Free Trial
Dark Web Report
SOCRadar® Cyber Intelligence Inc. | Everything You Need to Know About Oracle Cloud Security Incident by rose87168
Moon
Home

Resources

Blog
Mar 25, 2025
13 Mins Read

Everything You Need to Know About Oracle Cloud Security Incident by rose87168

[Update] April 2, 2025: “What are the Recent Developments?”

[Update] April 9, 2025: “Oracle has reportedly begun notifying affected customers

rose87168 is the alias of a hacker who claims to have breached Oracle Cloud, allegedly stealing around 6 million sensitive records, including encrypted passwords, key files, and authentication data. The hacker has been active since at least January 2025, selling the data on forums like BreachForums and attempting extortion against affected organizations. Despite Oracle’s denial of the breach, evidence from “rose87168” suggests a significant compromise. The breach is believed to have impacted over 140,000 Oracle Cloud tenants globally.

Threat actor’s BreachForums’ profile

Threat actor’s BreachForums’ profile

1. Who is “rose87168”?

rose87168” is the alias of a threat actor who claims to have breached Oracle Cloud, stealing approximately 6 million records. The hacker has been active since at least January 2025 and is selling the data on dark web forums like BreachForums, while also engaging in extortion attempts against affected organizations.

X (previously Twitter) account of the threat actor

X (previously Twitter) account of the threat actor

2. What Data did “rose87168” Allegedly Steal from Oracle Cloud?

The hacker claims to have exfiltrated 6 million records, including

  • Java KeyStore (JKS) files,
  • Encrypted Single Sign-On (SSO) passwords,
  • Encrypted Lightweight Directory Access Protocol (LDAP) passwords, key files, and
  • Enterprise Manager JPS keys.

This alleged leak data is critical for authentication and security within Oracle Cloud systems.

Threat actor’s post in BreachForums

Threat actor’s post in BreachForums

3. When did the Alleged Oracle Hack Occur?

According to “rose87168,” the breach took place approximately 40 days before March 21, 2025, when the stolen data was first advertised for sale. This places the infiltration around mid-February 2025.

Initial post of threat actor (X)

Initial post of threat actor (X)

3.1 What is the Timeline of the Incident?

  • Feb 9–15, 2025Initial Breach
    Rose87168 allegedly breaches login.us2.oraclecloud.com, exploiting a vulnerability (possibly CVE-2021-35587) in Oracle Fusion Middleware 11G. Claims to steal 6M records (JKS files, encrypted SSO/LDAP passwords, etc.) affecting 140,000+ tenants. No public evidence yet.
  • Late Feb 2025Contact with Oracle
    Rose87168 contacts Oracle, demands $200M+ (100,000 XMR) for vulnerability details. Oracle refuses, seeks full disclosure first. Negotiations fail. Text file with hacker’s ProtonMail uploaded to server (exact date unclear).
  • Mar 3, 2025Wayback Machine Capture
    Internet Archive’s Wayback Machine captures a snapshot of login.us2.oraclecloud.com, showing Rose87168’s uploaded text file with a ProtonMail address, proving some level of access.
  • Mar 21, 2025Public Disclosure on BreachForums
    Rose87168 announces the breach on BreachForums, offers 6M records for sale (price undisclosed or zero-day exploits), seeks decryption help, and offers data removal for a fee to affected companies.
  • Mar 22, 2025Oracle’s Denial
    Oracle issues a statement: “No breach of Oracle Cloud. Published credentials not for Oracle Cloud. No customer data lost.” Server login.us2.oraclecloud.com taken offline (reason unstated).
  • Mar 23–24, 2025Speculation and Investigation
    Cybersecurity outlets (e.g., The Register, BleepingComputer) report on the incident. CloudSEK speculates CVE-2021-35587 or a zero-day exploit. Reports emerge of Oracle requesting password resets from some customers.
  • Mar 25, 2025Data Sample Released & Analysis
    The threat actor “Rose87168” escalates the situation by releasing a 10,000-line sample of the allegedly stolen data. This sample is intended to substantiate their claim of exfiltrating 6 million records from Oracle Cloud’s federated Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. Situation remains unresolved.

