Oracle allegedly hacked: User data for sale on the darknet
Has there been an IT security incident at Oracle? Security researchers say yes; according to media reports, Oracle denies an attack.
Security researchers from CloudSEK report that sensitive data belonging to around 140,000 Oracle customers is for sale on the darknet. This information is said to have originated from a cyberattack. According to the hardware and software manufacturer, however, there has been no IT security incident.
An Oracle spokesperson assured the IT news website Bleepingcomputer of this. A response to an inquiry from heise security is still pending. Oracle's statement contradicts the findings the security researchers present in their report.
Access data copied
In it, they state that a user with the pseudonym "rose87168" is offering for sale in an underground forum a data package with 6 million entries containing personal data from 140,000 Oracle customers. The security researchers claim to have spoken to the seller of the data.
They state that the attacker could have gained access to oraclecloud.com via a security vulnerability. He is said to have copied data such as encrypted SSO passwords. He is now asking for help cracking the passwords and holding out the prospect of a reward. According to the researchers, he has published a list of affected companies on X; these companies can contact him so that he removes their data for a fee.
Further background
As proof that he compromised the login.us2.oraclecloud.com subdomain, which has since been taken offline, the security researchers cite a URL leading to a text file on the Oracle server that contains the cybercriminal's email address. This file is still accessible via the Wayback Machine.
According to the researchers, the Wayback Machine entry also shows that the server was running Fusion Middleware 11g with a patch level dating from the end of September 2014. The researchers therefore suspect that the entry point was a "critical" vulnerability (CVE-2021-35587) in the OpenSSO agent. This vulnerability could be exploited over the network without authentication and with comparatively little effort.
It now remains to be seen how Oracle will comment on the incident.
(des)