Australian companies have been urged to review their security after a hacker claimed to have stolen droves of important credentials from popular cloud company Oracle, despite the company staunchly denying any data has been breached.
On a popular hacking forum, user ‘rose87168’ (Rose) declared the alleged theft of some six million security credentials across 140,000 companies using Oracle Cloud, potentially marking the biggest supply chain hack of the year.
In addition to providing samples of the allegedly stolen data, the hacker shared a list of victims which contained over 1,600 Australian domain names, including Telstra, Optus, NBN Co, Westpac, Sportsbet, Australian Securities Exchange (ASX), Coles, Woolworths, Carsales.com.au, Kogan, BigPond, Wilson Parking, Bunnings, Origin Energy, Blackmores, Red Balloon, Yahoo Australia, Qantas, NAB, Choice, Kmart, Deloitte, MyNRMA, HSBC Australia, The Star, Dymocks, Suncorp, Boral, and EnergyAustralia.
Oracle has meanwhile refuted the incident, with a spokesperson stating there has been “no breach of Oracle Cloud” whatsoever.
"The published credentials are not for the Oracle Cloud,” a spokesperson said in a widely shared statement.
“No Oracle Cloud customers experienced a breach or lost any data."
At the time of writing, Rose is attempting to sell the allegedly stolen data as a complete bundle, all-the-while coercing companies into paying for their data to be removed from the set.
The hacker meanwhile exclusively told Information Age two companies had already paid a removal fee.
Experts warn of “mass data exposure”
Despite Oracle refuting the breach, cybersecurity outfit CloudSek found the hacker may have exploited a known vulnerability in an Oracle access management tool.
CloudSek arrived at this conclusion after reviewing a text file Rose claimed to have somehow created on an Oracle Cloud login server, specifically login.us2.oraclecloud.com.
Rosie's alleged proof of the breach. Photo: Wayback Machine
With the hacker boasting this text file as ‘proof’ of their hack, CloudSek used a snapshot from the Internet Archive’s Wayback Machine to determine the Oracle server was at the time running application platform Oracle Fusion Middleware 11G.
CloudSek ultimately found a critical vulnerability in Fusion Middleware's Oracle Access Manager – tracked as CVE-2021-35587 – may have been exploited due to a “lack of patch management practices” and/or “insecure coding”.
“Successful attacks of this vulnerability can result in takeover of Oracle Access Manager,” CloudSek wrote.
“This aligns with the samples that were leaked on [the hacking forum] too.”
The company later found login.us2.oraclecloud.com was indeed being used in production environments, while Rose told Information Age their methods matched CloudSek’s description.
“We believe there was a lack of judgment at the end of Oracle,” wrote CloudSek.
If their investigation was accurate, CloudSek explained the alleged hack threatened “mass data exposure” and increased “risks of unauthorised access and corporate espionage”.
Jamieson O’Reilly, founder of Australian information security company Dvuln, agreed CVE-2021-35587 could present a realistic attack vector.
“That snapshot shows an Oracle Fusion Middleware 11G login interface, which is known to be affected by CVE-2021-35587,” said O’Reilly.
“If that endpoint was publicly accessible and unpatched, it would be a plausible access vector.”
CloudSek is currently hosting a free tool to check if your organisation was on Rose’s list of alleged victims.
Australian businesses taking precautions
O’Reilly said the hacker’s data samples appeared “technically legitimate” in their structure and urged Oracle clients to take action.
“If this data is authentic and current, it may suggest significant exposure across Australian enterprises – including entities in finance, retail, healthcare, and critical infrastructure,” he said.
“Without technical confirmation from Oracle, it would be premature to state definitively whether Oracle’s core infrastructure was compromised but based on the structure and content of the leak, this incident warrants urgent review by all Oracle Cloud tenants.”
While analysts spent the weekend trying to make sense of Rose’s claims, Australian tech workers were scrambling to protect their companies’ systems.
Information Age has confirmed critical infrastructure providers Optus and NBN Co acted on the alleged Oracle breach, while the Australian Financial Review found a number of organisations named by Rose were changing company credentials and taking other mitigative actions as early as Sunday.
“NBN Co is aware of reports of an alleged breach of Oracle Cloud systems,” an NBN Co spokesperson said.
“We are continuing to monitor this situation closely.”
An Optus spokesperson added that in "an abundance of caution", the company has "taken additional steps to ensure our systems are and remain secure".
For organisations that appeared on the victim list, O’Reilly said “assume potential exposure and move quickly to validate”.
He said if users have been found to interact with the allegedly compromised endpoint (login.us2.oraclecloud.com), or similar subdomains, organisations should “rotate credentials for affected identities”, reissue and rebind authentication certificates and “cross-reference the leaked sample data with internal UID/email structures to detect potential overlaps”, among other steps.
“Regardless of findings, consider enforcing MFA on all cloud-facing identity providers,” he said.
Oracle quiet as 10,000 record sample leaks
On Monday, security analysts and fellow hacking forum members were expressing doubt over the proclaimed Oracle hack.
Despite announcing a breach Thursday, Rose had neglected to provide more than a limited data sample.
Furthermore, O’Reilly found most of the ‘leaked’ user records had timestamps from 2022, suggesting the data may have been sourced from legacy backups or dormant infrastructure rather than an active, real-time breach.
On Tuesday morning, however, Alon Gal, co-founder of cybersecurity intelligence company Hudson Rock, was reportedly given a further 10,000 record sample by Rose.
“I’m actively working to validate the claims,” said Gal.
“Initial feedback from customers [has been] received, likely confirming the breach.”
After checking the sample with some of his affected clients, one of Gal’s customers confirmed “the users provided to them from the sample exist” and several of them had “access to sensitive data”, while a second client affirmed the data – though in his case old – was real.
“It's shaping up to be bad,” said Gal.
“Oracle, please provide more information or begin remediating this.”
Oracle has been contacted for comment but did not respond prior to publication.