4. How did “rose87168” Allegedly Breach Oracle Cloud?

The hacker claims to have exploited a vulnerability in Oracle Cloud’s login infrastructure, specifically targeting the endpoint login.(region-name).oraclecloud.com. Cybersecurity researchers, including CloudSEK, speculate that the breach may involve CVE-2021-35587, a known flaw in Oracle Access Manager within Oracle Fusion Middleware, though “rose87168” hints at a possibly undisclosed vulnerability.

4.1 What’s About CVE-2021-35587?

The suspected vulnerability is CVE-2021-35587, a flaw in Oracle Access Manager (OAM) within Oracle Fusion Middleware. It’s a Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8, allowing unauthenticated attackers to execute arbitrary code on affected systems. Patched in October 2021, it targets un-updated systems. “Rose87168” hinted at exploiting this or a similar undisclosed flaw in Oracle Cloud’s login infrastructure (login.(region-name).oraclecloud.com), though no definitive proof ties it to the breach.

SOCRadar’s Vulnerability Intelligence, CVE-2021-35587

SOCRadar’s Vulnerability Intelligence, CVE-2021-35587

5. Did Oracle Confirm the Hack by “rose87168”?

No, Oracle has denied the breach, stating, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” This stance contrasts with evidence presented by “rose87168” and findings from cybersecurity firms like CloudSEK.

9 April, 2025 Update: Despite initially denying the breach, Oracle has reportedly begun notifying affected customers about a data breach involving its cloud services.

The threat actor alleges the compromised database contains six million records, including private security keys, encrypted credentials, and LDAP entries—reportedly belonging to Oracle customers. To support their claims, the attacker uploaded a document to the cloud referencing their own email address, seemingly proving access to Oracle infrastructure.

Oracle later acknowledged the breach but attempted to downplay its significance. The company claimed the stolen data came from an outdated server holding information that was at least eight years old and no longer in use. However, this assertion is now under scrutiny.

6. What Evidence has “rose87168” Provided to Support the Hack Claim?

As seen above, “Rose87168” has shared sample data, including text files with database records and LDAP information, and uploaded a file containing their email address to login.us2.oraclecloud.com, archived on the Internet Archive. This action suggests some level of access, though its legitimacy remains unverified by independent sources.

Initial post in BreachForums

Initial post in BreachForums

“The threat actor has provided three sample files as proof: Sample_LDAP.txt, Company.List.txt, and Sample_Database.txt. Some sample data is as follows:”

Sample data #1

Sample data #1

Sample data #2

Sample data #2

Furthermore, The image below corroborates the claim that ‘Rose87168’ uploaded sample data, including an email address and a linked text file, to an Oracle Cloud URL. The presence of this record in the Internet Archive further indicates that, at least some part of the data was accessible by the threat actor at some point. 

Screenshot of the the text file uploaded by the threat actor on the Oracle Cloud on WayBackMachine

Screenshot of the the text file uploaded by the threat actor on the Oracle Cloud on WayBackMachine

6.1 Has the Breach Been Confirmed?

To this day threat actor continued to supply numerous sample screenshots, including the following novel sample data:

A sample data shared by rose87168 (DDW)

A sample data shared by rose87168 (DDW)

Furthermore, recent news indicate that some Oracle Cloud customers are taking independent steps to verify the breach claims made by “rose87168.” Several organizations have begun closely reviewing their security logs and access records, with some reporting anomalies such as unexpected authentication attempts and irregularities in key file activity. These early customer verifications are Indicators of Attack(IOAs), and suggest that there may be unusual activity warranting further scrutiny, even as Oracle continues to deny any breach of its systems.

7. How Many Organizations were Affected by the Alleged Hack?

The breach reportedly impacts over 140,000 Oracle Cloud tenants worldwide, spanning multiple regions and industries. These tenants are businesses or entities using Oracle Cloud services, making this a potential supply chain attack with broad implications.

7.1 How can I Check Whether Our Organization is in The List?

SOCRadar’s Threat Hunting module allows organizations to search vast digital sources, including dark web forums, to determine if their data appears in the alleged Oracle Cloud breach. Security teams can quickly query the leaked dataset to identify exposed credentials, domains, or sensitive information. Additionally, SOCRadar has already alerted all its affected users.

You can also access the Threat Hunting module using SOCRadar Free Edition to check if your organization’s data has been leaked.

