David Jones@cybersecuritydive.com
//
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on April 17, 2025, regarding increased breach risks following a potential compromise of legacy Oracle Cloud servers. The alert responds to public reporting of alleged threat activity targeting Oracle customers, though the scope and impact of the activity are currently unconfirmed. CISA's guidance urges organizations and individuals to take immediate steps to secure their IT environments amid claims that a large trove of customer credentials was compromised. The agency is also asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
CISA is particularly concerned about situations where credential material may be exposed, reused across separate and unaffiliated systems, or embedded into applications and tools. Embedded credential material, which can be hardcoded into scripts, applications, infrastructure templates, or automation tools, is especially difficult to detect and can enable long-term unauthorized access if exposed. The compromise of credentials like usernames, emails, passwords, authentication tokens, and encryption keys can pose a significant risk to enterprise environments.
To mitigate these risks, CISA recommends that organizations reset passwords for known affected users, especially those not federated through enterprise identity solutions. Additionally, they should review source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded credentials, replacing them with secure authentication methods backed by centralized secret management. Monitoring authentication logs for anomalous activity, particularly activity involving privileged, service, or federated identity accounts, is also crucial. Finally, CISA advises enforcing phishing-resistant multi-factor authentication for all user and administrator accounts wherever possible.
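To make the "review code, templates and scripts for hardcoded credentials" step concrete, here is an added example (not CISA's, Oracle's or any vendor's code) that scans in-memory sample files for the kinds of embedded material the alert is concerned with: JDBC passwords, LDAP bind passwords, keystore passwords, OAuth2 bearer tokens and private keys, while skipping values that merely reference a secret store. The pattern names, file names and credential values are constructed assumptions for this illustration.

```python
"""Find credentials hardcoded in config, IaC and script files.

Added example (not CISA's, Oracle's or any vendor's code); the patterns,
sample files and secrets below are constructed for this illustration.
"""
import re
from typing import Dict, List, Tuple

# Most specific patterns first; each captures the credential in group "secret".
PATTERNS: List[Tuple[str, re.Pattern]] = [
    # Oracle thin JDBC URL with user/password embedded: jdbc:oracle:thin:user/pw@host
    ("oracle-jdbc-url", re.compile(r"jdbc:oracle:thin:(?P<user>[^/\s]+)/(?P<secret>[^@\s]+)@")),
    # LDAP bind password in directory-integration configs
    ("ldap-bind-password", re.compile(
        r"(?i)bind[_-]?(?:pw|password)\s*[:=]\s*[\"']?(?P<secret>[^\s\"']{6,})")),
    # Java keystore/truststore password (JKS files were among the reportedly exposed material)
    ("keystore-password", re.compile(
        r"(?i)(?:keystore|truststore)[._-]?pass(?:word)?\s*[:=]\s*[\"']?(?P<secret>[^\s\"']{6,})")),
    # OAuth2 bearer token pasted into a script or header
    ("bearer-token", re.compile(r"(?i)bearer\s+(?P<secret>[A-Za-z0-9._~+/=-]{20,})")),
    # PEM private key block header
    ("private-key", re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    # Generic key=value assignments of password/secret/token/api_key
    ("generic-secret", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*"
        r"[\"']?(?P<secret>[^\s\"'#,;]{6,})")),
]

# References to a secret store or obvious stand-ins are not hardcoded secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{.*\}|\{\{.*\}\}|<[^>]*>|ENC\[.*\]|vault:.*|CHANGE_?ME|x{3,}|\*+)$", re.I)

# Constructed sample files; every secret in them is invented for this example.
SAMPLES: Dict[str, str] = {
    "app.properties": ("db.url=jdbc:oracle:thin:appuser/Welcome1@db.internal:1521/ORCL\n"
                       "keystore.password=changeit\n"
                       "api_key=${API_KEY}\n"),
    "deploy.sh": ("#!/bin/sh\n"
                  'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln" https://api.internal/\n'
                  'ldap_bind_password="Sup3rSecret!"\n'),
    "main.tf": ('resource "example_db" "x" {\n'
                '  password = "${var.db_password}"\n'
                "}\n"),
    "ci.yml": ("deploy_key: |\n"
               "  -----BEGIN OPENSSH PRIVATE KEY-----\n"
               "  b3BlbnNzaC1rZXktdjEAAAAAB...\n"),
}

def is_placeholder(value: str) -> bool:
    """True when the value points at a secret store or is an obvious stand-in."""
    return bool(PLACEHOLDER.match(value))

def redact(secret: str) -> str:
    """Keep only the first and last two characters so reports do not re-leak the secret."""
    return "*" * len(secret) if len(secret) <= 4 else secret[:2] + "*" * (len(secret) - 4) + secret[-2:]

def scan_text(filename: str, text: str) -> List[Dict[str, object]]:
    """One finding per hardcoded credential; the most specific matching kind wins."""
    findings: List[Dict[str, object]] = []
    seen = set()  # (line, secret) pairs already reported under a more specific kind
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group("secret")
                if kind != "private-key" and is_placeholder(secret):
                    continue
                if (lineno, secret) in seen:
                    continue
                seen.add((lineno, secret))
                findings.append({"file": filename, "line": lineno, "kind": kind,
                                 "value": "<key block>" if kind == "private-key" else redact(secret)})
    return findings

def scan_all(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory {filename: text} map; swap in os.walk + open() for a real tree."""
    return [f for name, text in files.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

Each reported value is redacted so the scan output itself can be shared with the team that owns the file without re-exposing the credential.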
Recommended read:
References :
- DataBreaches.Net: Sergiu Gatlan reports: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks. CISA said, “the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate,...
- BleepingComputer: On Wednesday, CISA warned of heightened breach risks after the compromise of legacy Oracle Cloud servers earlier this year and highlighted the significant threat to enterprise networks.
- www.cybersecuritydive.com: The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
- MSSP feed for Latest: Legacy Oracle cloud breach poses credential exposure risk
- hackread.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
- www.scworld.com: Secure legacy Oracle cloud credentials amid leak reports, CISA warns
- www.itpro.com: CISA issues warning in wake of Oracle cloud credentials leak
- securityonline.info: CISA Warns of Credential Risks Tied to Oracle Cloud Breach
- The Register - Security: Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter
- The DefendOps Diaries: Understanding the Oracle Cloud Breach: CISA's Guidance and Recommendations
- ciso2ciso.com: CISA Urges Action on Potential Oracle Cloud Credential Compromise
- ciso2ciso.com: Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading to phishing, network breaches, and data theft.
Dissent@DataBreaches.Net
//
Oracle has confirmed a cloud data breach, issuing notifications to customers about a cybersecurity incident. The confirmation follows claims by a threat actor alleging possession of millions of data lines related to over 140,000 Oracle Cloud tenants, including sensitive Personally Identifiable Information (PII), along with corporate and financial data. The company states the breach involved what it described as "two obsolete servers," and maintains that its Oracle Cloud Infrastructure (OCI) was not compromised, and no OCI customer data was viewed or stolen. However, this incident has brought into question Oracle's communication strategy and the accuracy of its disclosures.
The company's initial response has sparked debate and criticism, with cybersecurity experts and customers expressing concern over potential inconsistencies in Oracle's narrative. While Oracle claims the issue stemmed from "obsolete servers," independent analyses and customer confirmations suggest that customer data may have been compromised, contradicting the company's initial denial of an OCI breach. The discrepancy between Oracle's statements and the emerging evidence has raised questions about transparency and the potential use of carefully chosen terminology to minimize the perceived impact of the incident.
The communication strategy has drawn specific criticism regarding Oracle's distinction between "Oracle Cloud" and "Oracle Cloud Classic." Experts, like Kevin Beaumont, have pointed out that this distinction allows Oracle to deny a breach of "Oracle Cloud" while acknowledging issues with "Oracle Classic," which is still part of Oracle's cloud services. This approach raises concerns about potential wordplay and its effects on customer trust and Oracle's reputation. The incident highlights the challenges companies face in maintaining transparency and trust during cybersecurity incidents, especially when sensitive customer data is at risk.
Recommended read:
References :
- DataBreaches.Net: Oracle’s statement to customers is still raising questions about its disclosure and transparency
- The DefendOps Diaries: Explore Oracle's security incident, its communication strategy, and the implications for customer trust and industry standards.
- securityaffairs.com: Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach.
- BleepingComputer: Oracle finally confirmed in email notifications sent to customers that a hacker stole and leaked credentials that were stolen from what it described as "two obsolete servers."
- The Register - Security: Oracle says its cloud was in fact compromised
- securityonline.info: Oracle Data Breach: Authenticity Confirmed Despite Denial
- Cyber Security News: CyberPress on Oracle Confirms Breach
- cyberinsider.com: Oracle Sends “Not a Breach” Notices to Customers Following Data Exposure
- phishingtackle.com: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
- Techzine Global: Oracle confirms data breach via outdated servers, denies cloud breach
- The Register - Security: The Reg translates the letter in which Oracle kinda-sorta tells customers it was pwned
- Phishing Tackle: Oracle Confirms Cloud Data Breach, Privately Alerts Affected Customers
- securityonline.info: At the end of March, a hacker claimed to have breached Oracle’s cloud infrastructure, allegedly exfiltrating approximately six million records. These reportedly included sensitive materials such as Oracle Cloud customer security keys, encrypted credentials, and LDAP authentication data. The threat actor even published a sample of the data as proof. Oracle promptly denied the breach, […]
- CyberInsider: CyberInsider article on Oracle sending data exposure notices to customers
- www.csoonline.com: Oracle admits breach of ‘obsolete servers,’ denies main cloud platform affected
Dissent@DataBreaches.Net
//
A data breach at Oracle Health has impacted multiple healthcare organizations and hospitals across the United States. The breach involved a threat actor gaining unauthorized access to legacy servers and stealing patient data. The incident, which occurred on February 20, 2025, was initially discovered by Oracle Health, formerly known as Cerner, but has only recently been publicly disclosed by BleepingComputer on March 28, 2025, after Oracle Health failed to respond to requests for comments.
The compromised data includes sensitive information from electronic health records, single sign-on credentials, Lightweight Directory Access Protocol passwords, OAuth2 keys, and tenant data. It is believed that the breach was facilitated through the use of compromised customer credentials, aligning with known attack techniques. The implications for healthcare organizations are substantial, particularly concerning compliance with HIPAA regulations, and could lead to legal repercussions and financial penalties for affected entities.
Oracle Health is facing criticism for its lack of transparency regarding the incident. The company is reportedly telling hospitals that it will not notify patients directly, leaving them to determine whether the stolen data triggers obligations under HIPAA. However, Oracle Health has committed to assisting in identifying impacted individuals and providing notification templates to help with notifications.
Recommended read:
References :
- bsky.app: Oracle Health breach compromises patient data at US hospitals
- BleepingComputer: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
- Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
- DataBreaches.Net: Oracle Health breach compromises patient data at US hospitals
- The DefendOps Diaries: The Oracle Health breach highlights urgent need for healthcare IT modernization to protect patient data and comply with regulations.
- Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- bsky.app: A breach at Oracle Health impacts multiple U.S. healthcare organizations and hospitals after patient data was stolen from legacy servers.
- DataBreaches.Net: Oracle customers confirm data stolen in alleged cloud breach is valid
- BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.
- SecureWorld News: Alleged Oracle Cloud Breach Triggers Industry Scrutiny, Supply Chain Concerns
- BleepingComputer: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
- aboutdfir.com: Oracle customers confirm data stolen in alleged cloud breach is valid: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- www.cybersecuritydive.com: Cybersecurity firms brace for impact of potential Oracle Cloud breach
- Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
- bsky.app: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. This is not related to the alleged Oracle Cloud breach.
- Risky Business Media: Oracle’s Health Tech division gets hacked and its customers extorted, the Italian government admits it used Paragon to spy on an NGO, a WordPress feature is being abused to silently install malicious plugins, and the Dutch public prosecutor pulls systems offline after a cyber incident.
- DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
- techxplore.com: Oracle warns health customers of patient data breach
- www.healthcareitnews.com: Oracle Health customers notified of data compromise, reports say
- Techzine Global: Hackers have gained access to Oracle’s computer systems. They stole patient data to extort money from several American healthcare providers, as evident from a message that the company sent to its customers. The FBI has launched an investigation.
- aboutdfir.com: Infosec News Nuggets: Oracle Health breach compromises patient data.
- hackread.com: Oracle Hit with Lawsuit Over Alleged Cloud Breach Affecting Millions
- : Oracle Cloud security SNAFU latest: IT giant accused of pedantry as evidence scrubbed
- techcrunch.com: Oracle has denied at least one breach, despite evidence to the contrary, as it begins notifying healthcare customers of a separate patient data breach.
- www.csoonline.com: Oracle warns customers of health data breach amid public denial
- The420.in: Oracle has informed customers of a second cybersecurity breach in recent weeks, involving the theft of older client login credentials. The incident, which is under investigation by the FBI and cybersecurity firm CrowdStrike, marks another challenge for the tech giant’s cloud infrastructure security.
@The DefendOps Diaries
//
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.
Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.
Recommended read:
References :
- www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
- iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
- doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
- www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
- www.healthcareitnews.com: Reports indicate Oracle Health customers received a letter about a data compromise.
- Techzine Global: Oracle acknowledged the breach related to their health tech division.
- www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
- DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
- infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
- Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
- aboutdfir.com: Oracle Health breach compromises patient data at US hospitals: A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […]
- techcrunch.com: Oracle under fire for its handling of separate security incidents
- techxplore.com: Oracle warns health customers of patient data breach
- The Register - Security: 1990s incident response in 2025: Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
- www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
- SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
- Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
Ross Kelly@itpro.com
//
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.
Oracle has denied any breach of its cloud infrastructure. An Oracle spokesperson stated, "There has been no breach of Oracle Cloud...The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, creating a text file captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.
Recommended read:
References :
- hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
- BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
- www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
- research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
- The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
- BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
- www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
- Patrick C Miller :donor:: Oracle denies breach after hacker claims theft of 6 million data records
- www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
- www.it-daily.net: 6 million data records: Oracle was allegedly hacked
- eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data.
- www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
- securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
- Arctic Wolf: On March 20, 2025, a Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
- Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
- www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
- www.scworld.com: Details of the alleged Oracle Cloud breach.
- The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
- www.itpro.com: Oracle breach claims spark war of words with security researchers
- SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
- The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
- Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
- : A threat actor, known as “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
- Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
- DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
- SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to  , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
- GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
- www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
- SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.
- Rescana: Executive Summary: The Oracle Health data breach significantly impacted multiple US healthcare organizations and hospitals by...
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References :
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether […]
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.