Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com
The poster has no prior reputation; it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
If anybody is interested, the servers they claim they targeted all run Oracle WebLogic and are managed by Oracle as a SaaS service.
Has anybody else got Oracle to comment on this? No reply to my queries.
Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.
https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x
@GossiTheDog @BleepingComputer
One thing you point out here has me thinking...
Does Oracle Cloud = Oracle Access Manager?
Looking at Oracle's own page on that, one could see it as a middleware component.
https://www.oracle.com/middleware/technologies/access-management.html
Feels like Oracle is being very specific in their denial, but should we be asking a more specific question?
@definity @GossiTheDog @BleepingComputer I've been wondering that too. Or even the word breach. They aren't even saying there's an incident to talk about.
Definitions are useful and important, but a vendor does the public a great disservice by hanging them by the neck with word play.
@0ddj0bb @definity @BleepingComputer yeah, I’ve had similar thoughts on both counts.