Adversary Intelligence
3
mins read

The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants

CloudSEK uncovers a major breach targeting Oracle Cloud, with 6 million records exfiltrated via a suspected undisclosed vulnerability. Over 140,000 tenants are impacted, as the attacker demands ransom and markets sensitive data online. Learn the full scope, risks, and how to respond.

CloudSEK TRIAD
March 21, 2025
Green Alert
Last Update posted on
March 21, 2025
Proactive Monitoring of the Dark Web for your organization.

Proactively monitor and defend your organization against threats from the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. 

The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity.

Analysis and Attribution

Information from the Post

CloudSEK's XVigil discovered threat actor "rose87168" selling 6 million records extracted from Oracle Cloud's SSO and LDAP on March 21, 2025. The threat actor claims to have gained access by hacking the login endpoint: login.(region-name).oraclecloud.com.

Threat actor listing 6M records exfiltrated from Oracle Cloud

  • The database includes:
    • ~6 million lines of data dumped from Oracle Cloud’s SSO and LDAP that include
      • JKS files, 
      • encrypted SSO passwords, 
      • key files,
      • enterprise manager JPS keys.
  • Additionally, the threat actor offered an incentive to anyone that helped them decrypt the SSO passwords, and/or crack the LDAP passwords.
  • The list of affected tenants is over 140k, and the threat actor is urging companies to contact them and pay a certain “fee” to get their data removed.
  • The threat actor also created an X page and started following Oracle related pages.

Screenshot of the  threat actor’s X account following list

  • As the threat actor seems to have exploited a web application vulnerability, we started looking at the webservers being used for oraclecloud login pages. We noticed that most of the oracle cloud login pages were showing the favicon for oracle web logic server.
Screenshot from FOFA showing that the majority of favicons from oraclecloud login pages are Oracle Web Logic server favicons

  • Based on the available information, it can be ascertained with medium confidence that the threat actor used an undisclosed vulnerability on Oracle WebLogic servers used for hosting the login pages for oraclecloud.com. By exploiting login endpoints for all regions, the threat actor was subsequently able to dump data pertaining to the underlying tenants. 

Threat Actor Activity and Rating

Threat Actor Profiling
Active since Jan 2025
Reputation 0
Current Status ACTIVE
History A new user on the forum with no history of previous attacks. However, the samples and supporting information shared by the threat actor points towards a high sophistication.
Rating High

Impact

  • Mass Data Exposure: Compromise of 6M records, including sensitive authentication-related data, increases risks of unauthorized access and corporate espionage.
  • Credential Compromise: Encrypted SSO and LDAP passwords, if cracked, could enable further breaches across Oracle Cloud environments.
  • Extortion & Ransom Demands: Threat actor is coercing affected companies to pay for data removal, increasing financial and reputational risks.
  • Zero-Day Exploitation: The suspected use of a zero-day vulnerability raises concerns about Oracle Cloud security and potential future attacks.
  • Supply Chain Risks: Exposure of JKS and key files may enable attackers to pivot and compromise multiple interconnected enterprise systems.


Mitigation

  • Immediate Credential Rotation: Change all SSO, LDAP, and associated credentials, ensuring strong password policies and MFA enforcement.
  • Incident Response & Forensics: Conduct a thorough investigation to identify potential unauthorized access and mitigate further risks.
  • Threat Intelligence Monitoring: Continuously track dark web and threat actor forums for discussions related to the leaked data.
  • Engage with Oracle Security: Report the incident to Oracle for verification of a potential zero-day and seek patches or mitigations.
  • Strengthen Access Controls: Implement strict access policies, least privilege principles, and enhanced logging to detect anomalies.

References

#Traffic Light Protocol - Wikipedia

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

3

min read

The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants

CloudSEK uncovers a major breach targeting Oracle Cloud, with 6 million records exfiltrated via a suspected undisclosed vulnerability. Over 140,000 tenants are impacted, as the attacker demands ransom and markets sensitive data online. Learn the full scope, risks, and how to respond.

Authors
CloudSEK TRIAD
CloudSEK Threat Research and Information Analytics Division
Co-Authors
No items found.

Executive Summary

On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys. 

The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity.

Analysis and Attribution

Information from the Post

CloudSEK's XVigil discovered threat actor "rose87168" selling 6 million records extracted from Oracle Cloud's SSO and LDAP on March 21, 2025. The threat actor claims to have gained access by hacking the login endpoint: login.(region-name).oraclecloud.com.

Threat actor listing 6M records exfiltrated from Oracle Cloud

  • The database includes:
    • ~6 million lines of data dumped from Oracle Cloud’s SSO and LDAP that include
      • JKS files, 
      • encrypted SSO passwords, 
      • key files,
      • enterprise manager JPS keys.
  • Additionally, the threat actor offered an incentive to anyone that helped them decrypt the SSO passwords, and/or crack the LDAP passwords.
  • The list of affected tenants is over 140k, and the threat actor is urging companies to contact them and pay a certain “fee” to get their data removed.
  • The threat actor also created an X page and started following Oracle related pages.

Screenshot of the  threat actor’s X account following list

  • As the threat actor seems to have exploited a web application vulnerability, we started looking at the webservers being used for oraclecloud login pages. We noticed that most of the oracle cloud login pages were showing the favicon for oracle web logic server.
Screenshot from FOFA showing that the majority of favicons from oraclecloud login pages are Oracle Web Logic server favicons

  • Based on the available information, it can be ascertained with medium confidence that the threat actor used an undisclosed vulnerability on Oracle WebLogic servers used for hosting the login pages for oraclecloud.com. By exploiting login endpoints for all regions, the threat actor was subsequently able to dump data pertaining to the underlying tenants. 

Threat Actor Activity and Rating

Threat Actor Profiling
Active since Jan 2025
Reputation 0
Current Status ACTIVE
History A new user on the forum with no history of previous attacks. However, the samples and supporting information shared by the threat actor points towards a high sophistication.
Rating High

Impact

  • Mass Data Exposure: Compromise of 6M records, including sensitive authentication-related data, increases risks of unauthorized access and corporate espionage.
  • Credential Compromise: Encrypted SSO and LDAP passwords, if cracked, could enable further breaches across Oracle Cloud environments.
  • Extortion & Ransom Demands: Threat actor is coercing affected companies to pay for data removal, increasing financial and reputational risks.
  • Zero-Day Exploitation: The suspected use of a zero-day vulnerability raises concerns about Oracle Cloud security and potential future attacks.
  • Supply Chain Risks: Exposure of JKS and key files may enable attackers to pivot and compromise multiple interconnected enterprise systems.


Mitigation

  • Immediate Credential Rotation: Change all SSO, LDAP, and associated credentials, ensuring strong password policies and MFA enforcement.
  • Incident Response & Forensics: Conduct a thorough investigation to identify potential unauthorized access and mitigate further risks.
  • Threat Intelligence Monitoring: Continuously track dark web and threat actor forums for discussions related to the leaked data.
  • Engage with Oracle Security: Report the incident to Oracle for verification of a potential zero-day and seek patches or mitigations.
  • Strengthen Access Controls: Implement strict access policies, least privilege principles, and enhanced logging to detect anomalies.

References

#Traffic Light Protocol - Wikipedia