Securing data in the cloud: Lessons from the Oracle legacy breach

Understanding the Oracle cloud breaches

Austin-based Oracle Corporation was reported to have suffered two data breaches in 2025.

One of them allegedly occurred in early 2025, when a threat actor using the alias rose87168 claimed to have broken into a legacy Oracle Cloud Classic environment. Oracle initially denied that any breach had occurred, as several news organizations reported.

According to the threat actor, the intrusion began with the compromise of an unpatched Oracle Cloud Classic server, part of Oracle's Gen1 infrastructure. In an email exchange with BleepingComputer, the attacker said they used "a public CVE (flaw) that does not currently have a public PoC or exploit."

Timeline of alleged events

  • January 2025: A threat actor exploited an older Oracle Cloud Classic server that hosted an identity management database. The attacker installed a web shell and malware, gaining persistent access and exfiltrating data, according to BleepingComputer.
  • February 2025: Oracle identified suspicious activity and began an internal investigation. One of the affected subdomains, login.us2.oraclecloud.com, was taken offline.
  • March 2025: The threat actor posted portions of the stolen data on BreachForums and issued a ransom demand, accepting either payment or zero-day exploits in exchange for not releasing more. Data samples were shared with researchers to support the claims.
  • April 2025: The Cybersecurity and Infrastructure Security Agency (CISA) released guidance warning of credential risks from the potential compromise. CISA advised organizations to reset credentials, monitor authentication logs for anomalous activity and adopt phishing-resistant multifactor authentication.

Despite Oracle's substantial cloud presence, the alleged use of an unpatched legacy server that had not been updated in more than a decade raised concerns about the risks of technical debt in cloud environments. For example, eSecurity Planet noted that the vulnerable endpoint was last updated on September 27, 2014, and was still serving traffic as recently as February 2025. A publicly reachable identity service that has gone ten years without updates carries, by definition, every vulnerability disclosed for its software stack in that period, whether or not a public exploit exists for any of them.

What was reportedly stolen

The threat actor claims to have exfiltrated more than 6 million records from Oracle Cloud’s SSO and LDAP systems, and Bloomberg News reported the compromised data included usernames, passkeys and encrypted passwords.

  • Encrypted SSO credentials and LDAP data: email addresses, usernames and hashed passwords. Hashing or encryption is not the same as safety. Hashed passwords can be cracked offline against a wordlist with no lockouts and no logs on the victim side, and encrypted values can be recovered outright if the keys that protect them were taken alongside them. That is why a reset is the only reliable response once a dump is out.
  • JKS files: Java KeyStore files, which hold TLS certificates and, typically, the private keys that go with them. A stolen keystore whose password is weak or also leaked lets an attacker impersonate the services those certificates identify until they are revoked and reissued.
  • JPS files: Configuration files used by Oracle Enterprise Manager to define access control and encryption policies through the Java Platform Security (JPS) framework.
  • Enterprise Manager JPS keys: the key material those policies rely on for access control and encryption in Oracle Enterprise Manager. Whoever holds the keys can decrypt whatever they protect, so their exposure multiplies the value of the other files.
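To make the point about hashed credentials concrete, the following Python example, written for this page and not taken from any of the reports cited, runs an offline dictionary attack against a constructed directory dump. The page does not say which hashing scheme the stolen LDAP data used; the OpenLDAP-style {SSHA} scheme (salted SHA-1) is assumed here because it is common in LDAP directories. The distinguished names, passwords and wordlist are made up.

```python
import base64
import hashlib
import os
from typing import Dict, Iterable, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password the way OpenLDAP's {SSHA} scheme does: base64(sha1(pw || salt) || salt).

    The scheme is an assumption for this example; the page does not name Oracle's format.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check one candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes; the rest is the salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def crack(entries: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack: map each DN to its password when the password is in the wordlist.

    Nothing touches the victim directory, so there are no lockouts and no authentication logs.
    """
    words = list(wordlist)
    recovered = {}
    for dn, stored in entries.items():
        for candidate in words:
            if ssha_verify(candidate, stored):
                recovered[dn] = candidate
                break
    return recovered


# Constructed directory dump and wordlist (not data from the breach). Fixed salts keep the run
# reproducible; real directories use random salts, which changes nothing about the attack.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": ssha_hash("Summer2024!", b"\x01\x02\x03\x04"),
    "uid=bob,ou=people,dc=example,dc=com": ssha_hash("correct horse battery staple", b"\x05\x06\x07\x08"),
    "uid=svc-em,ou=service,dc=example,dc=com": ssha_hash("Welcome1", b"\x09\x0a\x0b\x0c"),
}
SAMPLE_WORDLIST = ["password", "Welcome1", "Summer2024!", "Oracle123"]

if __name__ == "__main__":
    for dn, password in crack(SAMPLE_ENTRIES, SAMPLE_WORDLIST).items():
        print(f"{dn}: {password}")
```

The salt defeats precomputed tables but not guessing: each guess costs one SHA-1, so the only limit is the attacker's hardware. Slow, memory-hard hashes (bcrypt, scrypt, Argon2) raise that cost per guess, but once a dump is in circulation the reliable defense is the credential reset CISA advised, followed by phishing-resistant MFA so a recovered password is not enough on its own.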

The lack of interest from dark web buyers and Oracle's limited transparency have split opinion in the security community about the dataset's significance. Even so, Florida resident Michael Toikach on March 31 filed a class action lawsuit in U.S. District Court for the Western District of Texas accusing Oracle of failing to adequately secure sensitive customer data and of not providing timely notification to affected individuals.

Regardless of the breach’s full scope, the incident illustrates how important it is for companies to protect data both new and old.

Questions to ask when selecting a cloud provider

When choosing a cloud provider, it's critical to evaluate the strength and reliability of their cybersecurity stack. In light of relentless and advanced threats, the provider should follow Zero Trust principles—built on a deny-by-default, allow-by-exception model.

To strengthen your security posture, look for application control that is practical to implement and manage. It should make it easy to block unapproved software and to contain approved applications so they cannot be abused once running. Also assess how the provider limits its attack surface, in particular through strict controls on administrative privileges.

How ThreatLocker solutions could prevent such attacks

ThreatLocker Application Control combines several ThreatLocker solutions to govern which software runs in an environment and what that software may do.

Application Allowlisting

One of those solutions, Application Allowlisting, is a deny-by-default control that keeps application control simple and fast. Only software that has been explicitly approved runs; everything else, ransomware included, is blocked.

Ringfencing

Building on this, Ringfencing adds a further layer by controlling what permitted applications may do once they are running. It limits an application's ability to interact with other applications, files, data or the internet, confining each application to its intended boundaries.

Ringfencing is crucial for defending against fileless malware and "living off the land" attacks, which abuse native tools and trusted applications for malicious ends. ThreatLocker is the only company offering this solution.

Elevation Control and Application Control

Finally, Elevation Control integrates with Application Control to manage application privileges. It lets users run specific approved applications as local administrator without holding local administrator rights themselves, which is useful for installations and updates. Because no standing admin rights are handed out, stolen user credentials give an attacker far less to exploit.

Users can run an application with elevated rights, and administrators can set time-based policies that withdraw the elevation once it is no longer needed, returning the application to regular privileges.

Against an intrusion like this one, the three controls work at different points. Application Allowlisting blocks the dropped malware outright, since nothing that has not been approved executes. A web shell is different: it runs inside an already approved process, the exploited server application itself, so allowlisting alone does not stop it. That is where Ringfencing applies. It can deny the server process the ability to spawn a shell, read the identity store, write into its own web root or connect to arbitrary external hosts, which cuts off persistence and exfiltration. Elevation Control limits which applications may run as local administrator, so code that does gain a foothold is confined to the privileges of an ordinary user or service account.
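As an added illustration of how deny-by-default allowlisting and ringfencing cut different steps of an intrusion like the one described, here is a small policy evaluator in Python run over a constructed event stream. It is generic example code written for this page, not ThreatLocker's policy format or engine; the executable paths, the rule shapes and the events are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class Ringfence:
    """What one approved executable may do once it is running. Empty sets mean 'nothing'."""
    may_spawn: Set[str] = field(default_factory=set)    # executables it may launch
    may_read: Set[str] = field(default_factory=set)     # path prefixes it may read
    may_write: Set[str] = field(default_factory=set)    # path prefixes it may write
    may_connect: Set[str] = field(default_factory=set)  # CIDR ranges it may reach


@dataclass
class Policy:
    allowlist: Set[str]             # executables permitted to run at all
    fences: Dict[str, Ringfence]    # per-executable boundaries

    def decide(self, event: dict) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one event of the form
        {"kind": "exec"|"read"|"write"|"connect", "actor": <running executable>, "target": ...}."""
        actor, kind, target = event["actor"], event["kind"], event["target"]

        # Allowlisting: if the acting process was never approved, nothing it does is allowed.
        if actor not in self.allowlist:
            return "deny", f"{actor} is not on the allowlist"

        # Ringfencing: an approved process still gets only its declared boundaries.
        fence = self.fences.get(actor, Ringfence())

        if kind == "exec":
            if target not in self.allowlist:
                return "deny", f"{target} is not on the allowlist"
            if target not in fence.may_spawn:
                return "deny", f"{actor} is fenced from launching {target}"
            return "allow", f"{actor} may launch {target}"

        if kind in ("read", "write"):
            prefixes = fence.may_read if kind == "read" else fence.may_write
            verb = "reading" if kind == "read" else "writing"
            if any(target.startswith(p) for p in prefixes):
                return "allow", f"{actor} may {kind} under an approved path"
            return "deny", f"{actor} is fenced from {verb} {target}"

        if kind == "connect":
            addr = ip_address(target)
            if any(addr in ip_network(net) for net in fence.may_connect):
                return "allow", f"{actor} may reach {target}"
            return "deny", f"{actor} is fenced from reaching {target}"

        return "deny", f"unknown event kind {kind!r}"  # deny-by-default covers the unexpected too


def evaluate(policy: Policy, events: List[dict]) -> List[Tuple[str, str]]:
    return [policy.decide(e) for e in events]


# Constructed policy for a host running a Java-based web application in front of an LDAP
# directory. /bin/sh is approved for administrators, but the app server is fenced away from it.
SAMPLE_POLICY = Policy(
    allowlist={"/usr/bin/java", "/usr/sbin/slapd", "/bin/sh"},
    fences={
        "/usr/bin/java": Ringfence(
            may_read={"/opt/app/"},
            may_write={"/opt/app/logs/"},
            may_connect={"10.0.0.0/8"},     # internal directory and database only
        ),
    },
)

# Constructed event stream modelled on the sequence the page describes (not real telemetry):
# the exploited server process drops a web shell, tries to spawn a shell and its malware,
# reads the identity store and connects out to an attacker-controlled address.
SAMPLE_EVENTS = [
    {"kind": "write",   "actor": "/usr/bin/java", "target": "/opt/app/webapps/cmd.jsp"},  # web shell drop
    {"kind": "exec",    "actor": "/usr/bin/java", "target": "/bin/sh"},                   # command execution
    {"kind": "exec",    "actor": "/usr/bin/java", "target": "/tmp/.cache/agent"},         # dropped malware
    {"kind": "read",    "actor": "/usr/bin/java", "target": "/var/lib/ldap/data.mdb"},    # identity store
    {"kind": "connect", "actor": "/usr/bin/java", "target": "203.0.113.7"},               # exfiltration
    {"kind": "read",    "actor": "/usr/bin/java", "target": "/opt/app/conf/server.xml"},  # legitimate work
    {"kind": "connect", "actor": "/usr/bin/java", "target": "10.1.2.3"},                  # legitimate LDAP query
]

if __name__ == "__main__":
    for event, (verdict, reason) in zip(SAMPLE_EVENTS, evaluate(SAMPLE_POLICY, SAMPLE_EVENTS)):
        print(f"{verdict:5} {event['kind']:7} {event['target']:28} {reason}")
```

Note which rule catches which step: the dropped binary fails the allowlist check, while the web shell's write, the shell spawn, the read of the identity store and the outbound connection are all denied by the fence on a process that is itself fully approved. The two legitimate events pass, which is the point of fencing rather than blocking the server outright.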

By controlling what runs, dictating how allowed applications behave, and tightly managing necessary administrative privileges, Application Control is a powerful and comprehensive tool for enhanced organizational security.

To learn more, book a demo or request more information.

Request your 30-day trial to the entire ThreatLocker platform today.
