Kevin Beaumont

Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com

The poster has no prior reputation; it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. breachforums.st/Thread-SELLING

If anybody is interested, the servers they claim they targeted all run Oracle WebLogic and are managed by Oracle as a SaaS service.

Has anybody else got Oracle to comment on this? No reply to my queries.

Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.

web.archive.org/web/2025030116

@GossiTheDog WebLogic? You mean the framework that used to have a new RCE every 3 months like clockwork? That WebLogic?

@GossiTheDog Haha, WebLogic... what is this? The German government?

@joacim @GossiTheDog basically this. If you’re not a customer with a support contract they sue you for running their software unlicensed, and if you are a customer with a support contract they sue you for breaching the contract that says you’re not allowed to do any kind of vulnerability testing.

Remember the Oracle CISO’s rant a few years ago?

Oracle is too busy with Stargate grand future to worry about pesky security matters.

@GossiTheDog
As far as I know, no official comment from Oracle, but big customers are already being contacted and credentials/MFA are being reset as we speak.

@GossiTheDog And we were told that they were running a vulnerable version with a public CVE that does not have a public PoC exploit.

I could not verify that though.

Someday (maybe today?) you'll be able to ask an LLM to generate infostealer logs and it will take nearly as long to verify them as fake. So you pick a tiny number, "For $50k I won't leak this to your local media." And someone will pay the bill. The new phishing.

For the JKS, it's probably a useless default Java certificate. Anyway, try 'changeit' as the password; nobody has changed it since the Sun era.

@GossiTheDog Thanks. I will bring it up with our account team on Monday.

@GossiTheDog Have you seen anything convincing come out of this? The more I look at it, the more it seems to be hot air.

Wish I had more insight on the apparent Oracle Access Manager upload.