CISA Issues Threat Warning After ‘Potential’ Oracle Cloud Breach
While CISA said it has no specifics on the reported Oracle incident, the federal cybersecurity agency warned of a possibility of increased credential risks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the potential for increased security risks in response to reports of a compromise impacting Oracle Cloud customers.
Oracle has denied that its Oracle Cloud platform was breached and CISA indicated it has no details confirming recent media reports. The advisory from CISA refers only to a “potential legacy Oracle Cloud compromise.”
CRN has reached out to Oracle for comment.
Earlier this month, Bloomberg reported that Oracle had privately told customers that a threat actor had compromised a “legacy” environment, in a breach that included the theft of certain log-in credentials.
According to the report, which cited individuals familiar with the matter, the impacted environment has not been used in eight years and the affected credentials are “old.”
In late March, BleepingComputer reported on a threat actor who claimed to have stolen data from Oracle Cloud servers. Oracle repeatedly denied that a cloud incident had occurred in statements to media outlets.
“There has been no breach of Oracle Cloud (OCI). The published credentials are not for OCI. No OCI customers experienced a breach or lost any data,” an Oracle spokesperson said in a statement provided to CRN on March 27.
In its advisory Wednesday, CISA suggested it felt obligated to warn Oracle Cloud customers about potential risks even without having confirmation of the media reports.
“CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment,” the agency said in the advisory. “While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools).”
Notably, “when credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed,” CISA said.
Credentials—which can include usernames, passwords, email addresses, authentication tokens and encryption keys—can “pose significant risk to enterprise environments” when exposed, the agency added. “Threat actors routinely harvest and weaponize such credentials.”
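The advisory's point about embedded credentials being hard to discover is the kind of thing a defender checks for directly. The following is an added example, not from CISA, Oracle or the article: a small scanner that walks constructed sample files (a shell script, a Terraform-style template and a CI config) and flags credential-like variables whose value is a literal rather than a reference to a secret store; the file names, contents and pattern list are all assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample files for the example. Each embeds one credential literal
# and also contains one safe reference that the scanner should leave alone.
SAMPLES = {
    "deploy.sh": (
        'export ORACLE_DB_PASSWORD="Tr0ub4dor&3"\n'
        'export API_TOKEN="${VAULT_API_TOKEN}"\n'
    ),
    "main.tf": (
        'resource "db_instance" "app" {\n'
        '  admin_password = "Summer2024!"\n'
        '  ssh_public_key = file("~/.ssh/id_rsa.pub")\n'
        '}\n'
    ),
    "pipeline.yml": (
        'env:\n'
        '  client_secret: 8f3a1c9e2b7d4e6f0a1b2c3d4e5f6a7b\n'
        '  client_id: ${{ secrets.CLIENT_ID }}\n'
    ),
}

# A variable or key name that looks credential-bearing (assumed word list).
CRED_NAME = r'(?P<name>[A-Za-z0-9_.\-]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_.\-]*)'
# Shell "export NAME=value", HCL "name = value" and YAML "name: value" on one line.
ASSIGNMENT = re.compile(r'^\s*(?:export\s+)?' + CRED_NAME + r'\s*[=:]\s*(?P<value>.+?)\s*$', re.IGNORECASE)
# Values that point at a variable, secret store or file instead of embedding the secret.
INDIRECT = re.compile(r'^["\']?(?:\$\{|\$[A-Za-z_]|file\(|var\.|data\.)')

def find_embedded_credentials(source: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (source, line_number, variable_name) for each embedded credential literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ASSIGNMENT.match(line)
        if not match or INDIRECT.match(match.group("value")):
            continue
        # Report the location and name only; never echo the secret itself into logs.
        findings.append((source, line_no, match.group("name")))
    return findings

def scan_samples() -> List[Tuple[str, int, str]]:
    """Scan every constructed sample and return all findings in file order."""
    return [f for name, text in SAMPLES.items() for f in find_embedded_credentials(name, text)]

if __name__ == "__main__":
    for source, line_no, name in scan_samples():
        print(f"{source}:{line_no}: embedded credential in '{name}'")
```

Against the samples it reports three findings (one per file) and skips the `${...}`, `file(...)` and `secrets.` references; a real deployment would point it at a repository checkout and extend the name and indirection patterns to match local conventions.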
The early April report from Bloomberg indicated that an unspecified number of customers were notified by Oracle about the breach.
The compromise reportedly affected credential data including usernames and passkeys as well as encrypted passwords.
In addition, Bloomberg reported that a person familiar with the incident contradicted Oracle’s statement that the stolen data was from older systems, saying that Oracle log-in credentials from as recently as last year were among those affected.
The attacker also demanded an extortion payment, according to the report.