Users can query the stolen dataset using keywords like company name, domains, or email addresses to identify their potential exposure

Users can query the stolen dataset using keywords like company name, domains, or email addresses to identify their potential exposure

8. What is “rose87168” doing with the Stolen Data?

The hacker is selling the 6 million records on BreachForums for an undisclosed price or in exchange for zero-day exploits. They’ve also offered affected companies the chance to pay a fee to remove their data from the leak list and are soliciting help to decrypt the stolen SSO passwords and crack LDAP hashes.

However, the threat actor corrected a claim of wanting $200 million, stating that the actual amount was $20 million (X)

However, the threat actor corrected a claim of wanting $200 million, stating that the actual amount was $20 million (X)

9. What should organizations using Oracle Cloud do in response?

Experts recommend immediate action, including:

  • Reset the Credentials: Rotate all SSO, LDAP, and related passwords, enforcing Multi-Factor Authentication (MFA).
  • Investigate: Conduct forensic checks for unauthorized access.
  • Monitor: Watch dark web forums for leaked data.
  • Collaborate: Work with Oracle’s security team to assess exposure and apply fixes. These steps are advised regardless of Oracle’s denial, given the potential risks.

SOCRadar’s Threat Actor Intelligence

SOCRadar’s Threat Actor Intelligence

10. How can I protect my Oracle Cloud environment from similar attacks?

  • Patch Systems: Ensure all Oracle Fusion Middleware instances are updated beyond October 2021 to address CVE-2021-35587.
  • Enforce MFA: Require multi-factor authentication for all Oracle Cloud logins.
  • Limit Access: Restrict login endpoints to trusted IP ranges via network policies.
  • Rotate Keys: Regularly update JKS files, SSO passwords, and LDAP credentials.
  • Monitor Logs: Set up real-time alerts for suspicious activity in Oracle Cloud Audit.

11. What are the Recent Developments?

  • Oracle Denies Two Separate Data Breaches Despite Emerging Evidence

Oracle continues to publicly deny two separate but twin data breaches despite mounting evidence. The latest breach involves Oracle Health, the company’s healthcare subsidiary, which has suffered an unauthorized data access incident. While Oracle has not officially acknowledged this breach, impacted customers have received private notifications confirming that attackers accessed legacy Cerner data migration servers.

In letters sent to affected customers, Oracle Health confirmed that the breach involved legacy Cerner data servers that had not yet been migrated to Oracle Cloud. According to reports from Bleeping Computer, Oracle Health became aware of the incident on or around February 20, 2025.

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” Oracle reportedly stated in the letters.

Although Oracle claims this incident is unrelated to last week’s alleged Oracle Cloud breach, the timing of both breaches and the use of stolen credentials in the healthcare-related attack cast doubt on their separation. The breach raises significant concerns about Oracle’s ability to safeguard sensitive personal and medical information.

  • FBI Investigation and Extortion Attempts

The FBI has launched an investigation into the Oracle Health breach, particularly regarding attempts to extort affected medical providers. According to Bloomberg, attackers stole patient data from Oracle’s systems and have since attempted to extort multiple healthcare providers across the United States. The number of impacted records and healthcare providers remains uncertain.

The breach notification letters indicate that attackers gained access through stolen customer credentials, further fueling concerns over Oracle’s security measures.

Oracle and the FBI have yet to comment publicly on the investigation.

  • Profiling the Threat Actor

While no definitive attribution has been made, cybersecurity researcher Louis Hur has provided potential insights into the identity of the actor behind the Oracle Cloud breach, known as “rose87168.” Hur’s OSINT analysis, based on deep and dark web sources, uncovered the following -not verified- details:

  • Telegram communication history, Turkic languages used
  • Affiliate or joined Telegram channels like Illegal Team(a Turkish black-hat community)
  • Avatar icons and nickname usage
  • Possible location and personal information
  • Past activity, seeking 0-click exploits in Turkish-spoken black-hat Telegram Channels

Alleged connection map shared by Louis Hur

Alleged connection map shared by Louis Hur

However, this information remains speculative, as it was sourced from dark web data, which may not be entirely reliable. The actor has reportedly used Turkish language and participated in Azerbaijani chat rooms, indicating possible regional connections.

  • Threat Actor Provides Video Proof

A video by rose87168 as part of the new evidence, shows a conversation between the hacker and an Oracle representative. Notably, the video suggests that Rose had access to an employee account from the domain ‘dmh-global.com.’ This raises serious questions about whether rose87168 successfully decrypted passwords from the compromised database, as this domain was included in the victim company list originally provided by the threat actor.