The Cybersecurity and Infrastructure Security Agency (CISA) has warned about the heightened cybersecurity risks stemming from the alleged Oracle Cloud credential leak, which reportedly affected over 140,000 tenants.
“CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment,” the agency stated.
While acknowledging that “the scope and impact remains unconfirmed,” CISA warned that the alleged Oracle Cloud credential leak poses potential risks to organizations and individual users.
The agency explained that the risk was greatest where credentials have been exposed, reused across systems, or embedded into scripts, templates, applications, or automation tools.
Warning stemmed from claims of Oracle Cloud credential leak
CISA’s warning follows a confirmed report that a threat actor had stolen and leaked credentials from Oracle’s “two obsolete servers.”
The confirmation follows a bold claim by a threat actor on the underground hacking forum BreachForums that they had breached Oracle systems and stolen 6 million data records. The attacker offered the stash for sale and attempted to extort the company.
However, the Austin, Texas tech giant denied that Oracle Cloud Infrastructure (OCI), its premier cloud solution, had suffered a data breach. It also denied that the alleged Oracle Cloud credential leak had affected customer data or services. Oracle also refuted any claims that the alleged breach allowed the hacker to access usable passwords, as they were either encrypted or hashed.
“A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data,” the company said in data notification letters sent to customers.
CloudSek reported that the threat actor was offering an incentive to anyone capable of assisting them to decrypt SSO passwords and crack LDAP passwords. They also reportedly attempted to extort individual customers to have their data removed.
CloudSek also estimated that the alleged Oracle Cloud credential leak affected 140,000 tenants across various industries and suggested it stemmed from an undisclosed vulnerability.
CISA: Oracle Cloud credential leak poses significant risks
Meanwhile, CISA believes the potential Oracle Cloud credential leak could have dire ramifications for enterprise organizations and individual users.
“The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments,” CISA stated.
The agency warned that threat actors regularly harvest and weaponize credentials to escalate privileges and move laterally across networks, compromise cloud identity management systems, carry out phishing and business email compromise campaigns, and resell the stolen credentials on cybercrime forums.
CISA also warned that, when leaked, embedded credentials are particularly problematic as they could grant threat actors long-term access to compromised systems.
“Software engineers often embed authentication credentials or scripts for convenience when applications are being tested before production,” noted Jim Routh, Chief Trust Officer at Saviynt. “However, engineers often neglect to remove the embedded credentials once the code is put into production. This creates a vulnerability that threat actors actively exploit, giving them access to the application where they may escalate privileges, obtaining access to more sensitive information.”
Meanwhile, CISA advised organizations to reset enterprise users’ passwords, review resources such as templates, scripts, and configuration files for embedded credentials and replace them, monitor authentication logs for anomalies, and enforce phishing-resistant multifactor authentication (MFA).
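The review of templates, scripts and configuration files that CISA recommends is mechanical enough to script. The following is an added example, not code from the article, CISA or Oracle: a small scanner that walks file contents and flags values that look like embedded credentials, while skipping references to secret stores and obvious placeholders so the report is not drowned in noise. The detection patterns, the placeholder rules and the sample files are all constructed for illustration; the sample values are not real credentials.

```python
import os
import re
from typing import Dict, Iterator, List, NamedTuple

# Added example: scanner for credentials embedded in scripts, templates and
# configuration files. Patterns and sample inputs are constructed, not from the article.


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    hint: str  # redacted prefix of the matched value; the full secret is never reported


# Most specific patterns first; the first pattern that matches a line wins.
PATTERNS = [
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
    ("url_basic_auth", re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.I)),
    # key = value / key: value where the key name suggests a secret
    ("assignment", re.compile(
        r"""[A-Za-z0-9_.-]*(?:password|passwd|secret|token|api[_-]?key|access[_-]?key)"""
        r"""[A-Za-z0-9_.-]*\s*[=:]\s*["']?([^\s"'#]+)""", re.I)),
]

# Values that reference an environment variable, a templating engine or a
# documentation placeholder are not secrets and should not be reported.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\}|<.*>|changeme|todo|xxx+|none|null)$", re.I)


def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDER.match(value))


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file, never the whole secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if kind == "assignment" and is_placeholder(value):
                continue
            findings.append(Finding(path, line_no, kind, redact(value)))
            break  # one finding per line is enough to trigger a rotation
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> Iterator[Finding]:
    """Walk a directory and scan every readable file under it (skips very large files)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > max_bytes:
                    continue
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    yield from scan_text(full, fh.read())
            except OSError:
                continue


# Constructed sample files standing in for a repository; none of these values are real.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "# constructed sample, not real credentials\n"
        'export DB_PASSWORD="Tr0ub4dor&3"\n'
        "curl https://deploy:s3cr3t@registry.example.com/v2/\n"
    ),
    "main.tf": (
        'variable "region" { default = "us-phoenix-1" }\n'
        'provider "oci" {\n'
        "  tenancy_ocid = var.tenancy\n"
        '  private_key_path = "~/.oci/key.pem"\n'
        "}\n"
    ),
    "app.yaml": (
        "api_key: ${API_KEY}\n"
        "session_token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.abcdefghijklmnop\n"
    ),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed...\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.hint})")
```

Run against the samples, the scanner flags the exported database password, the password in the registry URL, the session token and the private key block, and stays silent on `${API_KEY}` and on the path to a key file. Every hit should be treated as already disclosed: the credential is rotated at its source and replaced in the file by a secret-store reference, not merely deleted, because removing it from the current revision does not remove it from version history or from any copy that has already been leaked.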
For individual users, CISA recommended updating passwords, including those reused across services, using strong and unique passwords, enabling phishing-resistant MFA, and remaining vigilant for phishing attempts.
So far, the full impact of the alleged Oracle Cloud credential leak remains undetermined, as the tech giant has yet to issue a comprehensive report. The company continues to face backlash for its handling of the alleged credential leak.

