Okay, this is not good:
"Executive Summary
On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys."
"The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity."
https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
https://exposure.cloudsek.com/
BrianKrebs /
npub1rf…5t9xk
2025-03-21 17:33:43
Author Public Key
npub1rfdvtvmesnz7x7s3hjg5q2dgrup9xfh209gvj36angljrfy5edtq25t9xkSeen on
wss://relay.mostr.pubPublished at
2025-03-21 17:33:43Event JSON
{
"id": "54c965a084b9f8caed212f5d2bb479c040e398c404732712ba4db2b9a006d14d",
"pubkey": "1a5ac5b37984c5e37a11bc914029a81f025326ea7950c9475d9a3f21a494cb56",
"created_at": 1742578423,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/briankrebs/statuses/114201619576206295",
"activitypub"
]
],
"content": "Okay, this is not good:\n\n\"Executive Summary\nOn 21 March 2025, CloudSEK’s XVigil discovered a threat actor, \"rose87168,\" selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.\" \n\n\"The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication, CloudSEK assesses this threat with medium confidence and rates it as High in severity.\"\n\nhttps://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants\n\nhttps://exposure.cloudsek.com/",
"sig": "cfb2c83dc76abfac7ae6db5041549f2a1cf829a48419d3b24aa02fd55f444597aa8b8841ad14b23fc78c723720667753610ccfa9b5cfc0b3293b6df2d9bf817f"
}