The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is advising security professionals to tighten security on their Oracle Cloud deployments following multiple claims of a data breach on the platform.

In an advisory posted April 16, the Department of Homeland Security’s cybersecurity organization cautioned organizations that, though it has yet to be officially confirmed by the vendor, there are strong indications that one or more legacy deployments of the Oracle Cloud platform were compromised and, as a result, they should take precautions to prevent downstream attacks.

“While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools),” CISA said in its advisory. “When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed.”

The guidance from CISA followed multiple reports and claims that at least one Oracle Cloud instance was breached by threat actors. A hacker publicly claimed to have broken into an Oracle server and plundered some 6 million user account credentials, a claim that was denied at the time.

The plot thickened when a second report surfaced claiming that, despite its public denials, Oracle was informing some of its customers that a possible data breach of Oracle Cloud had occurred, though neither the affected version nor the scope was specified. This was later backed up by additional reports that the threat actor involved in the attack was advertising about 10,000 compromised credentials for sale on the dark web.

The situation is further muddied by Oracle’s ongoing silence and its refusal to provide details as to what may or may not have been compromised. Oracle did not respond to a request for comment from SC Media, though the company previously denied that it suffered a breach of its cloud platform.

As with others, CISA was hesitant to declare the breach a verified occurrence. Rather, the agency refers to the incident as a “potential unauthorized access to a legacy Oracle cloud environment.”

Regardless of the vocabulary, the CISA advisory recommended that federal agencies and government contract partners take some basic steps to defend themselves against possible follow-up attacks. Resetting passwords, checking logs, and enforcing MFA requirements for all user accounts with access to Oracle Cloud were among the recommendations. Additionally, the agency is recommending that organizations review their source code and cloud configurations to spot any weak points that would allow an attacker entry.
Secure legacy Oracle cloud credentials amid leak reports, CISA warns
