With Oracle not budging from its denial of a breach that a growing number of security experts believe occurred, some are urging the company's cloud customers to take immediate steps to verify if their data was compromised and to protect against any resulting misuse.
If the breach indeed occurred, the primary concerns include attackers leveraging stolen data to infiltrate cloud environments, escalating privileges to administrative control, and reusing credentials for lateral movement across affected organizations.
Cybersecurity Compliance Implications
Additionally, any exposure of personally identifiable information (PII) and passwords could trigger compliance requirements under statutes like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) for covered organizations, Trustwave said in its take on the reported incident.
"This leak is a serious breach of identity and privilege-related security, underscoring the need for timely de-provisioning, password hygiene, and multi-factor authentication," Trustwave researchers Nikita Kazymirskyi and Karl Sigler wrote in a Trustwave blog post. "The exposure of [records,] especially with access tied to administrative groups, could serve as a direct entry point for ransomware deployment, data exfiltration, or long-term espionage."
News of the possible breach first surfaced on March 21 when CloudSEK reported seeing hacker "rose87168" attempting to sell around 6 million records allegedly obtained from Oracle's single sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) systems in a cybercrime forum. CloudSEK identified the stolen data as including encrypted SSO passwords, Java KeyStore (JKS) files, key files, and enterprise manager JPS keys associated with over 140,000 Oracle cloud tenants, or customers.
The attacker appears to have exploited an unpatched vulnerability in Oracle Fusion Middleware (CVE-2021-35587) to compromise Oracle cloud's login and authentication system and steal the data, CloudSEK reported.
Convincing Breach Evidence?
After Oracle denied that any such breach had occurred, the threat actor rose87168 shared a sample of 10,000 records allegedly taken from the breach, with CloudSEK, SOCRadar, and a few others. The records, according to the researchers who analyzed them, strongly pointed to a breach of Oracle's cloud environment. Others, including threat intelligence firm Hudson Rock, reported hearing directly from Oracle Cloud customers who recognized the leaked data as their own, adding further credibility to claims of a breach.
Trustwave analyzed a database sample with PII, a sample of LDAP records with PII, and a list of companies allegedly affected by the breach. Its analysis showed the data to include markers that clearly identified accounts with elevated permissions and access to sensitive data, accounts that were active or inactive, accounts with admin access, and other contextual data that would allow an attacker to prioritize targets effectively. It found the list of affected companies to be made up of 128,466 unique domain names.
"If true, the scale of this breach is massive," Kazymirskyi and Sigler wrote. "For companies involved in such a breach, the consequences can be severe and multifaceted. Attackers can sell or exploit access to these networks for ransomware deployment, data theft, or espionage."
CloudSEK has provided a resource that organizations could use to verify if the reported breach affected them.
How to Protect Oracle Cloud Accounts
Liran Farazis, global enterprise security manager at Sygnia, recommends that organizations that find themselves on the list should take immediate measures to protect themselves.
The measures, which Sygnia documented in a recent blog post, include resetting all credentials in Oracle Cloud SSO, LDAP, or encrypted configuration files; invalidating existing sessions and tokens; and reviewing access logs, authentication records, and application behavior across Oracle Cloud components. "Reviewing this data helps identify unusual activity, such as failed login attempts, session anomalies, or unauthorized changes," Sygnia said. The vendor also recommends that potentially affected organizations rotate all cryptographic keys and secrets and implement continuous monitoring of the affected environment.
"While we cannot confirm exactly how the incident occurred, there is a strong basis to believe it did happen," Farazis says. He says the complexity associated with some of the mitigation measures will vary depending on the environment. "Some of the recommended mitigations can be challenging to implement and require careful planning and testing," Farazis adds. "The overall impact and urgency of these actions also depend on how many services and resources the organization has deployed in Oracle Cloud, as well as how those services are integrated into their broader environment."
Trustwave had similar advice for potentially affected organizations: Force password resets, enforce multifactor authentication for all systems, regenerate SSO/SAML/OIDC secrets, and audit and revoke dormant and unused accounts. The company suggests that organizations isolate and monitor critical systems, especially if the exposed credentials provided access to them.
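As an added illustration of the log review Sygnia and Trustwave recommend (this is example code written for this page, not a tool from either vendor or from Oracle), the following Python runs three checks over constructed authentication events: a burst of failed logins followed by a success on the same account, successful sessions for one account from two source addresses within minutes, and any successful login by an account the organization has already marked dormant. The log line format, user names and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real SSO/LDAP logs): timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2025-03-22T08:00:01Z user=alice src=203.0.113.5 result=FAIL
2025-03-22T08:00:04Z user=alice src=203.0.113.5 result=FAIL
2025-03-22T08:00:09Z user=alice src=203.0.113.5 result=FAIL
2025-03-22T08:00:15Z user=alice src=203.0.113.5 result=SUCCESS
2025-03-22T08:05:00Z user=bob src=198.51.100.7 result=SUCCESS
2025-03-22T08:06:00Z user=bob src=192.0.2.44 result=SUCCESS
2025-03-22T09:00:00Z user=svc_backup src=203.0.113.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(SUCCESS|FAIL)$")


def parse(log):
    """Parse log text into (timestamp, user, src_ip, result) tuples; skips malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_anomalies(events, dormant_accounts, fail_threshold=3, window=timedelta(minutes=5)):
    """Return {user: [reasons]} for accounts whose activity matches a reuse/guessing pattern."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = defaultdict(list)
    for user, evs in by_user.items():
        evs.sort()
        successes = [e for e in evs if e[3] == "SUCCESS"]
        # Check 1: a success preceded by >= fail_threshold failures inside the window.
        for i, (ts, _, _, res) in enumerate(evs):
            fails = [e for e in evs[:i] if e[3] == "FAIL" and ts - e[0] <= window]
            if res == "SUCCESS" and len(fails) >= fail_threshold:
                findings[user].append("success after %d failures" % len(fails))
                break
        # Check 2: consecutive successful sessions from different source IPs within the window.
        for a, b in zip(successes, successes[1:]):
            if a[2] != b[2] and b[0] - a[0] <= window:
                findings[user].append("sessions from %s and %s within window" % (a[2], b[2]))
                break
        # Check 3: an account flagged dormant during the access audit logged in at all.
        if user in dormant_accounts and successes:
            findings[user].append("dormant account logged in")
    return dict(findings)
```

Thresholds and the window are deliberately simple; in practice they would be tuned per identity provider and fed from exported audit records rather than an inline string.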
Oracle did not immediately respond to a Dark Reading request for comment for this article. But in previous statements, the company has denied that any breach of its Oracle Cloud Infrastructure (OCI) has happened. "The published credentials," according to the company's last statement to Dark Reading, "are not for OCI. No OCI customers experienced a breach or lost any data."
However, some believe Oracle may be deliberately crafting narrow denials by referring specifically to OCI, potentially leaving room for breaches in other parts of its cloud ecosystem. In a March 31 post on Medium, security researcher Kevin Beaumont said the security incident appears to involve Oracle Cloud Classic, the older version of OCI. "Oracle are denying it on 'Oracle Cloud' by using this scope — but it's still Oracle cloud services that Oracle manage," Beaumont wrote.
"Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility," Beaumont said. "This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they're doing about it."
https://www.darkreading.com/application-security/oracle-cloud-users-urged-take-action