IngressNightmare, Next.js critical, More Agents, pwned
Hi, it's ArvinF again. I wanted to add this news on the ongoing Oracle Cloud data breach from March 23-29.
Credit to the original source.
Looking through the Wayback Machine, we can see that the US2 server was as recently as February 2025 running some form of Oracle Fusion Middleware 11G.
Infosec outfit CloudSEK reckons that server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent.
Exploiting that bug – which can be done over HTTP with no authentication – would potentially give an intruder access to the very kind of information put up for sale this week. Public exploit code for the flaw exists.
On Thursday, what was claimed to be six million records of Oracle Cloud customers' Java KeyStore files, which contain security certificates and keys; encrypted Oracle Cloud SSO passwords; encrypted LDAP passwords; Enterprise Manager JPS keys; and other information stolen from the cloud provider went up for sale on BreachForums by a previously unknown netizen going by the name rose87168. The potentially affected customers are said to number in the thousands.
The price for this info has not been disclosed, as far as we can tell, and the seller is also accepting zero-day exploits as payment. It's said rose87168 contacted Oracle about a month ago to let the database giant know about the alleged data theft, wanted more than $20 million in cryptocurrency in exchange for details about the claimed heist, and was turned down.
https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/
Oracle Cloud's denial of a digital break-in is now in clear dispute. An infosec researcher working on validating claims that the cloud provider's login servers were compromised earlier this year says some customers have confirmed data allegedly stolen and leaked from the database giant is genuine.
Since Oracle rubbished reports of a security breach, rose87168, the individual who claimed responsibility for the alleged intrusion and theft of approximately six million records – customer security keys, encrypted credentials, LDAP entries, and other data – sent a 10,000-line sample of the collection to Alon Gal, co-founder and CTO at security shop Hudson Rock.
Gal said he took the sample and reached out to multiple Hudson Rock customers who appeared to be affected. Three customers have since confirmed the data handed to Gal by rose87168 from Oracle Cloud's internal systems is genuine, according to the CTO.
One customer, we're told, said its users are in the sample set, and have access to sensitive information. Another concurred, claiming the data is legitimate and from a production environment though it dates back to 2023. A third Hudson Rock customer said their users and tenant IDs match those in the sample, and that they are used in their production environment.
https://www.theregister.com/2025/03/25/oracle_breach_update/