Ross Kelly (ross.kelly@futurenet.com)@itpro.com
//
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.
Oracle has denied any breach of its cloud infrastructure. An Oracle spokesperson stated, "There has been no breach of Oracle Cloud... The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, in the form of a text file captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.
Recommended read:
References:
- hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
- BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
- www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
- research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
- The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
- BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
- www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
- Patrick C Miller :donor:: Oracle denies breach after hacker claims theft of 6 million data records
- www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
- www.it-daily.net: 6 million data records: Oracle was allegedly hacked
- eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data.
- www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
- securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
- Arctic Wolf: On March 20, 2025, a Breach Forums user, "rose87168," claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
- Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
- www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
- www.scworld.com: Details of the alleged Oracle Cloud breach.
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
- www.itpro.com: Oracle breach claims spark war of words with security researchers
- SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
- The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
- Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- : A threat actor, known as "rose87168," claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
- DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
- SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to  , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
- GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
- SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.
- Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References:
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities.
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
Dissent@DataBreaches.Net
//
A data breach at Oracle Health has impacted multiple healthcare organizations and hospitals across the United States. The breach involved a threat actor gaining unauthorized access to legacy servers and stealing patient data. The incident, which occurred on February 20, 2025, was initially discovered by Oracle Health, formerly known as Cerner, but has only recently been publicly disclosed by BleepingComputer on March 28, 2025, after Oracle Health failed to respond to requests for comments.
The compromised data includes sensitive information from electronic health records, single sign-on credentials, Lightweight Directory Access Protocol passwords, OAuth2 keys, and tenant data. It is believed that the breach was facilitated through the use of compromised customer credentials, aligning with known attack techniques. The implications for healthcare organizations are substantial, particularly concerning compliance with HIPAA regulations, and could lead to legal repercussions and financial penalties for affected entities.
Oracle Health is facing criticism for its lack of transparency regarding the incident. The company is reportedly telling hospitals that it will not notify patients directly, placing the responsibility on them to determine whether the stolen data violates HIPAA regulations. However, Oracle Health has committed to assisting in identifying impacted individuals and providing notification templates to help with notifications.
Recommended read:
References:
- bsky.app: Oracle Health breach compromises patient data at US hospitals
- BleepingComputer: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
- Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
- DataBreaches.Net: Oracle Health breach compromises patient data at US hospitals
CISO2CISO Editor 2@ciso2ciso.com
//
Oracle has released its January 2025 Critical Patch Update (CPU), addressing 318 new security vulnerabilities across over 90 products and services within 27 categories. The update includes patches for roughly 200 unique CVEs. The vulnerabilities affect a wide range of Oracle products, including its Communications applications, Construction and Engineering appliances, middleware and servers, and the E-Business Suite. This update is critical for organizations using Oracle products, highlighting the importance of robust vulnerability management and patching procedures.
The severity of the addressed vulnerabilities varies, with some having a CVSS score of 4 to 6 while others are considered critical. The most severe vulnerability, with a CVSS score of 9.9, affects the Oracle Agile Product Lifecycle Management (PLM) Framework, allowing a low-privileged attacker to compromise susceptible instances via HTTP. Oracle is urging customers to apply the Critical Patch Update as soon as possible, as some older Oracle flaws remain unpatched on some networks as evidenced by the US Cybersecurity and Infrastructure Security Agency (CISA) adding an older vulnerability in Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog.
Recommended read:
References:
- ciso2ciso.com: Oracle To Address 320 Vulnerabilities in January Patch Update
- ciso2ciso.com: Software giant Oracle is expected to release patches for 320 new security vulnerabilities affecting over 90 products and services across 27 categories.
- The Hacker News: Oracle releases January 2025 patch to address 300+ vulnerabilities
- ciso2ciso.com: Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products – Source:thehackernews.com
- ciso2ciso.com: Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products