Alert Essentials:

Oracle has reportedly experienced two separate data compromises, Oracle Health (formerly Cerner) and Oracle Cloud. Both incidents have sparked criticism of Oracle’s handling of the situation, with the company denying one breach and remaining silent on the other.


Detailed Threat Description:

Recent claims of an Oracle Cloud data breach emerged on March 21, 2025, when a threat actor, “rose87168,” advertised the sale of approximately 6 million records allegedly stolen from Oracle Cloud’s federated Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.

The data reportedly includes sensitive items such as Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys, potentially impacting over 140,000 tenants. The attacker claims to have exploited a vulnerability (possibly CVE-2021-35587 in Oracle Fusion Middleware) to access the login endpoint “login.us2.oraclecloud.com,” which Oracle subsequently took offline following the incident.

Security firms such as CloudSEK, Hudson Rock, and SOCRadar analyzed samples of the leaked data, including a 10,000-line dataset. They found evidence suggesting authenticity, with some Oracle customers confirming the validity of the data tied to their production environments. However, Oracle has consistently denied the breach.

Separately, an incident involving Oracle Health (formerly Cerner) was reported, in which patient data from legacy servers was confirmed to have been stolen following a breach detected on February 20, 2025, with extortion attempts ongoing. The FBI is investigating the Oracle Health breach, but no public connection to the Oracle Cloud incident has been established.

The situation remains unresolved: independent researchers assert a breach occurred, supported by customer confirmations and technical evidence (e.g., a file uploaded to an Oracle server by the attacker), while Oracle maintains that no breach of its cloud infrastructure took place.

Protective Measures for Cerner / Oracle Cloud Users

Given the potential risks, Cerner (Oracle Health) and Oracle Cloud users should take precautionary measures to protect themselves. Below are the recommended actions:

Reset User Credentials

  • Why: Stolen data may include encrypted SSO and LDAP passwords, posing risks if decrypted or reused.
  • Action: Reset all passwords for Oracle Cloud and Cerner accounts, particularly those with privileged access. Use strong, unique passwords and rotate tenant-specific identifiers or secrets (e.g., SAML, OIDC configurations).
  • Cerner-specific: Reset credentials tied to legacy Cerner systems affected by the confirmed breach.

Enable and Enforce Multi-Factor Authentication (MFA)

  • Why: MFA prevents unauthorized access even if passwords are compromised.
  • Action: Enable MFA across all Oracle Cloud and Cerner accounts, particularly for SSO logins, and verify compliance.

Regenerate Certificates and Keys

  • Why: Exposed JKS files and cryptographic keys could enable impersonation.
  • Action: Regenerate and replace all certificates, keys, and secrets that may be linked to compromised systems.

Conduct Incident Response and Monitoring

  • Why: Undetected access or ongoing extortion attempts may already be underway.
  • Action: Audit logs for suspicious activity, deploy enhanced monitoring, and check dark web forums for leaked data.

Engage with Oracle Support

  • Why: Official guidance or patches could mitigate risks.
  • Action: Contact Oracle Support or the Chief Information Security Office to report concerns and seek remediation steps.

Update Systems and Apply Patches

  • Why: The alleged CVE-2021-35587 vulnerability highlights the risks associated with outdated software.
  • Action: Update Oracle Fusion Middleware and related components to the latest available patch level, not merely the patches released in October 2021.

Assess Third-Party Risks

  • Why: Supply chain attacks could extend the breach’s impact.
  • Action: Review third-party integrations, audit their security, and enforce least-privilege access for every integration account and API key.
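The credential-reset, MFA and monitoring steps above are easier to verify with a script than by hand. The following is an added example, not code from this alert, from Oracle, or from Fortified: a Python post-incident review that takes an account inventory and an SSO audit-log export and reports (1) accounts whose password was last rotated before the baseline date, (2) accounts without MFA, (3) successful logins preceded by a burst of failures from the same source, and (4) successful logins after the baseline by accounts that were never rotated. The usernames, IP addresses, log format and the key=value field names are all constructed for illustration; a real Oracle Cloud or Cerner audit export will need its own parser in place of parse_log.

```python
"""Post-incident review helper (added example; constructed data, hypothetical log format)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Baseline: the date the alert gives for detection of the Oracle Health breach.
# Credentials last rotated before this date are treated as potentially exposed.
BASELINE = datetime(2025, 2, 20, tzinfo=timezone.utc)

# Constructed account inventory (hypothetical users): last password reset and MFA status.
ACCOUNTS = {
    "alice":   {"last_reset": "2025-03-25T09:00:00Z", "mfa": True},
    "bob":     {"last_reset": "2024-11-02T14:30:00Z", "mfa": True},
    "svc-erp": {"last_reset": "2024-06-10T08:00:00Z", "mfa": False},
    "carol":   {"last_reset": "2025-03-26T11:45:00Z", "mfa": False},
}

# Constructed SSO audit-log excerpt: one event per line, key=value fields (hypothetical format).
SAMPLE_LOG = """\
2025-03-22T01:15:02Z user=bob src=203.0.113.5 result=FAILURE
2025-03-22T01:15:09Z user=bob src=203.0.113.5 result=FAILURE
2025-03-22T01:15:14Z user=bob src=203.0.113.5 result=FAILURE
2025-03-22T01:15:20Z user=bob src=203.0.113.5 result=FAILURE
2025-03-22T01:15:27Z user=bob src=203.0.113.5 result=FAILURE
2025-03-22T01:16:03Z user=bob src=203.0.113.5 result=SUCCESS
2025-03-22T08:02:11Z user=alice src=198.51.100.7 result=SUCCESS
2025-03-23T03:40:00Z user=svc-erp src=203.0.113.5 result=SUCCESS
2025-03-23T09:12:45Z user=carol src=198.51.100.9 result=FAILURE
2025-03-23T09:13:01Z user=carol src=198.51.100.9 result=SUCCESS
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the constructed key=value log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": parse_ts(ts), "user": kv["user"],
                       "src": kv["src"], "result": kv["result"]})
    return events


def stale_credentials(accounts, baseline=BASELINE):
    """Accounts whose last password reset predates the baseline (reset step not done)."""
    return sorted(u for u, a in accounts.items() if parse_ts(a["last_reset"]) < baseline)


def missing_mfa(accounts):
    """Accounts without MFA enrolled (MFA step not done)."""
    return sorted(u for u, a in accounts.items() if not a["mfa"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Per (user, source IP): a success preceded by >= threshold failures inside the window.

    This pattern is what a replayed or guessed credential typically looks like in SSO logs.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["user"], e["src"])].append(e)
    hits = []
    for (user, src), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            recent = [f for f in evs[:i]
                      if f["result"] == "FAILURE" and e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                hits.append((user, src, e["ts"]))
                break  # one finding per user/source pair is enough for triage
    return hits


def successes_on_stale_accounts(events, accounts, baseline=BASELINE):
    """Accounts that logged in after the baseline without ever rotating their credentials."""
    stale = set(stale_credentials(accounts, baseline))
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["user"] in stale and e["ts"] >= baseline})


def review(accounts, log_text, baseline=BASELINE):
    """Run all four checks and return a JSON-serialisable summary."""
    events = parse_log(log_text)
    return {
        "stale_credentials": stale_credentials(accounts, baseline),
        "missing_mfa": missing_mfa(accounts),
        "suspicious_logins": [f"{u} from {s} at {t.isoformat()}"
                              for u, s, t in failures_then_success(events)],
        "stale_successes": successes_on_stale_accounts(events, accounts, baseline),
    }


if __name__ == "__main__":
    print(json.dumps(review(ACCOUNTS, SAMPLE_LOG), indent=2))
```

On the constructed data the report flags bob and svc-erp for unrotated credentials, carol and svc-erp for missing MFA, bob's login from 203.0.113.5 as a burst of failures followed by a success, and both unrotated accounts as having authenticated after the baseline. The baseline date and the failure threshold are parameters so the same review can be rerun against a different incident date or a noisier log.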

Should Users Take Precautionary Measures?
Yes, precautionary measures are strongly recommended. Evidence from security firms and customer validations suggests a credible risk, outweighing Oracle’s denials for actionable purposes. Resetting credentials, enforcing multi-factor authentication (MFA), and monitoring for potential compromises are low-cost, high-impact steps to mitigate potential threats.

Conclusion
The Oracle Cloud breach claims remain contentious, with credible evidence clashing against Oracle’s denial as of March 31, 2025.

For Cerner users, the separate Oracle Health breach is a confirmed threat requiring immediate action. Users should prioritize credential resets, multi-factor authentication (MFA), and system audits to safeguard their data, remaining vigilant for updates as the situation develops.

Affected Products / Versions:

Potential Impacts:
Oracle Cloud Infrastructure (OCI)
Oracle Fusion Cloud Applications
Oracle Database Services
Oracle NetSuite
Oracle Middleware and Java-based applications

CVEs
CVE-2021-35587 (CWE-306, CVSS 9.8)

Impacts on Healthcare Organizations:

A breach in healthcare data security can have profound consequences on a healthcare organization. For patients, the loss or alteration of sensitive medical records can lead to incorrect diagnoses, improper treatments, and even life-threatening errors. Hackers may manipulate medication histories or delete vital information, compromising the integrity of care.

The fallout from a data breach is equally severe for healthcare organizations. Financially, they face direct costs, including fines for regulatory violations, legal fees from lawsuits, and increased insurance premiums.

Hospitals are high-value targets for cybercriminals, and those using Oracle applications—such as Oracle Health (formerly Cerner), Oracle ERP, HCM, or NetSuite—should take immediate steps to protect sensitive data. With proactive security steps, a healthcare agency can prevent costly data leaks, ransomware attacks, and patient privacy violations.

Recommendations:

Engineering Recommendations:

  • Reset User Credentials
  • Enable and Enforce Multi-Factor Authentication (MFA)
  • Regenerate Certificates and Keys
  • Conduct Incident Response and Monitoring
  • Engage with Oracle Support
  • Update Systems and Apply Patches
  • Assess Third-Party Risks

Leadership/Program Recommendations:

  • Collaborate with industry groups to share threat intelligence and advocate for federal policies addressing single-source supplier risks
  • Maintain a robust incident response plan aligned with the organization’s protocols

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References: