Larry Ellison’s PR flacks desperately follow the script.
A hacker claims to have breached Oracle Cloud Infrastructure (OCI), stealing 6,000,000 records. But Oracle Corp. says that’s not true.
Nevertheless, many customers confirmed the leaked dataset is genuine. Several researchers point to a four-year-old critical vulnerability as the hacker’s entry point. But still Oracle keeps up the pretense.
“There was no breach,” the PR flacks cry. In today’s SB Blogwatch, we cry too.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Officerance.
OCI Dokey Then
What’s the craic? Eduard Kovacs reports: Evidence Appears to Confirm Oracle Cloud Hack
“No breach”
Oracle has categorically denied that its Cloud systems have been breached, but sample data made available by the hacker seems to prove otherwise. … A hacker named ‘rose87168’ … claims to have obtained six million lines of data, including SSO and LDAP passwords.
…
rose87168 provided sample data consisting of roughly 10,000 records to several security firms in an effort to prove the hacking claims. … Some customers said … the leaked data is genuine and … exposed accounts have access to sensitive data. … The attack on Oracle Cloud systems may involve the exploitation of a vulnerability … CVE-2021-35587, which impacts Oracle Fusion Middleware.
…
“There was no breach of Oracle Cloud,” an Oracle spokesperson [said]. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Do we believe them? Lawrence Abrams doesn’t: Data stolen in alleged cloud breach is valid
“Oracle Fusion Middleware 11g”
rose87168 shared [with me a] URL … for a text file hosted on the “login.us2.oraclecloud.com” server that contained their email address. This file indicates that the threat actor could create files on Oracle’s server, indicating an actual breach. However, Oracle has denied that it suffered a breach of Oracle Cloud and has refused to respond to any further questions.
…
This denial, however, contradicts [my] findings. [I] received additional samples of the leaked data from the threat actor. … The associated companies … who agreed to confirm the data under the promise of anonymity [all] confirmed the authenticity of the information.
…
The “login.us2.oraclecloud.com” server was running Oracle Fusion Middleware 11g [which] was impacted by a vulnerability tracked as CVE-2021-35587 that allowed unauthenticated attackers to compromise Oracle Access Manager. The threat actor claimed that this vulnerability was used in the alleged breach.
How big is the impact? As Aviv Sinai argues, The Impact is Bigger Than You Think:
“The real risk”
But the real story of the … OCI breach isn’t about the back-and-forth details or the vulnerability that attackers exploited. [There’s] a far more critical question: How many organizations even know they’re using OCI? … Security teams have a small window of opportunity to defuse a ticking time bomb by acting fast, including rotating credentials and enforcing MFA—if you know what tenants exist in the first place.
…
While its footprint is small compared to giants like AWS, Azure, and Google Cloud, OCI has carved out a niche by catering to enterprises that rely heavily on Oracle’s database products. … So, while OCI may not dominate in raw market share, its presence across major enterprises—and its strategic use cases—give it a bigger real-world impact than the numbers suggest.
…
Experts recommend an all-too familiar playbook: Rotate passwords, enable MFA, review access logs. All sensible. All necessary. But there’s an unspoken assumption: … That you know where your Oracle tenants are and who’s using them. And that’s where the real risk lives.
For example? Safe Technique exemplifies thuswise:
It’s the SaaS apps that are the danger. Most of those affected won’t be directly using Oracle Cloud. They’ll be using NetSuite, or another SaaS app (Zoom etc.) that runs on Oracle Cloud. A quick look at the domains affected will show this – lots of SMEs.
How bad is it? Really bad. 2thumbsup undersells the severity:
The fact that Oracle was hosting their login gateway on a product with a known vulnerability from 2021 with a CVSS score of 9.8 is quite disturbing.
But what about Oracle’s unequivocal PR prose? Dru Nemeton is simply in awe:
What a perfect response.
The thing that happened—didn’t happen.
The thing that you’re experiencing—you aren’t experiencing.
The thing you can see with your own eyes—you can’t see with your own eyes.
But does this “deny everything” strategy actually work? Yes, argues dylan604:
This is the way. … Those who have already drunk the kool-aid will believe your denial. Those that are too lazy to look or only get their information from one source won’t know any different than your denial. The rest are just wrong from being in opposition anyhow. It works anywhere, as long as you’re large enough.
What would Dick The Butcher do? Stu J calls it “popcorn time:”
Oh pleeeeeease can somebody affected sue Oracle into the ground for criminal negligence? Providing an insecure service by running instances of your own software, which is riddled with public exploits, and not updating said instances to patch the exploitable bugs? Priceless multi-layered levels of negligence.
Meanwhile, at least mprindle is happy:
Great! I really need another year of worthless credit monitoring.
And Finally:
I knew Severance reminded me of something
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: U.S. State Department