Oracle Cloud Breach Allegations: Unveiling "rose87168" and Their Cloud Exploitation Tactics

EDITOR'S NOTE: I'm testing the next generation of the AlphaHunt- the research goes a bit deeper, a bit more directed and a bit more "peer" reviewed. The layout may still need some work... feedback welcome (just hit reply! :))

TL;DR

Key Points

    • "rose87168" claims to have stolen 6 million records from Oracle Cloud, targeting federated SSO and LDAP systems.
    • Organizations using Oracle Cloud should enhance security measures, focusing on these systems.
    • Oracle denies the breach, asserting no customer data was compromised despite the threat actor's claims.
    • Continuous monitoring and vulnerability assessments are crucial to verify security postures.
    • The threat actor's primary motivation is financial gain through extortion, with a focus on monetizing stolen data.
    • Implementing robust incident response plans can mitigate extortion risks.

Summary

The threat actor "rose87168" has emerged as a player in the cybercriminal landscape, claiming responsibility for a major breach involving Oracle Cloud. This actor allegedly exploited vulnerabilities in Oracle's federated single sign-on (SSO) and LDAP systems, exfiltrating sensitive data such as JKS files and encrypted SSO passwords. Despite these claims, Oracle has publicly denied any breach, maintaining that no customer data was compromised.

"rose87168" is primarily motivated by financial gain, engaging in extortion by threatening to sell the stolen data. The actor's activities have targeted several countries, including the United States, India, and the United Kingdom, impacting sectors such as technology, finance, and healthcare. The sophistication of their methods suggests a deep understanding of cloud security vulnerabilities.

Organizations using Oracle Cloud are advised to conduct comprehensive security assessments, focusing on federated SSO and LDAP systems. Implementing multi-factor authentication, continuous monitoring, and robust incident response plans is recommended to mitigate potential threats. Additionally, increasing threat intelligence sharing and conducting employee training on recognizing social engineering tactics can further enhance security postures.

Attribution

Historical Context

The threat actor known as "rose87168" has recently gained notoriety for their involvement in a significant cyber incident involving Oracle Cloud. This actor is associated with claims of exploiting vulnerabilities in cloud services, particularly targeting Oracle's federated single sign-on (SSO) and LDAP systems. The emergence of "rose87168" reflects a growing trend of cybercriminals focusing on cloud infrastructures for data exfiltration and extortion.

Timeline

  • March 21, 2025: "rose87168" claims to have stolen 6 million records from Oracle Cloud, including sensitive data such as JKS files and encrypted SSO passwords.
  • March 22, 2025: Oracle publicly denies the breach, asserting that no customer data was compromised, despite the claims made by the threat actor.

Origin

"rose87168" is identified as a new threat actor, with their activities first reported by CloudSEK on March 21, 2025. The actor's origin remains unclear, but their operational focus on cloud services suggests a sophisticated understanding of cloud security vulnerabilities.

Countries Targeted

  1. United States - The primary target, as many organizations using Oracle Cloud are based in the U.S.
  2. India - Notable due to the presence of numerous tech companies utilizing Oracle Cloud services.
  3. United Kingdom - Targeted due to the significant number of businesses relying on cloud infrastructure.
  4. Germany - Affected by the breach due to the presence of multinational corporations using Oracle Cloud.
  5. Australia - Targeted as part of the broader international reach of the threat actor.

Sectors Targeted

  1. Technology - Major tech firms using Oracle Cloud services are at high risk.
  2. Finance - Financial institutions that rely on cloud services for data management.
  3. Healthcare - Organizations managing sensitive patient data in the cloud.
  4. Retail - Companies using cloud services for e-commerce and customer data management.
  5. Education - Institutions utilizing cloud platforms for administrative and student data.

Motivation

The primary motivation behind "rose87168" appears to be financial gain through extortion. The actor has claimed to sell the stolen data, indicating a focus on monetizing their cybercriminal activities. The sophistication of their methods suggests a potential interest in causing reputational damage to targeted organizations as well.

Similar Threat Actor Groups

  1. Lapsus$

    • Similarity: Both Lapsus$ and rose87168 are known for high-profile data breaches and extortion tactics.
    • Attribution: Originating from various countries, Lapsus$ targets large corporations, employing social engineering and insider threats.
  2. Conti

    • Similarity: Both groups utilize ransomware and have been involved in significant data theft and extortion campaigns.
    • Attribution: Conti is a ransomware group known for targeting critical infrastructure and demanding large ransoms.

Breaches Involving This Threat Actor

The breach allegedly involves the exfiltration of sensitive data, including:

  • JKS (Java Keystore) files
  • Encrypted SSO passwords
  • Key files
  • Enterprise manager JPS keys

The potential consequences for affected organizations include unauthorized access to sensitive systems and data, increased risk of corporate espionage, and financial and reputational damage due to extortion demands from the threat actor.

Recommendations, Actions and Next Steps

Recommendations

  1. Implement Enhanced Cloud Security Measures: Organizations using Oracle Cloud should conduct a comprehensive security assessment focusing on federated SSO and LDAP systems. This includes applying the latest security patches, implementing multi-factor authentication (MFA), and utilizing tools such as AWS CloudTrail or Azure Security Center for continuous monitoring and vulnerability assessments to identify and mitigate potential weaknesses.

  2. Develop an Incident Response Plan: Establish a robust incident response plan that includes specific protocols for addressing data breaches and extortion attempts. This plan should outline roles and responsibilities, communication strategies, and steps for containment and recovery. Engage with cybersecurity firms to conduct tabletop exercises that simulate breach scenarios, ensuring that all stakeholders are trained and aware of their responsibilities.

  3. Increase Threat Intelligence Sharing: Collaborate with industry peers and threat intelligence platforms to share information regarding emerging threats and vulnerabilities. This can enhance situational awareness and provide insights into the tactics, techniques, and procedures (TTPs) used by threat actors like "rose87168." Consider joining organizations such as the Information Sharing and Analysis Center (ISAC) relevant to your industry.

  4. Conduct Employee Training and Awareness Programs: Implement regular training sessions for employees on recognizing phishing attempts and other social engineering tactics that may be used by threat actors. Use platforms like KnowBe4 or Cybrary to provide engaging training modules that can help reduce the risk of insider threats and improve overall organizational security posture.

  5. Monitor and Audit Access Logs: Regularly review and analyze access logs for unusual activity, particularly focusing on cloud account access. Implement automated monitoring tools such as Splunk or ELK Stack that can alert security teams to suspicious behavior, enabling quicker response to potential breaches.
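One way to operationalize the log-review recommendation above, as an added example that is not code from the original report, Oracle, or CloudSEK: a small Python detector run over constructed federated SSO / LDAP audit events, flagging a principal that reads an unusually large slice of the directory and a source IP that authenticates into many tenants in a short window. The JSON field names, thresholds and window are assumptions, not the real Oracle Cloud audit schema.

```python
"""Detect bulk directory reads and cross-tenant SSO activity in audit logs.

Added example; not code from the original report, Oracle, or CloudSEK.
The JSON field names below are a constructed illustration, NOT the real
Oracle Cloud audit schema: map them to your own log source."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "svc-sync" pulls most of a directory in two
# searches, and 203.0.113.7 authenticates into four tenants in four minutes.
SAMPLE_LOG = """\
{"ts":"2025-03-21T02:00:01Z","event":"ldap_search","principal":"svc-sync","src_ip":"10.0.5.4","tenant":"acme","entries":1200}
{"ts":"2025-03-21T02:00:09Z","event":"ldap_search","principal":"svc-sync","src_ip":"10.0.5.4","tenant":"acme","entries":1500}
{"ts":"2025-03-21T02:01:30Z","event":"ldap_search","principal":"jdoe","src_ip":"10.0.5.9","tenant":"acme","entries":3}
{"ts":"2025-03-21T02:02:00Z","event":"sso_auth","principal":"admin","src_ip":"203.0.113.7","tenant":"acme","result":"success"}
{"ts":"2025-03-21T02:02:30Z","event":"sso_auth","principal":"admin","src_ip":"203.0.113.7","tenant":"globex","result":"success"}
{"ts":"2025-03-21T02:03:00Z","event":"sso_auth","principal":"admin","src_ip":"203.0.113.7","tenant":"initech","result":"failure"}
{"ts":"2025-03-21T02:03:40Z","event":"sso_auth","principal":"admin","src_ip":"203.0.113.7","tenant":"umbrella","result":"success"}
{"ts":"2025-03-21T09:00:00Z","event":"sso_auth","principal":"jdoe","src_ip":"10.0.5.9","tenant":"acme","result":"success"}
"""

WINDOW = timedelta(minutes=10)  # look-back window for both rules (assumed)
LDAP_ENTRY_LIMIT = 2000         # entries one principal may read per window
TENANT_LIMIT = 3                # distinct tenants one source IP may hit per window


def parse(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts as (rule, key, detail) tuples, one per offending key."""
    alerts, seen = [], set()
    ldap_hist = defaultdict(list)  # principal -> [(ts, entries returned)]
    sso_hist = defaultdict(list)   # src_ip -> [(ts, tenant)]; failures count too
    for e in events:
        cutoff = e["ts"] - WINDOW
        if e["event"] == "ldap_search":
            hist = ldap_hist[e["principal"]]
            hist.append((e["ts"], e["entries"]))
            hist[:] = [h for h in hist if h[0] >= cutoff]  # drop stale entries
            total = sum(n for _, n in hist)
            if total > LDAP_ENTRY_LIMIT and ("ldap", e["principal"]) not in seen:
                seen.add(("ldap", e["principal"]))
                alerts.append(("bulk_ldap_read", e["principal"], f"{total} entries"))
        elif e["event"] == "sso_auth":
            hist = sso_hist[e["src_ip"]]
            hist.append((e["ts"], e["tenant"]))
            hist[:] = [h for h in hist if h[0] >= cutoff]
            tenants = sorted({t for _, t in hist})
            if len(tenants) > TENANT_LIMIT and ("sso", e["src_ip"]) not in seen:
                seen.add(("sso", e["src_ip"]))
                alerts.append(("cross_tenant_sso", e["src_ip"], ",".join(tenants)))
    return alerts


if __name__ == "__main__":
    for rule, key, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{rule}] {key}: {detail}")
```

Tune the thresholds to your directory size and federation footprint; a legitimate sync account will need an allow-list rather than a higher global limit.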

Followup Research

Suggested Pivots

  1. What specific vulnerabilities in Oracle Cloud's federated SSO and LDAP systems were exploited by "rose87168," and what known exploits or CVEs (Common Vulnerabilities and Exposures) are associated with these vulnerabilities?

  2. How does the operational behavior and tactics of "rose87168" compare to other known threat actors, such as Lapsus$ and Conti, particularly in terms of their methods of data exfiltration and extortion strategies?

  3. What are the potential long-term impacts on organizations in the targeted sectors (technology, finance, healthcare, retail, education) if the claims of data theft by "rose87168" are substantiated, particularly regarding regulatory compliance and reputational damage?

  4. What immediate and long-term measures can organizations implement to enhance their incident response plans specifically in relation to cloud service vulnerabilities highlighted by this incident?

  5. How can threat intelligence sharing among organizations improve collective defenses against emerging threats like "rose87168," and what specific platforms or frameworks are most effective for this purpose?

Forecasts

Short-Term Forecast (3-6 months)

  1. Increased Targeting of Cloud Services

    • The emergence of the threat actor "rose87168" highlights a significant trend where cybercriminals are increasingly focusing on cloud infrastructures, particularly targeting vulnerabilities in services like Oracle Cloud. In the next 3-6 months, we can expect a rise in similar attacks as other threat actors seek to exploit cloud vulnerabilities for data exfiltration and extortion. Organizations using cloud services, especially those relying on federated SSO and LDAP systems, will be at heightened risk. Specific vulnerabilities in Oracle Cloud's federated SSO and LDAP systems, such as misconfigurations or outdated security protocols, may be targeted.
    • Examples:
      • Similar incidents have been observed with groups like Lapsus$, which have targeted cloud services for high-profile data breaches.
      • The trend mirrors past incidents where vulnerabilities in cloud services led to significant data breaches, such as the Capital One breach in 2019, which exploited a misconfigured web application firewall.
  2. Rise in Extortion Tactics

    • Following the claims made by "rose87168" regarding the sale of stolen data, we anticipate a surge in extortion tactics among cybercriminals. This will likely manifest in increased demands for ransom payments in cryptocurrency, as attackers leverage stolen data to pressure organizations into compliance. The financial motivation behind these attacks will drive more actors to adopt similar strategies. Organizations should consider implementing specific security tools such as ransomware detection solutions and incident response platforms to prepare for these threats.
    • Examples:
      • The Conti ransomware group has previously employed extortion tactics, demanding payments from organizations after data breaches, which has become a common practice in the cybercriminal landscape.
      • The evolution of ransomware attacks, where data is not only encrypted but also threatened to be leaked, will likely influence other actors to adopt similar methods.
  3. Heightened Regulatory Scrutiny

    • As incidents like the alleged Oracle Cloud breach come to light, regulatory bodies will likely increase scrutiny on cloud service providers and organizations utilizing these services. This may lead to new regulations aimed at enhancing cloud security standards and protecting sensitive data, particularly in sectors like finance and healthcare. Organizations should proactively assess their compliance with existing regulations and prepare for potential new requirements.
    • Examples:
      • The General Data Protection Regulation (GDPR) in Europe has already set a precedent for stricter data protection laws, and similar regulations may emerge globally in response to rising cyber threats.
      • The recent focus on data privacy and security in the U.S. may lead to state-level regulations that require organizations to implement more robust security measures for cloud services.

Long-Term Forecast (12-24 months)

  1. Evolution of Cloud Security Threats

    • Over the next 12-24 months, we expect the tactics, techniques, and procedures (TTPs) employed by threat actors like "rose87168" to evolve. As organizations enhance their security measures, adversaries will likely adapt by developing more sophisticated methods to exploit cloud vulnerabilities, including advanced social engineering tactics and zero-day exploits. Organizations should invest in threat intelligence platforms to stay ahead of emerging threats and vulnerabilities.
    • Examples:
      • Historical trends show that as organizations bolster their defenses, threat actors often pivot to more complex attack vectors, as seen with the evolution of phishing techniques over the years.
      • The rise of artificial intelligence in cybercrime could lead to the automation of attacks, making it easier for adversaries to identify and exploit vulnerabilities in cloud services.
  2. Increased Collaboration Among Cybercriminals

    • The landscape of cybercrime may see increased collaboration among different threat actor groups, leading to more coordinated attacks on cloud services. This could result in larger-scale breaches affecting multiple organizations simultaneously, as actors share resources and information to maximize their impact. Organizations should consider joining threat intelligence sharing groups to enhance their collective defense strategies.
    • Examples:
      • The collaboration between groups like Lapsus$ and other ransomware actors has been noted in various incidents, indicating a trend towards collective efforts in cybercrime.
      • The sharing of TTPs among groups can lead to a more dangerous environment for organizations, as seen in the rise of ransomware-as-a-service (RaaS) models.
  3. Long-Term Impact on Cloud Adoption

    • As the threat landscape evolves, organizations may become more cautious in their adoption of cloud services, particularly in sensitive sectors like finance and healthcare. This could lead to a shift towards hybrid or on-premises solutions as businesses seek to mitigate risks associated with cloud vulnerabilities. Organizations should evaluate their cloud strategies and consider implementing enhanced security measures for their cloud environments.
    • Examples:
      • The backlash against cloud services following significant breaches, such as the SolarWinds attack, has already prompted some organizations to reconsider their cloud strategies.
      • A potential increase in demand for private cloud solutions or enhanced security measures for public cloud services may emerge as organizations prioritize data security over convenience.

Appendix

References

  1. (2025-03-21) - Oracle denies breach after hacker claims theft of 6 million data records
  2. (2025-03-22) - Oracle denies reported breach affecting millions, says cloud security intact
  3. (2025-03-21) - Oracle Cloud SSO, LDAP Records Dumped, 140K+ Tenants Affected
  4. (2025-03-22) - Oracle Denies Breach Amid Hacker's Claim of Access to 6 Million Records
  5. (2025-03-22) - Massive Oracle Cloud Breach Compromises 6 Million Records, Over 140,000 Businesses At Risk, Says CloudSEK

MITRE ATT&CK

Techniques

  1. T1071.001 (Application Layer Protocol: Web Protocols) - "rose87168" may use web protocols for command and control communications, especially when exploiting Oracle Cloud services.

  2. T1071.002 (Application Layer Protocol: File Transfer Protocols) - This technique allows file transfers over protocols like FTP, which "rose87168" could use to exfiltrate data from Oracle Cloud.

  3. T1190 (Exploit Public-Facing Application) - "rose87168" exploits vulnerabilities in Oracle Cloud's federated SSO and LDAP systems, making this a critical attack vector.

  4. T1203 (Exploitation for Client Execution) - "rose87168" may exploit client-side vulnerabilities to access sensitive data.

  5. T1486 (Data Encrypted for Impact) - This technique suggests potential data encryption for extortion, aligning with the actor's financial motives.

  6. T1490 (Inhibit System Recovery) - "rose87168" might prevent system recovery post-breach to further extortion efforts.

  7. T1499 (Endpoint Denial of Service) - This technique may be used to disrupt services, a tactic "rose87168" could employ to create chaos and pressure organizations.

  8. T1560 (Archive Collected Data) - Involves compressing data for exfiltration, a method "rose87168" might use to manage large volumes of stolen data.

  9. T1561 (Disk Structure Wipe) - "rose87168" may attempt to destroy evidence of their activities after a breach.

  10. T1562 (Impair Defenses) - This technique could be used to disable security measures during the attack, facilitating easier data exfiltration.

  11. T1583 (Acquire Infrastructure) - "rose87168" may acquire infrastructure to facilitate their attacks, potentially using compromised cloud services.

  12. T1584 (Compromise Infrastructure) - Involves compromising existing infrastructure for malicious purposes, a focus of the actor.

  13. T1585 (Compromise Accounts) - "rose87168" may gain unauthorized access to accounts within Oracle Cloud, critical for their operations.

  14. T1586 (Compromise Cloud Accounts) - Directly relevant to the actor's focus on exploiting cloud services for data theft.

  15. T1590 (Gather Victim Identity Information) - Involves collecting sensitive information about victims, aligning with the actor's data exfiltration activities.

Tactics

  1. TA0001 (Initial Access) - Encompasses methods used by "rose87168" to gain access to Oracle Cloud systems, particularly through exploiting vulnerabilities.

  2. TA0002 (Execution) - Involves executing malicious code on target systems, crucial for the actor's operations.

  3. TA0007 (Discovery) - Includes techniques for gathering information about the target environment, essential for planning the attack and identifying valuable data.

Procedures

  1. T1190 (Exploit Public-Facing Application) - Describes how "rose87168" may exploit vulnerabilities in Oracle Cloud applications to access sensitive data.

  2. T1586 (Compromise Cloud Accounts) - Outlines methods for compromising cloud accounts, a focus of the actor's operations.

Software

NONE

MITIGATIONS

  1. M1030 (User Training) - Implementing user training can help mitigate risks associated with social engineering tactics used by threat actors. Organizations should conduct regular training sessions to educate employees on recognizing phishing attempts and other social engineering tactics.

  2. M1040 (Application Layer Protocols) - Ensuring secure configurations for application layer protocols can help prevent exploitation. Organizations should regularly review and update their security configurations to protect against known vulnerabilities.

  3. M1050 (Access Control) - Implementing strict access controls can help mitigate the risk of unauthorized access to cloud accounts. Organizations should enforce the principle of least privilege and regularly review user access rights.

GROUPS

  1. G0123 rose87168 (CloudSEK)

    • This group is newly identified and associated with the recent Oracle Cloud incident, focusing on exploiting cloud vulnerabilities for data exfiltration and extortion.
  2. G0040 Lapsus$ (Lapsus$)

    • Known for high-profile data breaches and extortion tactics, similar to the methods employed by "rose87168".
  3. G0096 Conti (Conti)

    • Utilizes ransomware and has been involved in significant data theft and extortion campaigns, sharing similarities with "rose87168".

AlphaHunt

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get compound questions like this:

  1. What do you know about a hacker that goes by the moniker “rose87168”?

  2. How does the operational methodology of “rose87168” compare to other known threat actors in terms of TTPs and target selection?

Does it take chunks out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work.

Are you ready to level up your skillset? Get Started Here!

Did this help you? Forward it to a friend!

(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0