
Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.
What has happened?
On March 27, 2025, a cyber criminal group claimed to have breached Oracle Cloud Infrastructure by exploiting a known vulnerability in Oracle Access Manager, Oracle's single sign-on and access management product. The attacker claims to have accessed sensitive data across thousands of Oracle Cloud clients, including passwords, security credentials, and other confidential information.
Oracle has denied these claims, stating that the credentials mentioned by the attacker do not belong to Oracle Cloud customers. However, multiple independent security researchers (CloudSEK, Orca) have assessed sample data provided by the cybercriminals as genuine and raised concerns that the breach might be real and that Oracle Access Manager systems may have been compromised.
What is the risk?
At this point, the full scope of the situation remains uncertain. Oracle has denied the breach, but a thorough investigation could yet substantiate the attacker's claims.
The risk stems mainly from the potential exposure of sensitive data, particularly authentication material. The attacker claims to hold encrypted and unencrypted passwords as well as cryptographic keys, any of which could be leveraged to bypass authentication or take control of customers' Oracle Cloud tenants.
Source: Cyber criminal group (external threat actor)
Risk events:
- System intrusion (Exploitation of a vulnerability)
- Information Breach (Unauthorised access to systems; Unauthorised access to information)
Consequences:
- Financial (Unplanned response costs, potential fines)
- Operational (Disruption of cloud services)
- Strategic (Damaged reputation)
- Compliance (Potential legal challenge)
How may it evolve?
If the breach claims are validated, criminals could use the compromised Oracle data to gain unauthorised access to customers' environments. They could exploit stolen credentials to infiltrate systems, escalate privileges, and move laterally across networks, potentially accessing sensitive business or customer data.
This foothold could then be leveraged to deploy ransomware, steal intellectual property, or cause operational disruption.
This activity would be particularly difficult to detect and respond to because it would use genuine credentials and keys rather than an exploit, so it would look like legitimate access in most logs.
Source: Cyber criminal group (using the stolen credentials and keys)
Risk events:
- Unauthorised access (Use of compromised credentials)
- Lateral movement (Exploiting access across systems)
- Information Breach (Theft of sensitive information)
- Malware (Ransomware, cryptojackers, infostealers)
Consequences:
- Operational (Business disruption)
- Compliance (Regulatory fines)
- Financial (Unplanned response costs, potential fines)
- Strategic (Embarrassing reporting, loss of customer confidence)
What action is required?
To minimise the potential impact of the incident, consider taking the following actions:
- Contact your Oracle account manager immediately to understand whether your systems are impacted and what steps Oracle is taking to mitigate the situation.
- Change and rotate credentials and keys associated with Oracle Cloud services, particularly for administrative accounts and systems that manage sensitive data. Include API signing keys, auth tokens and integration secrets, not just passwords, since the attacker claims to hold keys as well as passwords.
- Restrict access to Oracle Cloud services wherever possible, especially for high risk systems or services that are exposed to the internet.
- Enable Multi-Factor Authentication (MFA) across all Oracle Cloud accounts to reduce the risk of unauthorised access.
- Monitor systems closely for any unusual activity, such as logins from unfamiliar locations, failed login bursts, or unexpected changes to configuration, users, or credentials.
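The rotation, MFA and monitoring steps above can be turned into a repeatable triage check. The script below is an added example, not code from Cydea or Oracle: it takes an inventory of identity users and their credentials plus a set of login events and reports active users without MFA, active credentials issued before the date of the attacker's claim (so due for rotation), and post-claim logins from unfamiliar addresses or failed attempts. The record shapes follow the field names that `oci iam user list`, `oci iam api-key list` and `oci iam auth-token list` return (for example `is-mfa-activated`, `time-created`, `fingerprint`), but all records here are constructed sample data; the login events are a simplified stand-in for audit records, not the exact OCI Audit schema, and the known address range is an assumption.

```python
"""Triage helper for an OCI tenancy after the claimed Oracle Cloud breach.

Added example, not Cydea's or Oracle's code. USERS, API_KEYS, AUTH_TOKENS and
LOGINS are constructed sample data shaped like (but not taken from) OCI CLI and
audit output; KNOWN_RANGES is an assumed corporate egress range.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Date of the attacker's claim. Credentials issued before it are treated as
# potentially exposed; logins after it are reviewed.
INCIDENT_CUTOFF = datetime(2025, 3, 27, tzinfo=timezone.utc)

# Constructed sample of `oci iam user list --all` output (abridged fields).
USERS = [
    {"id": "ocid1.user.oc1..admin01", "name": "cloud-admin",
     "is-mfa-activated": False, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..dev02", "name": "dev-ci",
     "is-mfa-activated": True, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..old03", "name": "contractor",
     "is-mfa-activated": False, "lifecycle-state": "INACTIVE"},
]

# Constructed per-user credential listings keyed by user OCID.
API_KEYS = {
    "ocid1.user.oc1..admin01": [
        {"fingerprint": "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99",
         "time-created": "2024-11-02T09:14:00.000Z", "lifecycle-state": "ACTIVE"}],
    "ocid1.user.oc1..dev02": [
        {"fingerprint": "10:20:30:40:50:60:70:80:90:a0:b0:c0:d0:e0:f0:00",
         "time-created": "2025-03-28T16:00:00.000Z", "lifecycle-state": "ACTIVE"}],
}
AUTH_TOKENS = {
    "ocid1.user.oc1..admin01": [
        {"id": "ocid1.credential.oc1..tok1",
         "time-created": "2025-01-15T12:00:00.000Z", "lifecycle-state": "ACTIVE"}],
}

# Simplified, constructed login events: principal, source IP, UTC time, outcome.
LOGINS = [
    {"principal": "cloud-admin", "ip": "203.0.113.10", "time": "2025-03-20T08:00:00Z", "ok": True},
    {"principal": "cloud-admin", "ip": "198.51.100.77", "time": "2025-03-28T03:12:00Z", "ok": True},
    {"principal": "dev-ci", "ip": "203.0.113.22", "time": "2025-03-28T09:00:00Z", "ok": True},
    {"principal": "dev-ci", "ip": "192.0.2.5", "time": "2025-03-28T09:05:00Z", "ok": False},
]

# Assumed address range the organisation normally signs in from.
KNOWN_RANGES = [ip_network("203.0.113.0/24")]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps the CLI and audit feed emit."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def users_without_mfa(users):
    """Active users who can still authenticate with a password alone."""
    return sorted(u["name"] for u in users
                  if u["lifecycle-state"] == "ACTIVE" and not u["is-mfa-activated"])


def credentials_to_rotate(users, api_keys, auth_tokens, cutoff=INCIDENT_CUTOFF):
    """Active API keys and auth tokens created before the cutoff, as
    (user, credential type, identifier) tuples in inventory order."""
    findings = []
    for u in users:
        for key in api_keys.get(u["id"], []):
            if key["lifecycle-state"] == "ACTIVE" and parse_time(key["time-created"]) < cutoff:
                findings.append((u["name"], "api-key", key["fingerprint"]))
        for tok in auth_tokens.get(u["id"], []):
            if tok["lifecycle-state"] == "ACTIVE" and parse_time(tok["time-created"]) < cutoff:
                findings.append((u["name"], "auth-token", tok["id"]))
    return findings


def suspicious_logins(logins, known_ranges, since=INCIDENT_CUTOFF):
    """Logins at or after the cutoff that either failed (possible use of stale
    leaked passwords) or succeeded from an address outside the known ranges
    (possible use of a valid stolen credential)."""
    flagged = []
    for ev in logins:
        if parse_time(ev["time"]) < since:
            continue
        addr = ip_address(ev["ip"])
        from_known = any(addr in net for net in known_ranges)
        if not ev["ok"]:
            flagged.append((ev["principal"], ev["ip"], "failed"))
        elif not from_known:
            flagged.append((ev["principal"], ev["ip"], "new-source"))
    return flagged


if __name__ == "__main__":
    print("Enable MFA for:", users_without_mfa(USERS))
    print("Rotate:", credentials_to_rotate(USERS, API_KEYS, AUTH_TOKENS))
    print("Review logins:", suspicious_logins(LOGINS, KNOWN_RANGES))
```

In a real tenancy the three inputs would come from the CLI and from an Audit export rather than the constructed lists here; the point of the cutoff-based check is that a credential which simply exists is not evidence of compromise, but one that predates the claim and is still active is exactly what the rotation step above is meant to remove.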
For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.
Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.
Photo by BoliviaInteligente on Unsplash