The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants


CloudSEK recently uncovered a massive breach involving Oracle Cloud, where 6 million records were exfiltrated from the SSO and LDAP systems. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. The threat actor, “rose87168,” has been active since January 2025 and is demanding payment for the removal of data from over 140,000 affected tenants. The breach exploits a 4-year-old vulnerability (CVE-2021-35587) in Oracle Fusion Middleware, which allows unauthorized access via HTTP.

You Should Know:

1. Check if Your Organization is Affected:

  • Visit the webpage provided by CloudSEK to verify if your organization is listed among the affected tenants: Check Your Organization

2. Patch Management:

  • Ensure that your Oracle Fusion Middleware is up-to-date. Apply the latest patches to mitigate the vulnerability (CVE-2021-35587).
  • The original post gives the following command to check for available updates on a Linux system. Note that `oracle-fusion-middleware` is not a real OS package name; Oracle Fusion Middleware patches are normally downloaded from My Oracle Support and applied with OPatch, so treat this as a placeholder for your actual patch procedure:
    sudo yum update oracle-fusion-middleware

3. Secure Coding Practices:

  • Review and update your coding practices to prevent insecure coding that could lead to vulnerabilities.
  • Implement code reviews and static code analysis tools to identify potential security issues.

4. Network Security:

  • Restrict network access to Oracle Access Manager (OAM) via HTTP. Use firewalls to limit access to trusted IP addresses.
  • Example commands to add firewall rules using iptables. Rules are evaluated in order, so the ACCEPT rule for the trusted address must be appended before the catch-all DROP; `trusted_ip` is a placeholder for your allowed source address or network:
    # allow the trusted source, then drop everything else on port 80
    sudo iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j DROP

5. Encryption and Key Management:

  • Ensure that all sensitive data, including SSO passwords and key files, are encrypted using strong encryption algorithms.
  • Use the following OpenSSL command to encrypt a file (it prompts for a passphrase; on OpenSSL 1.1.1 and later, adding `-pbkdf2` selects the stronger key derivation instead of the legacy default):
    openssl enc -aes-256-cbc -salt -in file.txt -out file.enc

6. Monitoring and Logging:

  • Implement robust monitoring and logging to detect unauthorized access attempts.
  • Use the following command to monitor logs in real time (the path is an example from the original post; substitute the access log location of your Oracle HTTP Server or OAM installation):
    tail -f /var/log/oracle/access.log
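Watching the log scroll past with `tail -f` only helps if someone is reading it. As an added example (not from the original post or from Oracle), the script below turns the same idea into a check that can run over a captured access log: it parses Apache-style combined log lines (the format Oracle HTTP Server writes), flags requests to the OAM URL space from sources outside a trusted allowlist, and flags bursts of 401/403 responses from a single address. The trusted networks, the `/oam/` and `/oamconsole/` prefixes, and the sample log lines are all constructed assumptions to adapt to your environment.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache/OHS combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Networks allowed to reach OAM (constructed placeholders; use your own ranges).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
# URL prefixes that should only be reachable from trusted networks (assumption).
SENSITIVE_PREFIXES = ("/oam/", "/oamconsole/")
AUTH_FAIL_THRESHOLD = 3  # 401/403 responses from one IP before we flag it

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return (reason, ip, detail) findings for the given access log lines."""
    findings = []
    auth_failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", None, line.strip()))
            continue
        if rec["path"].startswith(SENSITIVE_PREFIXES) and not is_trusted(rec["ip"]):
            findings.append(("untrusted_source", rec["ip"], rec["path"]))
        if rec["status"] in ("401", "403"):
            auth_failures[rec["ip"]] += 1
    for ip, n in auth_failures.items():
        if n >= AUTH_FAIL_THRESHOLD:
            findings.append(("auth_failure_burst", ip, f"{n} failures"))
    return findings

# Constructed sample lines: one trusted hit, one untrusted IP hammering the login
# endpoint, and an unrelated request that should not be flagged.
SAMPLE_LOG = [
    '10.1.2.3 - - [21/Mar/2025:10:00:00 +0000] "GET /oam/server/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Mar/2025:10:00:05 +0000] "POST /oam/server/auth HTTP/1.1" 401 0',
    '203.0.113.7 - - [21/Mar/2025:10:00:06 +0000] "POST /oam/server/auth HTTP/1.1" 401 0',
    '203.0.113.7 - - [21/Mar/2025:10:00:07 +0000] "POST /oam/server/auth HTTP/1.1" 403 0',
    '192.168.1.20 - - [21/Mar/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Pipe the real access log into `find_suspicious` (for example `find_suspicious(open(path))`) and feed the findings to whatever alerting your SOC already uses.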

7. Incident Response:

  • Develop and test an incident response plan to quickly address any security breaches.
  • Example command to create a backup of critical files before incident response:
    tar -czvf backup.tar.gz /path/to/critical/files
    

What Undercode Say:

The Oracle Cloud breach highlights the critical importance of patch management, secure coding practices, and robust network security. Organizations must proactively address vulnerabilities and implement comprehensive security measures to protect sensitive data. Regular monitoring, encryption, and incident response planning are essential components of a strong cybersecurity strategy.

Expected Output:

  • Check Your Organization: CloudSEK's lookup page (Check Your Organization)
  • Patch Management: `sudo yum update oracle-fusion-middleware`
  • Network Security: `sudo iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT`
  • Encryption: `openssl enc -aes-256-cbc -salt -in file.txt -out file.enc`
  • Monitoring: `tail -f /var/log/oracle/access.log`
  • Incident Response: `tar -czvf backup.tar.gz /path/to/critical/files`

References:

Reported By: Mthomasson If – Hackers Feeds
