Big: I just received 10,000 records from the Oracle breach, given to me by 'rose87168', and I'm actively working to validate the claims (initial feedback from customers received, likely confirming the breach). To get to the bottom of this, I've reached out to Hudson Rock's customers who were impacted by this breach, sharing sample data and asking key questions to verify the information and gain deeper insight. Specifically, I'm seeking to confirm:

1) whether the listed user accounts exist in their Oracle Cloud environments and whether they're production or test;
2) whether the tenant IDs match active tenants and their environment type;
3) whether the systems hosting these identifiers are production or test infrastructure;
4) whether these accounts or tenants have access to sensitive data.

So far, we have received an answer from one of our customers confirming the following:

1. The users provided to them from the sample exist.
2. At the moment, they can't verify that the tenant ID matches, but they are looking into it.
3. The users found in the sample are actively hosting data.
4. Several of the users have access to sensitive data (!!!), likely disproving the test-environment assumption.

Edit: A second customer confirmed the data is real; in his case it is old, but it is for prod.

Edit 2: A third customer confirmed the users and tenant IDs match, and that they are for a prod environment.

Additionally, Rose is claiming they used the same RCE reported in CloudSEK's report. Stay tuned for more, but it's shaping up to be bad. Oracle, please provide more information or begin remediating this.
Are you Rose87168, or working with them? You seem to be spending a lot of time and effort trying to validate debunked information. The campaign failed.
Here, let me expedite the transition. These are the Oracle Cloud IPs. Some are offensive.
So, if the data is legit, Oracle is either lying or admitting a security failure. I wonder how their stock will react to this.
Alon Gal, I saw an article saying only the US2 and EM2 data centers were potentially impacted. Were your customers in those data centers?
Endless breaches!
Thanks for the update. The threat actor did initially indicate that it would be possible to decrypt the secrets, but the samples provided by the threat actor only show evidence of hashed secrets. In the additional evidence shared with you, is there anything that supports the claim that it would be possible to decrypt the data to obtain clear-text secrets, or is it only hashed values? In the samples shared with you, are there any indications of the hashing method in the userpassword attribute?
Everyone is claiming something; this is looking like a news reporting channel now. Who is going to break the breaking news?
Hi Alon Gal. "Old" production data, as in 2019-era?