This comes after a threat actor (known as rose87168) put up for sale 6 million data records on BreachForums on March 20 and released multiple text files containing a sample database, LDAP information, and a list of the companies as proof that the data was legitimate, all of them allegedly stolen from Oracle Cloud's federated SSO login servers. Cybersecurity firm CybelAngel first revealed that Oracle told clients that an attacker who gained access to the company's Gen 1 (also known as Oracle Cloud Classic) servers as early as January 2025 used a 2020 Java exploit to deploy a web shell and additional malware. However, while Oracle told clients this is old legacy data that is not sensitive, the threat actor behind the attack has shared data with BleepingComputer from the end of 2024 and posted newer records from 2025 on a hacking forum. Even though the company has not publicly disclosed this incident, BleepingComputer confirmed that patient data was stolen in the attack, as confirmed by private communications between Oracle Health and impacted customers and from conversations with those involved. Oracle Health said it detected the breach of legacy Cerner data migration servers on February 20, 2025, and that the attackers used compromised customer credentials to hack into the servers sometime after January 22, 2025. When asked to confirm the authenticity of the leaked data, Oracle told BleepingComputer that "There has been no breach of Oracle Cloud. This is admittedly true since it aligns with the reports that Oracle is telling customers that the breach impacted an older platform known as Oracle Cloud Classic. During the breach, detected in late February, the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames. Last week, Oracle also notified customers of a breach at the software-as-a-service (SaaS) company Oracle Health(formerly Cerner), impacting multiple U.S. healthcare organizations and hospitals. However, days later, BleepingComputer confirmed with multiple companies that additional samples of the leaked data (including associated LDAP display names, email addresses, given names, and other identifying information) received from the threat actor were valid. Oracle denied this even after an archived URL showed that the threat actor uploaded a file containing their email address to one of Oracle's servers. Oracle has consistently denied reports of a breach in Oracle Cloud in statements shared with the press since the incident surfaced. An Oracle spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details on the Oracle Cloud breach. Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a "legacy environment" last used in 2017, Bloomberg reported. BleepingComputer has contacted Oracle Health multiple times about this incident since March 4, but we have not received a reply. Oracle Classic has the security incident," cybersecurity expert Kevin Beaumont confirmed on Monday.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 03 Apr 2025 15:30:11 +0000