Introduction
Oracle Cloud is one of the leading cloud providers of enterprise cloud services. It offers a complete set of cloud services to meet all kinds of enterprise computing needs. Oracle offers cloud-based solutions for Human Capital Management, Enterprise Resource Planning, Supply Chain Management, and many other applications, all managed, hosted, and supported by Oracle.
On 21 March 2025, CloudSEK’s XVigil platform discovered a threat actor, “rose87168”, selling 6 million records claimed to have been exfiltrated from the SSO (Single Sign-On) and LDAP (Lightweight Directory Access Protocol) systems of Oracle Cloud. The breach reportedly affected over 140,000 Oracle Cloud tenants. It highlights the importance of robust security controls, timely application of mitigations, and the need to rethink cloud security.
Dissecting Oracle’s breach
According to Oracle, the compromised data was approximately 16 months old and did not include complete Personally Identifiable Information (PII). Exposed data included email addresses, usernames and hashed passwords. The stolen data reportedly comprised SSO and LDAP credentials, JKS (Java KeyStore) files, passwords and key files, and Enterprise Manager JPS keys, reaching 6 million records in total. Key material of this kind matters more than the password hashes: a signing key or keystore lets an attacker forge tokens that remain valid until the key itself is rotated.
The breach faced by Oracle in March is not the first of its kind. Earlier, in February, attackers accessed data on servers of Oracle Health (formerly Cerner), an electronic health records company. A class action lawsuit was filed against Oracle, which was criticised for a lack of notification that exacerbated the situation. Oracle did not explain whether it had been able to contain the threat or how the intrusion happened.
After initially denying the incident, Oracle acknowledged to some clients that attackers had stolen old client credentials after breaching a “legacy environment” last used in 2017. When asked how the servers were breached, the threat actor told BleepingComputer that the Oracle Cloud servers ran a vulnerable software version with a public CVE for which no public proof of concept (PoC) or exploit existed. Notably, the threat actor contacted Oracle to demand a ransom and tracked down Oracle’s social media handles to apply pressure, a glimpse of the extortion and psychological tactics businesses must be prepared for.
The exploited CVE (Common Vulnerabilities and Exposures)
A CVE is a publicly disclosed security flaw to which a CVE Numbering Authority has assigned a CVE ID. The CVE list itself is maintained under the MITRE Corporation’s programme; the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database build on it with severity scores, affected-product data and analysis. Reporting vulnerabilities, including in open-source software, lets defenders recognise flaws and coordinate fixes, which is why CVEs are submitted by vendors, researchers and open-source community members alike. Exploitation of publicly disclosed CVEs is a major concern for an organisation’s security: the Oracle breach is neither the first nor the last case in which an unpatched CVE led to unauthorised access to cloud systems. The volume of CVEs can be overwhelming, and a CVE by itself does not cause a breach; it is the delay in addressing the vulnerability, as reported in the Oracle case, that turns a disclosed flaw into a breach. Organisations therefore need a disciplined process to track which CVEs affect their estate, prioritise them by severity and exposure, and patch within a defined deadline.
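The triage process described above, as an added example (not code from the original article): it matches a software inventory against a set of CVE records, assigns each match a patch deadline based on CVSS score, internet exposure and known exploitation, and lists the items that have breached their deadline. The components, the CVE-2099-* identifiers and the SLA policy are constructed for illustration, not real advisories or a published standard.

```python
"""Added example, not from the original article: triage a CVE backlog against a
software inventory and flag patch-SLA breaches. The components, CVE records and
review date below are constructed sample data; CVE-2099-* IDs are placeholders."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    host: str
    product: str
    version: str
    exposure: str  # "internet" or "internal"


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    fixed_in: str  # first version that is no longer affected
    cvss: float
    published: date
    exploited: bool  # exploitation publicly reported (e.g. a CISA KEV listing)


def parse_version(version):
    """Turn '11.1.2' into (11, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component, cve):
    return (component.product == cve.product
            and parse_version(component.version) < parse_version(cve.fixed_in))


def sla_days(cve, component):
    """Patch deadline in days. A constructed policy for illustration, not a standard."""
    if cve.exploited:
        return 7
    if cve.cvss >= 9.0 or (cve.cvss >= 7.0 and component.exposure == "internet"):
        return 14
    if cve.cvss >= 7.0:
        return 30
    return 90


def triage(components, cves, today):
    """Return one finding per (component, CVE) match, most overdue first."""
    findings = []
    for comp in components:
        for cve in cves:
            if not is_affected(comp, cve):
                continue
            age = (today - cve.published).days
            sla = sla_days(cve, comp)
            findings.append({
                "host": comp.host, "cve": cve.cve_id, "product": comp.product,
                "version": comp.version, "fixed_in": cve.fixed_in,
                "age_days": age, "sla_days": sla, "days_over_sla": age - sla,
                "overdue": age > sla,
            })
    findings.sort(key=lambda f: (-f["days_over_sla"], f["cve"]))
    return findings


# Constructed inventory and advisories (hypothetical products and CVE IDs).
SAMPLE_COMPONENTS = [
    Component("sso-1", "acme-sso", "11.1.2", "internet"),
    Component("sso-2", "acme-sso", "12.1.0", "internet"),
    Component("db-1", "acme-db", "19.3", "internal"),
]
SAMPLE_CVES = [
    Cve("CVE-2099-0001", "acme-sso", "12.0.0", 9.8, date(2024, 11, 1), exploited=True),
    Cve("CVE-2099-0002", "acme-db", "19.4", 5.5, date(2025, 3, 1), exploited=False),
]
REVIEW_DATE = date(2025, 3, 21)

if __name__ == "__main__":
    for f in triage(SAMPLE_COMPONENTS, SAMPLE_CVES, REVIEW_DATE):
        flag = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']:6} {f['cve']} {f['product']} {f['version']} -> {f['fixed_in']}: "
              f"age {f['age_days']}d, SLA {f['sla_days']}d ({flag})")
```

The point of the ordering is that an internet-facing SSO server carrying an exploited critical CVE for 140 days sits at the top regardless of how many low-severity items arrive later; real inventories should come from a CMDB or scanner export and real advisories from NVD or vendor feeds rather than hand-typed records.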
What it means for your Online Security
The Oracle Cloud breach affects your online security primarily through the supply chain and through credential exposure. Once stolen, credentials can be reused to compromise systems connected to Oracle Cloud, whether through direct logins or federated SSO. The breach underscores the importance of robust security practices and of timely, transparent breach notification, so that customers can rotate credentials before they are abused. It also highlighted the need to secure legacy environments even after they have been replaced. Another overlooked weakness that companies need to address after the Oracle breach is rogue OCI (Oracle Cloud Infrastructure) tenants and similar unused accounts.
A rogue tenant is a decommissioned or forgotten OCI tenancy: an account someone created for a project and never shut down. Such temporary projects often remain connected to core systems yet lack multi-factor authentication (MFA), making them high-risk entry points, much as in the Microsoft Midnight Blizzard attack, in which an overlooked legacy test tenant account without MFA became the entry point. Rogue tenants hold outdated, unmanaged data and credentials that give easy access to interconnected services. Reportedly, 16% of unused accounts remain connected to core systems, opening the door for attackers to move laterally and reach sensitive data faster. The Oracle breach compromised 6 million records, jeopardising all linked resources; securing rogue tenants is the next step in protecting that data.
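A first pass at finding such accounts, as an added example rather than code from the original article or from Oracle: it reads the JSON that the OCI CLI’s `oci iam user list --all` command emits for a tenancy and flags ACTIVE users that have never logged in, have been dormant beyond a threshold, or have no MFA device activated. The user list below is constructed; the field names (`is-mfa-activated`, `last-successful-login-time`, `lifecycle-state`) are those of the OCI IAM User resource and are assumed here rather than verified against a live tenancy.

```python
"""Added example, not from the original article: flag dormant and MFA-less users
in an OCI tenancy from the JSON that `oci iam user list --all` emits. The user list
below is constructed; the field names (is-mfa-activated, last-successful-login-time,
lifecycle-state) are those of the OCI IAM User resource, assumed here rather than
verified against a live tenancy."""
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for `oci iam user list --compartment-id <tenancy-ocid> --all`.
SAMPLE_USER_LIST = json.dumps({"data": [
    {"id": "ocid1.user.oc1..example-a", "name": "svc-migration-2019",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
     "last-successful-login-time": "2019-06-14T09:12:00.000Z",
     "time-created": "2019-05-02T10:00:00.000Z"},
    {"id": "ocid1.user.oc1..example-b", "name": "alice",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": True,
     "last-successful-login-time": "2025-03-18T08:01:00.000Z",
     "time-created": "2022-01-10T10:00:00.000Z"},
    {"id": "ocid1.user.oc1..example-c", "name": "contractor-poc",
     "lifecycle-state": "ACTIVE", "is-mfa-activated": False,
     "last-successful-login-time": None,
     "time-created": "2024-02-01T10:00:00.000Z"},
    {"id": "ocid1.user.oc1..example-d", "name": "old-admin",
     "lifecycle-state": "INACTIVE", "is-mfa-activated": False,
     "last-successful-login-time": "2020-01-01T00:00:00.000Z",
     "time-created": "2018-01-01T10:00:00.000Z"},
]})


def parse_ts(value):
    """OCI timestamps are RFC 3339 with a trailing Z; None means no login recorded."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_users(user_list_json, now, dormant_days=90):
    """Return ACTIVE users that never logged in, are dormant, or have no MFA,
    with the list of reasons for each. Already-disabled users are skipped."""
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    for user in json.loads(user_list_json)["data"]:
        if user.get("lifecycle-state") != "ACTIVE":
            continue
        reasons = []
        last_login = parse_ts(user.get("last-successful-login-time"))
        if last_login is None:
            reasons.append("never-logged-in")
        elif last_login < cutoff:
            reasons.append(f"dormant>{dormant_days}d")
        if not user.get("is-mfa-activated"):
            reasons.append("no-mfa")
        if reasons:
            findings.append({"name": user["name"], "id": user["id"], "reasons": reasons})
    return findings


REVIEW_TIME = datetime(2025, 3, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USER_LIST, REVIEW_TIME):
        print(f"{f['name']:20} {', '.join(f['reasons'])}")
```

To run it against real data, export the list with `oci iam user list --compartment-id <tenancy-ocid> --all > users.json` (the tenancy OCID is the root compartment) and pass the file contents to `audit_users`. This covers local IAM users only; identities federated from an external identity provider must be reviewed at that provider, and an account that is dormant but still holds API keys or auth tokens should be disabled rather than merely noted.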
How businesses can proactively defend against supply chain vulnerabilities
Supply chains are the driving force of modern businesses: they connect manufacturers, suppliers and customers. When it comes to cyber threats, however, this interconnectedness can also be their downfall. As discussed above, rogue tenants and unused accounts undermine supply chain safety, and as technology adoption grows, supply chain vulnerabilities have multiplied. While the risk of infiltration cannot be eliminated entirely, companies can still proactively deploy measures and fortify their defences. The UK’s National Cyber Security Centre offers 12 principles for securing supply chains and partnerships, and it also provides general guidelines for CISOs and IT departments to support supply chain security improvements. At Tsaaro Cyber, we ensure the right security leadership is directed at your organisation: our services are delivered by expert CISOs who draw on years of industry experience to present tailored solutions that address your needs.
Here is a brief on a three-step assessment framework that can be applied to reduce supply chain vulnerabilities:
Step 1: Internal Risk Evaluation – A team of cybersecurity professionals identifies, assesses and mitigates risks to the organisation’s digital assets. This involves remedying organisational weaknesses such as outdated technology and inefficient processes. Their findings drive the implementation of security controls and updates to security policies, and they help highlight workforce gaps and bolster resilience.
Step 2: External Risk Monitoring – Next, it is important to track emerging global threats and regulatory shifts to identify potential risks. Most importantly, third-party weaknesses are assessed so that they do not become entry points for attackers. Cybersecurity teams monitor for signs of impersonation attacks and data leaks and respond accordingly. During this process they ensure there is an up-to-date, robust risk management system governing access throughout the supply chain.
Step 3: Node Analysis – Lastly, node analysis demonstrates the value of a reliable and efficient cybersecurity team and strengthens an organisation’s overall security. It requires mapping individual nodes using network traffic data and graph-based techniques. Cybersecurity professionals build timelines and uncover evidence of attacks so that lateral movement by threat actors can be addressed promptly, and they retain the node analysis for future investigations. In conclusion, cybersecurity professionals map the supply chain to isolate high-risk zones and concentrate mitigation efforts on those points.
Moreover, a company must ensure it adheres to the laws, regulations and frameworks that apply to it, such as the NIST Cybersecurity Framework, the European Union’s GDPR, or the international ISO/IEC 27001 standard for securing information systems. You can choose to partner with specialists like Tsaaro Consulting to identify intricate areas of non-compliance and develop a tailored compliance plan to meet your unique business needs.
Mitigation Strategies
Once security has been breached and data compromised, the next step is to apply mitigations that limit the damage the breach can cause if left unchecked. Organisations should reset passwords for all LDAP accounts and enforce multi-factor authentication. They should promptly rotate tenant-specific credentials and regenerate all affected SSO (Single Sign-On), SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) certificates and secrets, because a stolen signing key or keystore lets an attacker mint valid tokens long after the passwords have changed. Finally, they should audit recent account activity to detect unauthorised access and keep monitoring continuously for anomalies.
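Verifying the password-reset step, as an added example that is not code from the original article: it reads an LDIF export of the directory that includes the ppolicy operational attribute `pwdChangedTime` and lists every account whose password was last set before the moment the credentials must be treated as burned, or that has no change recorded at all. The LDIF, the directory names and the cutoff are constructed; the attribute and its GeneralizedTime format are those written by OpenLDAP’s ppolicy overlay.

```python
"""Added example, not from the original article: find LDAP accounts whose password
was last set before a compromise cutoff, so a forced reset campaign can be verified.
Reads an LDIF export that includes the ppolicy operational attribute pwdChangedTime
(OpenLDAP GeneralizedTime, e.g. 20250325091200Z). The LDIF and cutoff are constructed."""
from datetime import datetime, timezone

# Constructed export, as produced by something like
#   ldapsearch -LLL -x -H ldaps://ldap.example.com -b dc=example,dc=com uid pwdChangedTime
# (pwdChangedTime is operational, so it must be requested explicitly).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdChangedTime: 20250325091200Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdChangedTime: 20241102101500Z

dn: uid=svc-backup,ou=services,dc=example,dc=com
uid: svc-backup

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
pwdChangedTime: 20250321120000Z
"""

# The moment from which stolen credentials must be treated as burned (constructed).
COMPROMISE_CUTOFF = datetime(2025, 3, 21, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} per entry.
    Handles folded continuation lines (leading space); base64 values ('::') are ignored."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value, not needed here
                last_attr = None
                continue
            current.setdefault(attr, []).append(value.strip())
            last_attr = attr
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """YYYYmmddHHMMSS[.fff]Z as written by OpenLDAP ppolicy; treated as UTC."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def pending_rotations(ldif_text, cutoff):
    """Return (dn, reason) for every account not yet rotated after the cutoff."""
    pending = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        changed = entry.get("pwdChangedTime")
        if not changed:
            pending.append((dn, "no pwdChangedTime recorded"))
        elif parse_generalized_time(changed[0]) < cutoff:
            pending.append((dn, f"last change {changed[0]} predates cutoff"))
    return pending


if __name__ == "__main__":
    for dn, reason in pending_rotations(SAMPLE_LDIF, COMPROMISE_CUTOFF):
        print(f"{dn}: {reason}")
```

An account with no `pwdChangedTime` is reported as pending rather than ignored: it usually means a service account whose password predates the ppolicy overlay, which is exactly the kind of long-lived credential that a “legacy environment” leak exposes. The same cutoff comparison applies to certificate `NotBefore` dates when checking that SAML and OIDC signing keys were reissued.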
Concluding Remarks
The recent Oracle breaches offer clear guidance to cloud providers and their customers on managing CVEs more rigorously. It takes only one overlooked, unpatched CVE to put years of data security and user trust at risk. They are also a reminder of the dangers legacy systems pose if they are not properly decommissioned or isolated, underscoring the need for regular audits. With over 140,000 businesses affected, the incident shows the reach of supply-chain vulnerabilities. We also examined how Oracle’s inconsistent and delayed communication compounded the impact of a breach spanning 6 million records. Transparency and the immediate application of mitigations are therefore vital for maintaining trust and combating evolving attack methodologies.