Oracle Cloud Breach: Supply Chain Impact via SSO and LDAP Services Security
- Rescana
- Mar 27

The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services, affecting over 140,000 companies globally. The data compromised included sensitive authentication components such as encrypted SSO and LDAP passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. The breach was executed by exploiting a vulnerability in Oracle Fusion Middleware, specifically CVE-2021-35587, which allowed unauthorized access to Oracle Access Manager. The threat actor "rose87168" has previously targeted cloud services for data exfiltration. This incident underscores the critical need for enhanced security measures and timely vulnerability management in cloud environments [BleepingComputer: https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/; Cybersecurity Dive: https://www.cybersecuritydive.com/news/researchers-oracle-cloud-breach/743447/; Arctic Wolf: https://arcticwolf.com/resources/blog/alleged-oracle-cloud-supply-chain-attack/].
2. Incident Overview
The breach impacted Oracle Cloud's SSO and LDAP services, resulting in the theft of sensitive authentication data. Over 140,000 companies were affected, with compromised data including encrypted passwords, JKS files, and key management files. This incident highlights the vulnerabilities within cloud service authentication mechanisms and poses significant risks for unauthorized access to impacted systems and further exploitation [Cybersecurity Dive: https://www.cybersecuritydive.com/news/researchers-oracle-cloud-breach/743447/].
3. Attack Vector Analysis
The exploitation of CVE-2021-35587 in Oracle Fusion Middleware 11g allowed the threat actor to access Oracle Access Manager's login endpoint. This vulnerability facilitated the theft of sensitive authentication data, exemplifying a targeted attack on Oracle's cloud infrastructure [Orca Security: https://orca.security/resources/blog/oracle-cloud-breach-exploiting-cve-2021-35587/].
4. Malware and Tools Identified
No specific malware was cited; the breach was achieved by exploiting a well-known vulnerability in Oracle software, which underlines the need for organizations to prioritize vulnerability patching and management.
5. Historical Context of Threat Actor Activities
The actor "rose87168" is not widely known for other incidents, but aligns with patterns seen in threat actors focusing on cloud services to exfiltrate and sell large volumes of data.
6. Sector-specific Targeting Patterns
The breach demonstrates vulnerabilities in cloud authentication, particularly affecting enterprises dependent on Oracle infrastructure. This poses a risk of unauthorized access, impacting other SaaS products hosted within Oracle Cloud [Arctic Wolf: https://arcticwolf.com/resources/blog/alleged-oracle-cloud-supply-chain-attack/].
7. Technical Details Mapped to MITRE ATT&CK Framework
- Initial Access (T1190 - Exploit Public-Facing Application): The threat actor exploited CVE-2021-35587 for initial access.
- Credential Access (T1555 - Credentials from Password Stores): The breach involved the theft of encrypted SSO and LDAP passwords, indicating a focus on credential access for further exploitation.
8. Recommendations
- Critical: Immediate reset and rotation of Oracle SSO and LDAP passwords across affected enterprises.
- High: Update authentication methods and implement Multi-Factor Authentication (MFA) to enhance security.
- Medium: Regularly update and patch Oracle software to mitigate vulnerabilities such as CVE-2021-35587.
- Low: Conduct regular security awareness training focusing on cloud service vulnerabilities [Arctic Wolf: https://arcticwolf.com/resources/blog/alleged-oracle-cloud-supply-chain-attack/].
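The Critical recommendation above (reset and rotate SSO and LDAP passwords) is only actionable once an organization knows which directory accounts are still carrying a pre-breach credential. The following is an added example, not Rescana's code or an Oracle tool: it parses a constructed LDIF export of user entries and produces a prioritized rotation list. The attribute names (`pwdChangedTime`, `memberOf`, `uid`), the group name containing `admins`, the `svc-` prefix for service accounts, and the cutoff date are all assumptions for the example; a real OID/OUD export may use different operational attributes.

```python
"""Triage which directory accounts still need a credential rotation after the
Oracle SSO/LDAP breach disclosure.

Added example, not Rescana's or Oracle's code. Parses a constructed LDIF
export and returns the accounts whose password has not been changed since an
assumed breach cutoff date, ordered by rotation priority.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export: these entries are not real Oracle data.
# Attribute names are assumptions (standard pwdChangedTime / memberOf).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
pwdChangedTime: 20250110093000Z
memberOf: cn=oam-admins,ou=groups,dc=example,dc=com

dn: uid=svc-oam,ou=services,dc=example,dc=com
uid: svc-oam
pwdChangedTime: 20240615000000Z

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
pwdChangedTime: 20250328153000Z

dn: uid=legacy,ou=people,dc=example,dc=com
uid: legacy
"""

# Assumed cutoff for this example: any credential not rotated on or after
# this instant is treated as exposed and scheduled for rotation.
BREACH_CUTOFF = datetime(2025, 3, 21, tzinfo=timezone.utc)


@dataclass
class Account:
    dn: str
    uid: str
    pwd_changed: datetime | None  # None when the directory recorded no change
    groups: list[str]


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in its common YYYYMMDDHHMMSSZ form (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_ldif(text: str) -> list[Account]:
    """Minimal LDIF reader: records separated by blank lines, one 'attr: value'
    per line. Base64 ('::') and continuation lines are not handled here."""
    accounts: list[Account] = []
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for raw in block.splitlines():
            if not raw or raw.startswith("#"):
                continue
            key, _, value = raw.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        changed = attrs.get("pwdChangedTime")
        accounts.append(Account(
            dn=attrs["dn"][0],
            uid=attrs.get("uid", [""])[0],
            pwd_changed=parse_generalized_time(changed[0]) if changed else None,
            groups=attrs.get("memberOf", []),
        ))
    return accounts


def needs_rotation(acct: Account, cutoff: datetime) -> bool:
    """An account with no recorded password change is treated as stale."""
    return acct.pwd_changed is None or acct.pwd_changed < cutoff


def rotation_plan(ldif: str, cutoff: datetime = BREACH_CUTOFF) -> list[tuple[str, str]]:
    """Return (uid, priority) pairs for accounts still to rotate, most urgent first.
    Admin group members and service accounts go first because a reused
    privileged credential gives the widest access to downstream systems."""
    plan: list[tuple[str, str]] = []
    for acct in parse_ldif(ldif):
        if not needs_rotation(acct, cutoff):
            continue
        if any("admins" in g.lower() for g in acct.groups):
            priority = "P1-admin"
        elif acct.uid.startswith("svc-"):
            priority = "P1-service"
        else:
            priority = "P2-user"
        plan.append((acct.uid, priority))
    order = {"P1-admin": 0, "P1-service": 1, "P2-user": 2}
    plan.sort(key=lambda p: (order[p[1]], p[0]))
    return plan


if __name__ == "__main__":
    for uid, prio in rotation_plan(SAMPLE_LDIF):
        print(f"{prio:12} {uid}")
```

Run against the constructed export, the plan lists `jdoe` (admin group, changed before the cutoff), `svc-oam` (service account, changed before the cutoff) and `legacy` (no recorded change), while `asmith`, rotated after the cutoff, is left out. Treating a missing `pwdChangedTime` as stale rather than skipping it is the conservative choice when the export is incomplete.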
9. Lessons Learned
This breach emphasizes the necessity for robust security measures, particularly in cloud environments, and the importance of timely identification and management of vulnerabilities to prevent future incidents.
About Rescana
Rescana specializes in comprehensive risk assessment and management solutions tailored to cloud infrastructure security. Our capabilities include advanced vulnerability scanning, incident response planning, and implementation of enhanced authentication protocols to safeguard against unauthorized access and data breaches. Rescana is committed to helping organizations secure their cloud environments and mitigate the risks associated with emerging threats.