Strange Situation at Oracle (OCI) Involving Threat Actor Access


A concerning situation is unfolding at Oracle Cloud Infrastructure (OCI), where a threat actor with questionable credibility has posted videos demonstrating internal OCI access. The actor appears to have written files to public-facing Oracle Access Management servers, raising serious security concerns.

You Should Know:

#### **1. Investigate Suspicious Access with Log Analysis**

Use these Linux commands to check for unauthorized access:

```bash
# Check authentication logs for unusual activity
grep "authentication failure" /var/log/auth.log

# Monitor active and listening connections (use `ss -tuna` on systems without netstat)
netstat -tuna

# Check for files modified in the last 24 hours
find / -type f -mtime -1 -exec ls -la {} \;
```

#### **2. Secure Oracle Access Management (OAM) Servers**

If you manage OAM servers, verify configurations:

```bash
# Check open ports on OAM servers
nmap -sV -p 80,443,7001 <OAM_Server_IP>

# Review OAM logs for anomalies (-E is required for the | alternation)
tail -f /var/log/oam/logs/access.log | grep -E "POST|GET"
```

#### **3. Validate File Integrity**

Detect unauthorized file writes:

```bash
# Generate SHA-256 hashes of critical files
find /opt/oracle/oam/ -type f -exec sha256sum {} \; > oam_hashes.txt

# Compare against known good hashes
diff oam_hashes.txt known_hashes.txt
```
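A file-integrity check built on the same idea, as an added example that is not part of the original post or Oracle's tooling: it snapshots a directory tree, stores the baseline in sha256sum's own `<digest>  <path>` format so the output of the `find`/`sha256sum` command above can be fed in directly, and reports added, removed and modified files instead of a raw `diff`. The `/opt/oracle/oam` stand-in and the files created in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
# Added example, not Oracle's or the page's own tooling. Assumption: the baseline
# file uses sha256sum's "<digest>  <path>" lines, as produced by the command above.

def hash_tree(root):
    """Return {path: sha256 hex} for every regular (non-symlink) file under root."""
    return {
        str(p): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and not p.is_symlink()
    }

def format_baseline(hashes):
    """Serialise in sha256sum's two-space format so standard tools can read it."""
    return "".join(f"{d}  {p}\n" for p, d in sorted(hashes.items()))

def parse_baseline(text):
    """Parse sha256sum-style lines; blank lines and '#' comments are ignored."""
    baseline = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, path = line.partition("  ")
            baseline[path] = digest.lower()
    return baseline

def compare(baseline, current):
    """Classify drift as files added, removed, or modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a tree, then alter, delete and plant files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "oam"                      # stand-in for /opt/oracle/oam
        (root / "config").mkdir(parents=True)
        (root / "config" / "oam-config.xml").write_text("<config/>")
        (root / "README").write_text("ok")
        baseline = parse_baseline(format_baseline(hash_tree(root)))
        (root / "config" / "oam-config.xml").write_text("<config changed='1'/>")
        (root / "README").unlink()
        (root / "unexpected.jsp").write_text("x")     # simulated unauthorized write
        drift = compare(baseline, hash_tree(root))
        return {k: [Path(p).relative_to(root).as_posix() for p in v]
                for k, v in drift.items()}
```

`demo()` returns the three drift lists with paths relative to the stand-in root; in production, store the baseline off-host so an intruder cannot rewrite it alongside the files.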

#### **4. Block Suspicious IPs at Firewall Level**

```bash
# Use iptables to block an attacker's IP
iptables -A INPUT -s <Malicious_IP> -j DROP

# Save firewall rules persistently (Ubuntu, with the iptables-persistent package)
iptables-save > /etc/iptables/rules.v4
```

#### **5. Enable Multi-Factor Authentication (MFA)**

Ensure OCI accounts enforce MFA:

```bash
# List users whose MFA is activated; any user absent from this output needs follow-up
oci iam user list --query "data[?\"is-mfa-activated\"]"
```

### **What Undercode Says:**

This incident highlights the importance of proactive security measures in cloud environments. Threat actors often exploit misconfigurations or weak credentials. Regularly audit access logs, enforce strict IAM policies, and monitor file integrity.

For Oracle administrators, prioritize:

  • Patch Management: Apply OCI security patches immediately.
  • Least Privilege: Restrict user permissions.
  • SIEM Integration: Forward logs to a SIEM for real-time analysis.
  • Incident Response Plan: Prepare for breach scenarios with documented procedures.

### **Expected Output:**

Sample output of the OCI user MFA status command:

```json
{
  "data": [
    {
      "id": "ocid1.user.oc1..example",
      "is-mfa-activated": true
    }
  ]
}
```

Reported By: Kevin Beaumont – Hackers Feeds