A hacker identified as "rose87168" claims to have breached Oracle Cloud and stolen 6 million records, including passwords and sensitive files. The hacker demands payment from over 140,000 companies, including several large Brazilian organizations, to prevent the stolen data from being leaked. ZenoX, the cybersecurity startup of the Dfense Group, a leader and pioneer in the use of artificial intelligence against digital threats, is closely monitoring the situation and warns of the severe risks this incident poses, especially for Brazil, the second most affected country. While Oracle denies that a data breach occurred, the gap between Oracle's statement and the hacker's actions raises significant concerns about cloud security and reinforces the need for proactive protection measures.
Incident details
- Hacker "rose87168": Claims to have exploited a vulnerability, possibly related to Oracle WebLogic Server, to breach the Oracle Cloud login system.
- 6 million stolen records: Including encrypted passwords (which could potentially be cracked), JKS (Java KeyStore) files, internal access keys, and Enterprise Manager JPS data.
- Digital extortion: The hacker demands payment to not leak the data and is seeking help to crack the encrypted passwords.
- Impact in Brazil: Several large Brazilian organizations, including banks, public agencies, and private companies, are among those affected.
- Risk to the supply chain: The compromised data can be used for attacks on companies connected to the affected ones.
According to Ana Cerqueira, CRO of ZenoX, the potential impacts for Brazilian companies are:
- Unauthorized access to systems: Leaked credentials can give cybercriminals access to sensitive corporate systems.
- Authentication failure: The reliability of the Single Sign-On (SSO) authentication structure can be compromised.
- Targeted attacks: Leaked information about the organizational structure can facilitate targeted attacks.
- Sophisticated phishing: Leaked data can make phishing attacks more convincing and harder to detect.
- Legal and reputational risks: Companies may face reputational risks and legal notices under the LGPD.
The executive recommends the following protective measures:
- Immediate password reset for Oracle SSO users.
- Implementation or reinforcement of multi-factor authentication (MFA).
- Access log review to identify suspicious activities.
- Constant monitoring of login attempts and access anomalies.
- Implementation of context-based access controls (time, location, device).
- Proactive communication with internal teams about phishing risks.
- Rotation of tokens and potentially compromised encryption keys.
- Complete audit of access rights, implementing the principle of least privilege.
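The log review and login monitoring items above are where most of the post-incident work lands, so here is an added example of what that screening can look like. This is illustrative code written for this page, not ZenoX's or Oracle's tooling; the JSON-lines audit format, field names, user names, IP addresses and thresholds are all constructed assumptions, and a real deployment would read the identity provider's own audit export and seed the per-user baseline from pre-incident history. It flags three patterns that follow naturally from a credential leak: password spraying (one source IP failing against many accounts), a successful login from a country or device the user has never used, and two successes from different countries too close together to be plausible travel.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample of SSO audit events as JSON lines. This is NOT real
# Oracle Cloud log output; the field names are an assumption for the example.
SAMPLE_LOG = """\
{"ts": "2025-03-21T09:00:00Z", "user": "ana.silva", "ip": "203.0.113.10", "country": "BR", "device": "dev-a1", "result": "success"}
{"ts": "2025-03-21T09:05:00Z", "user": "ana.silva", "ip": "203.0.113.10", "country": "BR", "device": "dev-a1", "result": "success"}
{"ts": "2025-03-21T10:00:00Z", "user": "ana.silva", "ip": "198.51.100.7", "country": "RU", "device": "dev-zz", "result": "success"}
{"ts": "2025-03-21T11:00:00Z", "user": "joao.souza", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "failure"}
{"ts": "2025-03-21T11:00:01Z", "user": "maria.lima", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "failure"}
{"ts": "2025-03-21T11:00:02Z", "user": "pedro.costa", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "failure"}
{"ts": "2025-03-21T11:00:03Z", "user": "lucas.rocha", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "failure"}
{"ts": "2025-03-21T11:00:04Z", "user": "carla.melo", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "failure"}
{"ts": "2025-03-21T11:00:05Z", "user": "carla.melo", "ip": "192.0.2.50", "country": "BR", "device": "dev-b2", "result": "success"}
"""


def parse_events(text):
    """Parse JSON-lines audit events into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs that fail against >= min_users distinct accounts inside
    `window`. Leaked-credential spraying tries each account only once or
    twice, so per-account lockouts never fire; the signal is the fan-out."""
    failures = defaultdict(list)  # ip -> [(ts, user), ...] in time order
    for ev in events:
        if ev["result"] == "failure":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))
    alerts = {}
    for ip, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts


def detect_new_context(events):
    """Flag successful logins from a country or device never seen before for
    that user. Here the user's first success seeds the baseline (assumption
    for the example); in production, seed it from pre-incident history."""
    seen = defaultdict(lambda: {"country": set(), "device": set()})
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        base = seen[ev["user"]]
        if base["country"]:  # baseline exists, so compare against it
            new = [k for k in ("country", "device") if ev[k] not in base[k]]
            if new:
                alerts.append((ev["user"], ev["ts"], new))
        base["country"].add(ev["country"])
        base["device"].add(ev["device"])
    return alerts


def detect_impossible_travel(events, max_gap=timedelta(hours=2)):
    """Flag two successes for one user from different countries closer
    together than `max_gap`. Country-level granularity is a coarse stand-in
    for a real velocity check, which needs geolocation; it keeps this offline."""
    last = {}  # user -> (ts, country) of the previous success
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        prev = last.get(ev["user"])
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] < max_gap:
            alerts.append((ev["user"], prev[1], ev["country"], ev["ts"] - prev[0]))
        last[ev["user"]] = (ev["ts"], ev["country"])
    return alerts


def screen(text):
    """Run all three detectors over a JSON-lines audit export."""
    events = parse_events(text)
    return {
        "spraying": detect_spraying(events),
        "new_context": detect_new_context(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for name, hits in screen(SAMPLE_LOG).items():
        print(name, hits)
```

On the constructed sample this reports 192.0.2.50 spraying five accounts in five seconds (and the follow-on success for carla.melo from that same IP is the login to force a reset on first), ana.silva's login from a new country and device, and the same user moving from BR to RU in 55 minutes. The thresholds are deliberately low so the sample triggers; tune `min_users`, `window` and `max_gap` against your own baseline noise before alerting on them.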