
    ZenoX reveals a leak in Oracle Cloud that exposes data of 6 million users, including Brazilian companies

    A hacker identified as "rose87168" claims to have breached Oracle Cloud and stolen 6 million records, including passwords and sensitive files. The hacker is demanding payment from more than 140,000 companies, including several large Brazilian organizations, to prevent the stolen data from leaking. ZenoX, a cybersecurity startup of the Dfense Group, leader and pioneer in the use of artificial intelligence against digital threats, is closely monitoring the situation and is alert to the severe risks that this incident represents, especially for Brazil, the second most affected country. While Oracle denies that a data breach occurred, the discrepancy between that denial and the hacker's actions raises important concerns about cloud security and reinforces the need for proactive protection measures.

    Incident details

    • Hacker "rose87168": claims to have exploited a vulnerability, possibly related to Oracle WebLogic Server, to break into the Oracle Cloud login system
    • 6 million stolen records: including encrypted passwords (with the potential to be cracked), JKS files, internal access keys and Enterprise Manager JPS data
    • Digital extortion: the hacker demands payment to avoid leaking the data and is seeking help to crack the encrypted passwords
    • Impact in Brazil: various large Brazilian organizations, including banks, public agencies and private companies, are among those affected
    • Risk to the supply chain: the compromised data can be used for attacks on companies connected to the affected ones

    According to Ana Cerqueira, CRO of ZenoX, the potential impacts for Brazilian companies are:

    • Unauthorized access to systems: leaked credentials can give cybercriminals access to sensitive corporate systems
    • Authentication failure: the reliability of the Single Sign-On (SSO) authentication structure can be compromised
    • Targeted attacks: leaked information about the organizational structure can facilitate targeted attacks
    • Sophisticated phishing: leaked data can make phishing attacks more convincing and harder to detect
    • Legal and reputational risks: companies may face reputational risks and legal notifications under the LGPD

    The executive recommends the following protective measures:

    • Immediate password reset for Oracle SSO users
    • Implementation or reinforcement of multi-factor authentication (MFA)
    • Review of access logs to identify suspicious activities
    • Constant monitoring of login attempts and access anomalies
    • Implementation of context-based access controls (time, location, device)
    • Proactive communication with internal teams about phishing risks
    • Rotation of tokens and potentially compromised encryption keys
    • Complete audit of access rights, implementing the principle of least privilege
    E-Commerce Update