A threat actor on BreachForums claims to have stolen 6 million credentials from oraclecloud.com, including JKS files, passwords, key files, and Enterprise Manager JPS keys. The attacker also published a list of potentially affected companies, raising concerns about a widespread breach. Oracle has denied the claims, but a suspicious flag uploaded to an Oracle portal, containing the attacker's email address, has added intrigue. BleepingComputer reported on this development and linked to the alleged flag.
BreachForums Post: https://lnkd.in/edgPRVJj
BleepingComputer Report: https://lnkd.in/e-gtbRiY
Attacker's Flag: https://lnkd.in/eZCnWGa6
### **You Should Know: How to Secure Oracle Cloud & Detect Credential Leaks**
#### **1. Verify Compromised Credentials**
Use tools like Have I Been Pwned or DeHashed to check if your credentials were exposed:
```bash
# API_KEY: your DeHashed API key; [email protected] is a placeholder for the address to look up
curl -s "https://api.dehashed.com/[email protected]" -u API_KEY:
```
#### **2. Rotate Oracle Cloud Keys & Passwords**
Immediately rotate all Oracle Cloud credentials, including:
- JKS files (Java Keystores)
- SSH keys
- Database passwords

**Linux Command to List JKS Files:**
```bash
find / -name "*.jks" 2>/dev/null
```

**Regenerate SSH Keys:**
```bash
ssh-keygen -t rsa -b 4096 -f ~/.ssh/new_oracle_key
```
#### **3. Monitor Oracle Cloud Logs for Unauthorized Access**
Check Oracle Cloud audit logs:
```bash
grep "authentication failure" /var/log/oracle-cloud.log
```
#### **4. Enable Multi-Factor Authentication (MFA)**
Enforce MFA on all Oracle Cloud accounts:
```bash
oci iam user update --user-id USER_OCID --is-mfa-activated true
```

#### **5. Check for Suspicious Network Connections**
Use `netstat` to detect unexpected Oracle Cloud connections:
```bash
netstat -tulnp | grep oracle
```

#### **6. Scan for Malicious Files**
Use `clamav` to scan for malware:
```bash
sudo apt install clamav && sudo freshclam && sudo clamscan -r /
```
### **What Undercode Say**
This incident highlights the importance of proactive credential management and threat intelligence monitoring. If the breach is confirmed, affected organizations must:
- Revoke all exposed keys (`oci iam customer-secret-key delete --key-id KEY_OCID`)
- Audit Oracle Cloud IAM policies (`oci iam policy list --compartment-id COMP_OCID`)
- Deploy SIEM tools (e.g., Splunk, ELK) to track anomalous logins.
**Linux Command to Check Active Oracle Sessions:**
```bash
ps aux | grep 'oracle'
```

**Windows Command to Verify Oracle Services:**
```
sc query | findstr "Oracle"
```

**Expected Output:**
```
SERVICE_NAME: OracleServiceXE
DISPLAY_NAME: Oracle Database Service XE
```
Stay vigilant: threat actors often use stolen credentials for lateral movement.
Reported By: Oletros En – Hackers Feeds