Massive Oracle Cloud Breach: 6 Million Records Exfiltrated, Affecting 140k+ Tenants


On March 21, 2025, CloudSEK’s threat intelligence platform, XVigil, uncovered a significant breach targeting Oracle Cloud, marking it as one of the biggest supply chain hacks of the year. The breach involves the exfiltration of 6 million records from over 140,000 Oracle Cloud tenants, affecting organizations globally.

Severity Level: High

INCIDENT OVERVIEW

  • The Oracle Cloud breach occurred due to a vulnerability likely linked to the login endpoint of Oracle Cloud’s infrastructure, specifically login.(region-name).oraclecloud.com.
  • The vulnerability is suspected to be a zero-day flaw in Oracle’s Fusion Middleware. This vulnerability could be associated with CVE-2021-35587, which affects Oracle Access Manager, an integral part of Oracle Fusion Middleware.
  • The attack likely involved compromising the login subdomain (login.us2.oraclecloud.com), which had not been adequately updated or patched since 2014.
  • The vulnerability allowed the threat actor to bypass authentication mechanisms, gaining unauthorized access to sensitive data stored within Oracle Cloud’s SSO and LDAP systems.
  • Once inside, the attacker exfiltrated 6 million records, including encrypted SSO passwords, LDAP credentials, JKS files, and enterprise manager JPS keys.
  • The attacker then proceeded to sell the stolen data on underground forums and demanded ransom payments from affected organizations for the removal of the data. Additionally, the threat actor incentivized individuals to help decrypt the stolen data, further increasing the risk of exploitation.

THREAT ACTOR DETAILS

  • The threat actor behind this breach has been identified as “rose87168”, an attacker who has been active since January 2025.
  • Reputation: “rose87168” is a new threat actor with no previous history of cyberattacks, yet the attack showed significant sophistication in their ability to exploit an unpatched vulnerability and create a ransom demand.

LESSONS LEARNED

  • Oracle Cloud’s failure to patch its vulnerable systems (such as Oracle Fusion Middleware) for several years allowed the attacker to exploit the flaw. Organizations must ensure timely patching and vulnerability management practices to close known gaps in security.
  • The attack was facilitated by a weakness in the authentication process of Oracle Cloud’s SSO and LDAP systems. It is essential to harden authentication by enforcing multi-factor authentication (MFA) and strong password policies to mitigate unauthorized access.

Recommendations:

  1. Check if your organisation is impacted in the 2025 Oracle attack: https://exposure.cloudsek.com/oracle
  2. Organizations affected by the incident should implement the following security measures immediately:
     • Reset passwords for LDAP and SSO accounts, particularly focusing on privileged accounts (e.g., Tenant Admins). Ensure that all reset passwords are strong and adhere to security best practices, including the use of MFA.
     • Regenerate SASL or MD5 hashes, and if possible, migrate to more secure authentication methods to minimize the impact of any compromised credentials.
     • Contact Oracle Support to rotate tenant-specific identifiers (e.g., orclmttenantguid, orclmttenantuname) and discuss necessary remediation steps.
     • Regenerate and replace any SSO/SAML/OIDC secrets or certificates associated with the LDAP configuration.
     • Review LDAP logs for suspicious authentication attempts.
     • Investigate recent account activities to detect potential unauthorized access.
     • Ensure that all systems running Oracle Fusion Middleware, including Access Manager, are patched against known vulnerabilities like CVE-2021-35587.
     • Limit access to Oracle Cloud environments to only those users and applications that need it, based on the principle of least privilege.
     • Ensure that MFA is enforced across all login systems, especially for administrators and other high-privilege users. This should be made mandatory for Oracle Cloud logins.
     • Set up proactive monitoring of the dark web for discussions around the leaked data. This could provide early alerts on further misuse or sale of the data.
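The log review and account-activity checks in the recommendations above, as an added triage example that is not part of the original advisory: it scans LDAP bind records for bursts of failed authentication and for successful Tenant Admin binds from outside the expected network. The log layout, account names and addresses are constructed assumptions, not Oracle's actual audit format.

```python
"""Triage LDAP bind logs after the incident above: flag failed-bind bursts and
privileged (Tenant Admin) logins from unexpected networks. All data is constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed "key=value" bind-audit layout; real
# OAM/OID/OUD audit logs differ, so adapt LINE_RE to your own layout.
SAMPLE_LOG = """\
2025-03-18T02:14:01Z bind user=uid=jsmith,ou=people,dc=example,dc=com src=10.0.4.21 result=success
2025-03-18T02:14:07Z bind user=uid=tenantadmin,ou=people,dc=example,dc=com src=198.51.100.7 result=failure
2025-03-18T02:14:08Z bind user=uid=tenantadmin,ou=people,dc=example,dc=com src=198.51.100.7 result=failure
2025-03-18T02:14:09Z bind user=uid=tenantadmin,ou=people,dc=example,dc=com src=198.51.100.7 result=failure
2025-03-18T02:14:10Z bind user=uid=tenantadmin,ou=people,dc=example,dc=com src=198.51.100.7 result=success
2025-03-18T02:20:33Z bind user=uid=tenantadmin,ou=people,dc=example,dc=com src=10.0.4.30 result=success
2025-03-18T02:21:00Z bind user=uid=jsmith,ou=people,dc=example,dc=com src=10.0.4.21 result=failure
2025-03-18T02:22:00Z search base=ou=people,dc=example,dc=com src=10.0.4.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) bind user=uid=(?P<user>[^,]+),\S+ src=(?P<src>\S+) result=(?P<result>\w+)$"
)
# Assumed: the Tenant Admin accounts and the network they normally bind from.
PRIVILEGED_USERS = {"tenantadmin"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_bind_events(text):
    """Return one dict per well-formed bind line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(events, failure_threshold=3):
    """Flag sources with >= failure_threshold failed binds, and successful
    binds by privileged users from outside TRUSTED_NETS."""
    failures = Counter(e["src"] for e in events if e["result"] == "failure")
    brute_force = {src: n for src, n in failures.items() if n >= failure_threshold}
    priv_unknown = []
    for e in events:
        if e["result"] == "success" and e["user"] in PRIVILEGED_USERS:
            ip = ipaddress.ip_address(e["src"])
            if not any(ip in net for net in TRUSTED_NETS):
                priv_unknown.append((e["user"], e["src"], e["ts"]))
    return {"brute_force": brute_force, "privileged_from_unknown": priv_unknown}
```

Any source flagged in both results (repeated failures followed by a privileged success from an untrusted network) is the first candidate for the credential reset and account investigation steps listed above.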

SOURCES:

  • https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
  • https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/


Ampcus Cyber