Information security firms are taking measures to protect customers and their own networks as they wait for official guidance following claims of a massive attack against Oracle Cloud.
A threat actor last week claimed to have stolen 6 million data records, including user credentials, from Oracle Cloud, which could affect more than 140,000 customers. After initially releasing strong denials, Oracle has been silent this week, while security researchers have compiled evidence backing claims of an actual attack.
Security providers are assessing any potential impacts across their networks and advising customers to take precautionary measures until they are provided formal guidance from Oracle or official government agencies.
Rapid7 researchers are aware of the reported breach and are making high-level assessments of the potential impact across its customer base, Brian Bartholomew, director of information security at Rapid7, said via email.
Rapid7 said it maintains a very small footprint as a customer on Oracle Cloud, which is used exclusively for testing and research purposes. There is no production or customer data involved.
“At this time, there is no evidence to suggest any impact to the Rapid7 test systems on OCI,” Bartholomew said.
However, the firm is rotating credentials stored in its test and research accounts as a precautionary measure.
As previously reported, researchers at CloudSEK disclosed multiple pieces of evidence that supported the hacker’s claims. Researchers said the attacker exploited a critical vulnerability in Oracle Cloud’s login endpoint. The threat actor claimed to have exploited CVE-2021-35587, a critical vulnerability in Oracle Access Manager.
CloudSEK has also been examining a data sample provided by the threat actor to assess its authenticity.
Palo Alto Networks declined to comment on cases involving other firms but confirmed it is closely monitoring the Oracle Cloud situation.
“Given the potential impact and uncertainty of the situation, we suggest that organizations that feel they may have been impacted identify and rotate credentials for any Oracle Cloud accounts,” a Palo Alto Networks spokesperson said via email.
Orca Security said it was initially skeptical of the reported breach and has not seen any confirmation that the hacker obtained user credentials. However, the firm did not consider Oracle’s initial denials to be fully transparent.
“We still believe that the risk outweighs our skepticism and that organizations should take immediate action to rotate credentials and otherwise protect their Oracle Cloud tenants as appropriate,” Neil Carpenter, field CTO at Orca Security, said via email.
