
Oracle denies cloud breach

25 March 2025


However, not many are buying it

Oracle is doing its best impression of a brick wall after a hacker going by “rose87168” claimed to have waltzed through their cloud infrastructure and walked off with six million records.

The cyber heist included Java KeyStore files, encrypted SSO passwords, and keys that could unlock doors in Oracle’s Fusion Middleware. Oracle denies everything—despite compelling evidence and a very awkward .txt file uploaded to an Oracle login subdomain.

The breach allegedly hit login.us2.oraclecloud.com, a subdomain that has since conveniently gone offline. Screenshots and Wayback Machine captures suggest it was running a creaky old Oracle Fusion Middleware 11g setup that hadn’t been touched since the tail end of the Obama administration.

Cybersecurity firm CloudSEK is pointing fingers at CVE-2021-35587—an unauthenticated remote code execution flaw in Oracle Access Manager, part of Fusion Middleware—as the likely entry point. You’d think something slapped into the CISA KEV catalogue in 2022 might have been patched by now, but Oracle seems to prefer its software aged like fine milk.

Meanwhile, over 140,000 cloud tenants are being shaken down by the cyber extortionist, who’s offering to remove their data from the dark web—for a price.

CloudSEK assessed the breach as authentic with medium confidence and rated its severity high. It has even built a tool to help victims figure out whether their credentials have been tossed into the digital wild.

Oracle’s public relations department, however, is clinging to the “nothing to see here” narrative, much to the confusion of experts. Jake Williams, a man who knows his way around a compromise, asked the million-dollar question: “How did a threat actor upload a file to an Oracle login server if nothing happened?” So far, crickets.

Chad Cragle, CISO at Deepwatch, says Williams raises a critical point. “If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain? This indicates unauthorized access, even if it wasn’t a full-scale compromise. Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, they must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down.” 

Cragle also notes that taking down the subdomain screams “cover-up” more than “precaution.”

Fenix24 CISO Heath Renfrow said that the presence of a threat-actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning.

“This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk.” 

Apono CEO Rom Carmel said: “By compromising what appears to be a significant number of keys and credentials, the attackers can potentially gain unauthorized access to many more systems and data.

“This incident raises important questions about whether access to the server containing such sensitive resources was properly restricted—not just who had access, but also when that access was permitted. It also calls into question whether the affected resources had adequate access controls in place to enforce least privilege and limit access to defined, secure time windows,” Carmel said.  
