CISA has issued “guidance” on credential risks associated with a “potential legacy Oracle cloud compromise”, even as the database giant remains stubbornly schtum about any alleged breach of its systems.
The US gov cyber arm said it was “aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment.”
While the “scope and impact remains unconfirmed”, the agency continued, the “nature of the reported activity” presents potential risk, particularly that credential material may be exploited.
If that all sounds somewhat vague, that could be because Oracle has been extremely tight-lipped since reports first emerged last month that a hacker had breached its systems and helped themselves to six million customer records.
The database and cloud operator has publicly insisted that its Oracle Cloud Infrastructure has not been breached.
At the same time, it has reportedly written to customers explaining that, yes, “two obsolete servers that were not part of OCI” had been accessed by a hacker but the hacker had not exposed passwords or been able to access customer environments or data. Customers with “questions” were advised to contact Oracle Support or their account manager.
Which might be reassuring if it wasn’t for the widespread reports from security researchers that the data includes a range of credentials including encrypted SSO passwords, key files, and enterprise manager JPS keys. And that the attacker was soliciting assistance in decrypting or cracking the passwords. Over 140 tenants are affected.
And, of course, if it weren’t the case that, in addition to OCI, Oracle offers Cloud Classic. It also offers Oracle Health – itself reportedly the victim of a breach.
The agency recommends a range of standard actions for worried customers, including resetting passwords, reviewing source code, templates, scripts and configuration files for embedded credentials, and replacing them. It also recommends monitoring authentication logs for anomalous activity and enforcing MFA.
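One way to carry out the review of source, scripts and configuration files for embedded credentials that CISA recommends, as an added Python example that is not part of the article or of any CISA or Oracle tooling; the detection patterns and the sample files are constructed for illustration and the hits are masked so the scan output does not re-expose the secret:

```python
import re
from typing import Dict, List

# Illustrative patterns for credential material that ends up embedded in
# source, templates, scripts and config files. These are an assumption for
# this example, not a list published by CISA or Oracle.
PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]{4,})"),
    # user/password@host form used by sqlplus and JDBC thin connect strings
    "connect_string_with_password": re.compile(r"\b[A-Za-z0-9_]+/([^@\s]+)@"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def mask(secret: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the value."""
    if len(secret) <= 3:
        return "*" * len(secret)
    return secret[:3] + "*" * (len(secret) - 3)


def scan_text(filename: str, text: str) -> List[dict]:
    """Return one finding per (line, pattern) hit; the matched secret is masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group(1) if pattern.groups else ""
                findings.append({"file": filename, "line": lineno,
                                 "type": label, "masked": mask(secret)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of filename -> contents (e.g. read from a repo checkout)."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample files; every value below is made up for this example.
SAMPLE_FILES = {
    "db.properties": "db.url=jdbc:oracle:thin:@dbhost:1521/orcl\ndb.user=app\ndb.password=Sup3rSecret!\n",
    "migrate.sh": "#!/bin/sh\nsqlplus app/hunter2@dbhost:1521/orcl @migrate.sql\n",
    "wallet.tmpl": "# key material pasted into a template\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set DB_PASSWORD in the vault; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['type']} {f['masked']}")
```

Each finding is a credential that should be rotated and moved out of the file, which is the “replacing them” step in the advisory; the masked prefix is enough to match the hit to the rotated secret.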
If CISA’s advisory was less pointed than usual, that could be because it has had its hands full this week, after it emerged that funding for the CVE programme – critical to the global cyber community – was due to expire, putting the programme’s future in doubt.
However, by the end of yesterday, CISA confirmed to the Stack that funding had been renewed. Albeit for just 11 months.