A hacker using the handle “rose87168” claims to have breached Oracle Cloud and stolen 6 million records, including passwords and sensitive files. The hacker is demanding payment from more than 140,000 companies, including several large Brazilian organizations, in exchange for not leaking the stolen data. ZenoX, a cybersecurity startup of the Dfense Group, a leader and pioneer in the use of artificial intelligence against digital threats, is closely monitoring the situation and warning of the severe risks this incident poses, especially for Brazil, the second most affected country. While Oracle denies that a data breach occurred, the discrepancy between Oracle's statement and the hacker's claims raises important concerns about cloud security and reinforces the need for proactive protection measures.
Incident details:
- Hacker “rose87168”: Claims to have exploited a vulnerability, possibly related to Oracle WebLogic Server, to hack into the Oracle Cloud login system.
- 6 million records stolen: Including encrypted passwords (with potential to be cracked), JKS files, internal access keys, and Enterprise Manager JPS data.
- Digital extortion: The hacker demands payment not to leak the data and seeks help to crack the encrypted passwords.
- Impact in Brazil: Several large Brazilian organizations, including banks, public agencies and private companies, are among those affected.
- Supply chain risk: The compromised data can be used for attacks on companies connected to those affected.
According to Ana Cerqueira, CRO of ZenoX, the potential impacts for Brazilian companies are:
- Unauthorized access to systems: Leaked credentials can give cybercriminals access to sensitive corporate systems.
- Authentication failure: The reliability of the Single Sign-On (SSO) authentication framework can be compromised.
- Targeted attacks: Leaked information about the organizational structure can facilitate targeted attacks.
- Sophisticated phishing: Leaked data can make phishing attacks more convincing and difficult to detect.
- Legal and reputational risks: Companies may face reputational risks and legal notices under the LGPD.
The executive recommends the following protective measures:
- Immediate password reset for Oracle SSO users.
- Implementation or reinforcement of multi-factor authentication (MFA).
- Review of access logs to identify suspicious activity.
- Constant monitoring of login attempts and access anomalies.
- Implementation of context-based access controls (time, location, device).
- Proactive communication with internal teams about phishing risks.
- Rotation of potentially compromised tokens and encryption keys.
- Complete audit of access rights, implementing the principle of least privilege.
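Three of the measures above (reviewing access logs, monitoring login attempts for anomalies, and context-based access checks on location) can be turned into concrete detection logic. The script below is an added example, not code from ZenoX or Oracle; the log format and the sample lines in it are constructed for illustration and do not reflect Oracle's real audit log layout. It flags a source address failing against many distinct accounts (password spraying or credential stuffing with leaked credentials), a successful login that follows a burst of failures from the same address, and a successful login from a country the user has never been seen in.

```python
"""Flag suspicious SSO login activity in a constructed audit log.

Added example; the line format below is invented for illustration and is
NOT Oracle's log format. Each line: timestamp user source_ip country result
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. "ZZ" is a placeholder country code for an
# unfamiliar location; 203.0.113.x / 198.51.100.x / 192.0.2.x are
# documentation address ranges.
SAMPLE_LOG = """\
2025-03-22T02:11:05Z alice@example.com 203.0.113.7 ZZ FAIL
2025-03-22T02:11:09Z bob@example.com 203.0.113.7 ZZ FAIL
2025-03-22T02:11:12Z carol@example.com 203.0.113.7 ZZ FAIL
2025-03-22T02:11:15Z dave@example.com 203.0.113.7 ZZ FAIL
2025-03-22T02:11:20Z erin@example.com 203.0.113.7 ZZ FAIL
2025-03-22T02:11:25Z erin@example.com 203.0.113.7 ZZ SUCCESS
2025-03-22T09:00:01Z alice@example.com 198.51.100.4 BR SUCCESS
2025-03-22T09:05:44Z alice@example.com 198.51.100.4 BR SUCCESS
2025-03-22T22:40:10Z alice@example.com 192.0.2.9 ZZ SUCCESS
"""

# Constructed baseline of countries each user normally logs in from.
KNOWN_COUNTRIES = {
    "alice@example.com": {"BR"},
    "erin@example.com": {"BR"},
}


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def spraying_sources(events, min_users=5):
    """Source IPs that failed logins against at least min_users distinct accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
    return {ip for ip, users in failed_users.items() if len(users) >= min_users}


def success_after_failures(events, window_minutes=10, min_failures=3):
    """(user, ip) pairs where a success follows >= min_failures failures
    from the same source IP inside the preceding window."""
    failure_times = defaultdict(list)  # ip -> timestamps of failures
    hits = set()
    for e in events:
        if e["result"] == "FAIL":
            failure_times[e["ip"]].append(e["ts"])
            continue
        cutoff = e["ts"] - timedelta(minutes=window_minutes)
        recent = sum(1 for t in failure_times[e["ip"]] if t >= cutoff)
        if recent >= min_failures:
            hits.add((e["user"], e["ip"]))
    return hits


def new_country_logins(events, baseline):
    """Successful logins from a country not in the user's known baseline.
    Each new (user, country) pair is reported once, in time order."""
    seen = {user: set(countries) for user, countries in baseline.items()}
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        known = seen.setdefault(e["user"], set())
        if e["country"] not in known:
            alerts.append((e["user"], e["country"], e["ip"]))
            known.add(e["country"])  # suppress repeat alerts for the same country
    return alerts


def run_report(log_text=SAMPLE_LOG, baseline=KNOWN_COUNTRIES):
    """Run all three checks and return their findings together."""
    events = parse(log_text)
    return {
        "spraying_sources": spraying_sources(events),
        "success_after_failures": success_after_failures(events),
        "new_country_logins": new_country_logins(events, baseline),
    }


if __name__ == "__main__":
    for check, findings in run_report().items():
        print(f"{check}: {findings}")
```

The thresholds (five distinct accounts, three failures in ten minutes) are starting points, not tuned values; in a real deployment they would be calibrated against the organization's normal failure rate, and the country baseline would be built from the user's own login history rather than hard-coded.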