Kevin Beaumont:
Somebody is claiming to have exfiltrated 6 million lines of data from Oracle Cloud's SSO and LDAP, including JKS files, encrypted SSO passwords, key files and Enterprise Manager JPS keys, from servers on login.*.oraclecloud.com
The poster has no prior reputation; it is unclear whether they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. breachforums.st/Thread-SELLING…
Lawrence Abrams (in reply to Kevin Beaumont):
And we were told that they were running a vulnerable version with a public CVE that does not have a public PoC exploit.
I could not verify that though.
Dave 🐶 (in reply to Kevin Beaumont):
In fairness to Oracle, the whole OCI offering feels like a poorly cobbled-together attempt to replicate AWS and grab a few customers that are suckers enough to decide to actually use Oracle as a cloud platform. No one in their right mind would willingly use it and assume it to be a good (and secure) offering.
How do I know...? Who has to use it?
Pierre (in reply to Kevin Beaumont):
The XML config file in the screenshot is the oam-config.xml, or a backup of one, for an Oracle Access Manager deployment.
It's strange that the configuration shows SIMPLE mode. Those certificates expired early last year and should no longer work. Customers were advised to change to OPEN or CERT mode, as SIMPLE was being EOLd.