A hacker identified as “rose87168” claims to have breached Oracle Cloud and stolen 6 million records, including passwords and sensitive files. The hacker demands payment from over 140,000 companies, including various large Brazilian organizations, to not leak the stolen data. ZenoX, a cybersecurity startup from the Dfense Group, a leader and pioneer in using artificial intelligence against digital threats, is closely monitoring the situation and warns of the severe risks this incident poses, especially for Brazil, the second most affected country. While Oracle denies a data breach occurrence, the discrepancy between the information and the hacker’s actions raises significant concerns about cloud security and reinforces the need for proactive protection measures.
Incident Details:
- Hacker “rose87168”: Claims to have exploited a vulnerability, possibly related to the Oracle WebLogic Server, to breach Oracle Cloud login system.
- 6 million stolen records: Including encrypted passwords (with potential to be cracked), JKS files, internal access keys, and Enterprise Manager JPS data.
- Digital extortion: The hacker demands payment to not leak the data and seeks help to break the encrypted passwords.
- Impact on Brazil: Various large Brazilian organizations, including banks, public entities, and private companies, are among those affected.
- Supply chain risk: The compromised data can be used for attacks on companies connected to the affected ones.
According to Ana Cerqueira, CRO of ZenoX, the potential impacts for Brazilian companies are:
- Unauthorized access to systems: Leaked credentials can give cybercriminals access to sensitive corporate systems.
- Authentication failure: The reliability of the Single Sign-On (SSO) authentication structure may be compromised.
- Targeted attacks: Leaked information about the organizational structure can facilitate targeted attacks.
- Sophisticated phishing: Leaked data can make phishing attacks more convincing and difficult to detect.
- Legal and reputational risks: Companies may face reputational risks and legal notifications under the LGPD.
The executive recommends the following protection measures:
- Immediate password reset for Oracle SSO users.
- Implementation or reinforcement of multifactor authentication (MFA).
- Review of access logs to identify suspicious activities.
- Ongoing monitoring of login attempts and access anomalies.
- Implementation of context-based access controls (time, location, device).
- Proactive communication with internal teams about phishing risks.
- Rotation of potentially compromised encryption tokens and keys.
- Complete audit of access rights, implementing the principle of least privilege.
