
The Cybersecurity and Infrastructure Security Agency (CISA) is suggesting that organizations that have been affected by a potential data breach at Oracle’s Cloud Infrastructure reset passwords to minimize the risk associated with credential compromise.
“CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment. While the scope and impact remain unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals,” America’s cybersecurity defense agency said in a security advisory.
The compromise of credential material, such as usernames, emails, passwords, authentication tokens, and encryption keys, can pose a significant risk to enterprise environments.
Threat actors can use this information to gain access to a company’s cloud environment and identity management systems, escalate privileges, move laterally within corporate networks, launch phishing or business email compromise (BEC) campaigns, or resell it on the dark web.
Since it’s better to be safe than sorry, organizations should reset passwords for any known affected users. They should also review source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded or embedded credentials and replace them with secure authentication methods.
Furthermore, businesses should monitor authentication logs for anomalous activities and enforce phishing-resistant multi-factor authentication (MFA) for all users and administrators.
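As an added illustration of the credential review CISA recommends (not code from the article or the advisory), the following Python scanner flags literal secrets in constructed Terraform, shell and YAML samples while ignoring values that merely reference a variable or secret store. The sample file contents, key-name list and entropy threshold are assumptions.

```python
import re
from collections import Counter
from math import log2
# Keys that commonly carry a credential in IaC, scripts and config files (assumed list).
CRED_KEY = re.compile(r'(?i)(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)\s*[:=]\s*["\']?([^"\'\s,]+)')
# Values that point at a variable or secret store instead of embedding one.
INDIRECT = re.compile(r'^(\$\{.*\}|\$[A-Z_]+|var\.|data\.|os\.environ|vault:|<.*>)')
# user:password given inline to curl -u, or inside a URL before '@'.
INLINE_AUTH = re.compile(r'(?:-u\s+[^\s:]+:(\S+)|://[^\s:/@]+:([^\s@/]+)@)')

# Constructed sample artefacts; nothing here is real Oracle or customer data.
SAMPLE_FILES = {
    "main.tf": 'provider "oci" {\n  tenancy_ocid = var.tenancy\n'
               '  private_key_password = "Sup3rS3cretPwd!"\n}\n',
    "deploy.sh": 'export DB_PASSWORD="${DB_PASSWORD}"\n'
                 'curl -u admin:hunter2 https://example.invalid/api\n',
    "app.yaml": 'db:\n  password: ${DB_PASSWORD}\n'
                '  api_token: ya29.a0AfH6SMBxK3qLpR9tVzW2nYcE7uJd\n'
                '  jks_store_b64: 8f3KqP2mZx9LwR4tVb7NcY1sHd6JgE0aQu5T\n',
}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys and tokens score high."""
    return -sum(c / len(s) * log2(c / len(s)) for c in Counter(s).values())

def _finding(name, lineno, reason, value):
    # Report enough to locate the secret, never the full value.
    return {"file": name, "line": lineno, "reason": reason, "value": value[:3] + "..."}

def scan_text(name: str, text: str) -> list:
    """Return one finding per line that appears to embed a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_KEY.search(line)
        if m and not INDIRECT.match(m.group(2)):
            findings.append(_finding(name, lineno, f"literal value for key '{m.group(1)}'", m.group(2)))
            continue
        m = INLINE_AUTH.search(line)
        if m:
            findings.append(_finding(name, lineno, "user:password embedded in command or URL", m.group(1) or m.group(2)))
            continue
        for tok in re.findall(r'[A-Za-z0-9+/=_\-]{20,}', line):
            if shannon_entropy(tok) > 3.5:  # threshold is a heuristic assumption
                findings.append(_finding(name, lineno, "high-entropy string", tok))
                break
    return findings

def scan_files(files: dict) -> list:
    """Scan a mapping of file name to contents and collect all findings in order."""
    return [f for name, text in files.items() for f in scan_text(name, text)]
```

Every hit is a candidate for replacement with a managed identity, vault reference or environment-injected secret, followed by rotation of the exposed value.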
Users are advised to change their online passwords, choosing a strong, unique password for each account, and to stay alert for phishing attempts.
In March, a threat actor called ‘rose87168’ posted 6 million data records from Oracle Cloud’s SSO platform for sale on BreachForums. In addition, they claimed to have possession of encrypted SSO passwords, Java Keystore (JKS) files, key files, enterprise manager JPS keys, and Lightweight Directory Access Protocol (LDAP) hashed passwords.
The hacker demanded 100,000 XMR, or roughly €19.8 million, for information on how they breached the servers.
At first, Oracle denied that a data breach had occurred. However, a week ago, the Austin, Texas-based tech company acknowledged the attacker had breached a legacy environment that was last used in 2017.
“Oracle would like to state unequivocally that the Oracle Cloud, also known as Oracle Cloud Infrastructure or OCI, has NOT experienced a security breach. No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” Oracle told BleepingComputer in a response.
“A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore, the hacker was not able to access any customer environments or customer data,” the company added.
The FBI is currently investigating the incident at Oracle.