Oracle Cloud Supply Chain Breach: exfiltrated data affecting over 140k tenants
In what is being called “so far the biggest breach of 2025”, a threat actor is selling 6 million records allegedly extracted from Oracle Cloud Infrastructure.
To understand the scale and geographic distribution of the incident, we obtained the list of all affected domains from this breach, collated it, cleaned it and classified each entry by its top-level domain.
Below is a summary of the cleaned domain data (counts are unique domains per top-level domain):
| Rank | Top-level domain | Unique domains |
|------|------------------|----------------|
| 1 | .com | 79,244 |
| 2 | .br | 4,737 |
| 3 | .jp | 3,573 |
| 4 | .net | 3,555 |
| 5 | .org | 3,144 |
| 6 | .uk | 2,501 |
| 7 | .de | 2,462 |
| 8 | .it | 1,924 |
| 9 | .edu | 1,652 |
| 10 | .mx | 1,614 |
| 11 | .au | 1,608 |
| 12 | .in | 1,549 |
| 13 | .fr | 1,485 |
| 14 | .co | 1,171 |
| 15 | .nl | 1,167 |
| … | … | … |
| 37 | .be | 460 |
| … | … | … |
| Grand total | | 140,621 |
Looking more closely at the data, we identified approximately 687 domains belonging to personal and niche businesses. The list also contains 1,883 “domains” that are either artifact lines of the extraction script or plain bad input data.
The data includes Java KeyStore (JKS) files, encrypted SSO passwords, key files and Enterprise Manager JPS keys.
The attacker, active since January 2025, is offering incentives for help decrypting the stolen credentials and is demanding payment from the more than 140K affected tenants to have their data removed. The evidence suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com that led to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication.
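As an added example (not the original post's own script), the kind of cleaning and top-level-domain tally described above, run on a small constructed sample rather than the leaked list. It counts unique hostnames, takes the last label as the TLD (so a .co.uk host is counted under .uk, as in the table), and rejects lines that are not plausible hostnames, which is where artifact lines and bad input fall out. Grouping by registrable domain instead would need the Public Suffix List and is not shown; the sample lines and the helper names are assumptions for illustration.

```python
"""Clean a leaked domain list and tally unique domains per top-level domain.

Added example, not the original post's script: it shows the kind of cleaning
and TLD classification described above on a small constructed sample.
"""
import re
from collections import Counter
from typing import Optional

# Plausible hostname: dot-separated labels of letters, digits and hyphens,
# with an alphabetic top-level label. Everything else is treated as an
# artifact line or bad input and rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def clean_domain(raw: str) -> Optional[str]:
    """Normalise one input line; None if it is not a plausible hostname."""
    s = raw.strip().lower().rstrip(".")
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # strip a URL scheme
    s = s.split("/", 1)[0]                        # drop any path
    s = s.split("@")[-1]                          # drop user@ prefixes
    s = s.split(":", 1)[0]                        # drop :port
    return s if HOSTNAME_RE.match(s) else None


def classify(lines):
    """Return (Counter of TLD -> unique hostnames, list of rejected lines)."""
    seen = set()
    rejected = []
    for line in lines:
        if not line.strip():
            continue                               # blank line, not an error
        domain = clean_domain(line)
        if domain is None:
            rejected.append(line)
        else:
            seen.add(domain)
    # Last label only: shop.example.co.uk counts under .uk, as in the table.
    counts = Counter("." + d.rsplit(".", 1)[1] for d in seen)
    return counts, rejected


# Constructed sample input; not data from the leak.
SAMPLE = """\
example.com
mail.example.com
shop.example.co.uk
Example.COM
https://portal.example.br/login
intranet.example.be.
[ERROR] line 4812: timeout
,,,
localhost
12.34.56.78
"""


def tally(text: str = SAMPLE):
    """Classify the sample (or any newline-separated list) and return results."""
    return classify(text.splitlines())


if __name__ == "__main__":
    counts, rejected = tally()
    for tld, n in counts.most_common():
        print(f"{tld:<8}{n}")
    print(f"grand total: {sum(counts.values())} unique hostnames")
    print(f"rejected {len(rejected)} line(s): {rejected}")
```

On the sample this yields .com 2, .uk 1, .br 1, .be 1 and four rejected lines (a log line, a row of commas, a bare `localhost` and an IP address). Hostnames containing underscores (e.g. DNS records such as `_dmarc`) are rejected by the regex on purpose; loosen it if such entries are expected in the input.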
CloudSEK assesses this threat with medium confidence and rates it as High in severity.
Some further analysis on the attack:
The threat actor claims to have compromised the subdomain login.us2.oraclecloud.com, which is reported to have been taken offline since the intrusion.
The subdomain was captured by the Wayback Machine on 17 Feb 2025, and the archived page indicates that it was hosting Oracle Fusion Middleware 11g.
The same archived page shows that this Oracle Fusion Middleware server was last updated around Sat, 27 Sep 2014.
Oracle Fusion Middleware is affected by CVE-2021-35587, a critical vulnerability in Oracle Access Manager (OpenSSO Agent) that CISA added to its Known Exploited Vulnerabilities (KEV) catalog on 28 November 2022.
CVE-2021-35587: Vulnerability in Oracle Access Manager (OpenSSO Agent)
A vulnerability exists in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: OpenSSO Agent). The affected supported versions are:
- 11.1.2.3.0
- 12.2.1.3.0
- 12.2.1.4.0
This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation can result in a complete takeover of Oracle Access Manager (CVSS 3.1 base score 9.8). Oracle fixed it in the January 2022 Critical Patch Update.

The threat actor told an independent news outlet that they compromised a vulnerable version of the Oracle Cloud servers through a public CVE that, according to them, has no public PoC or exploit.
As the archived page referenced above shows, the login endpoint was last updated in 2014.
The likely explanation, consistent with the medium-confidence assessment above, is that a lack of patch management and/or insecure coding left the vulnerability in Oracle Fusion Middleware open for the threat actor to exploit. Because it is reachable unauthenticated over HTTP, successful exploitation results in a takeover of Oracle Access Manager (OAM). This is consistent with the samples leaked on BreachForums.
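One way to turn the indicators above into a repeatable check, as an added example that is not from the original post, CloudSEK or Oracle: it takes captured HTTP responses from SSO login endpoints (the four samples are constructed, not real captures) and flags a host as likely unpatched when it identifies as Oracle Access Manager and its Last-Modified date predates Oracle's January 2022 Critical Patch Update, which fixed CVE-2021-35587. A version string from the affected list alone only prompts a patch-level check, because Oracle's CPU patches do not change the base version number. The hostnames, paths and bodies in the samples and the `assess()`/`triage()` helpers are assumptions for illustration; `/oam/` is the context root under which Oracle Access Manager serves its login flow.

```python
"""Triage captured responses from SSO login endpoints for CVE-2021-35587 exposure.

Added example (not code from the original post, CloudSEK or Oracle). It encodes
the two indicators used in the analysis above: a Last-Modified date older than
the fix, and a version string from the affected list. Sample captures below are
constructed for illustration.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Versions listed as affected in the CVE-2021-35587 description.
AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}
# Oracle fixed CVE-2021-35587 in the January 2022 Critical Patch Update
# (released 18 Jan 2022). Content last modified before then cannot carry it.
FIX_DATE = datetime(2022, 1, 18, tzinfo=timezone.utc)
# Oracle Fusion Middleware version strings look like 11.1.2.3.0 / 12.2.1.4.0.
VERSION_RE = re.compile(r"\b(1[12]\.\d+\.\d+\.\d+\.\d+)\b")


def parse_http_date(value: Optional[str]) -> Optional[datetime]:
    """Parse an RFC 7231 date header; None when absent or malformed."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):  # raised for unparsable input
        return None
    # A "-0000" zone yields a naive datetime; treat it as UTC for comparisons.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess(host: str, path: str, headers: dict, body: str) -> dict:
    """Classify one captured response; returns the finding as a dict."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    text = body or ""
    # OAM serves its login flow under /oam/ and names itself in the page
    # title; both are used as identification signals here (assumption).
    is_oam = path.startswith("/oam/") or "oracle access manager" in text.lower()
    match = VERSION_RE.search(text)
    version = match.group(1) if match else None
    last_modified = parse_http_date(hdrs.get("last-modified"))
    stale = bool(last_modified and last_modified < FIX_DATE)

    if not is_oam:
        risk = "not_oam"
    elif stale:
        risk = "likely_unpatched"        # older than the fix: prioritise
    elif version in AFFECTED_VERSIONS:
        risk = "verify_patch_level"      # base version proves nothing by itself
    else:
        risk = "unknown"
    return {
        "host": host,
        "is_oam": is_oam,
        "version": version,
        "last_modified": last_modified,
        "stale_since_fix": stale,
        "risk": risk,
    }


# Constructed sample captures (host, request path, response headers, body);
# they are not real responses from any Oracle host.
SAMPLES = [
    ("login.tenant-a.example", "/oam/server/obrareq.cgi",
     {"Server": "Oracle-HTTP-Server",
      "Last-Modified": "Sat, 27 Sep 2014 03:21:50 GMT"},
     "<title>Oracle Access Manager</title> Oracle Fusion Middleware 11g 11.1.2.3.0"),
    ("sso.tenant-b.example", "/oam/server/obrareq.cgi",
     {"Last-Modified": "Tue, 19 Jul 2022 10:00:00 GMT"},
     "<title>Oracle Access Manager</title> 12.2.1.4.0"),
    ("www.tenant-c.example", "/",
     {"Last-Modified": "Mon, 03 Mar 2025 08:00:00 GMT"},
     "<html><title>Welcome</title></html>"),
    ("legacy.tenant-d.example", "/oam/", {}, "Oracle Access Manager"),
]


def triage(samples=SAMPLES) -> list:
    """Assess every capture and return the findings, most urgent first."""
    order = {"likely_unpatched": 0, "verify_patch_level": 1,
             "unknown": 2, "not_oam": 3}
    return sorted((assess(*s) for s in samples), key=lambda f: order[f["risk"]])


if __name__ == "__main__":
    for f in triage():
        print(f"{f['host']:26} {f['risk']:20} version={f['version']} "
              f"last_modified={f['last_modified']}")
```

A Last-Modified header reflects the timestamp of the static resource served, not necessarily the OAM binaries behind it, so treat "likely_unpatched" as a prioritisation signal and confirm on the host with `opatch lsinventory` before concluding anything; a missing header (the fourth sample) leaves the host at "unknown" rather than silently passing it.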