Oracle’s leak is real and exposed to customers, draws attention to new evidence

Supposed Oracle customer data leakage, unauthorized access has a clear evidenceAccording to the new indications determined by Tecmundo Threatening intelligence company in partnership with Zenox.

Last Wednesday (26), we have received a new example with 10,000 records collected in a cyber attack through the Cyber ​​Criminal Car Criminal Criminal Criminal Claiming Oracle. After a week of calculation, it was possible to find information from companies and customers, including internal identifiers (USR switch and ACT key), personal data (identity information, full names), account status (field and administrator), temporal commodity data, LDAP bond and tenant data.

It should be noted that Oracle no longer responds to the press e -mails about the case and has rejected cyber invasion so far. . Tecmundo He contacted the company several times.

What was discovered

According to the Zenox analysis, the main identity information in the leak includes @oracle.com, @gmail.com and @hotmail.com. Password mixes are also defined – Hash is a cryptographic function that converts data into a fixed character row.

“Usr_password field, constantly,
They seem to be mixed or encrypted data (for example “128 *****: R0Hllmullte ********** E9SO/YJMVEWPPY =“) The exact format may vary or even though it is+mixed in a pre -attachment, the great asset confirms the claim that the attacker receives data from stored identity information.”

“This extended sample, previous information and the expected structure of a prophecy (potentially OID/IDCS/IDCS system) due to the expanded sample, despite the official negativity of Oracle, the nature of the leak claim significantly.

During the interview between Tecmundo And we noticed the differences between “Rose”, the actor before the previously leaked files. In short, “sample_database.txt” and “S.Txt” files appeared in the form of a table and are consistent with species leaks. On the other hand, the example “sample_ldap.txt ı had a characteristic LDAP data structure.

LDAP means a light directory access protocol, a mild directory access protocol that allows communication between applications and directory services. So how can the attacker explain the difference in the “Rose” structures?

We received an explanation, but he asked the methods and techniques not to be exposed to the report – this shows that access can still be vulnerable. Not only the idea that the lobby was exploited. Zenox explains with the information at hand:

“Oracle environment did not take place through a single abuse, but after providing the first access to the so -called vulnerable server through a series of actions (…) the actor’s first technical analysis is necessary to verify our first technical analysis, and a deeper and more permanent commitment to a simple and more permanent commitment than a single vulnerability.

The analysis allowed cyber criminal to understand that he had performed the following actions:

• To carry out arbitrary commands in the dangerous system;
• Access different data sources (potentially identity database and LDAP knee separately or interconnected systems);
• Find configuration files and sensitive switches and throw out.

Oracle denial, cyber guilty Truca

By raising the new information obtained, the Zenox company showed a surprise for already analyzing the first leak. “This is an important information volume that cannot be easily obtained or not easily obtained from the public resources that have pre -existing by the actor. The basic concept here”It was first seen“-The presence of data (e-mail addresses) that is unknown to the public before this special event,” he says.

The new example is calculated by two parameters: Remove all unique e-mails from the new example of 10,000 lines (result in 14,965 unique e-mail) and use the results of cross-control of these e-mails to measure the ratio of non-documented e-mails.

For TecmundoAnd now the measurement methodology, which is present in the threat report, used the following techniques defined by the company itself:

“Removing and merging: We have read the sample file using a script file, defined and removed the E -Post addresses from the related columns (such as usr_email). To provide the correct counting and avoid unnecessary controls, we only cause the last list of 14,965 in the E -Posta file by storing unique e -mails.

Cross -verification with HIBP API: We have developed a second script that reads the list of unique E -mails (E -Posta.txt). For each E -Posta, the last point / I made an appointment with PWED (HIBP) API V3Breach/{e -mail}, authentication with our API key. We applied a ratio to respect the request limit in the minute defined by the parameter. – (45/minute in this case). We use the Bourthines (Jobs, Works Defined by Parameter -workers5 In this case) E -POSTERS PAINT IN PARALLY within the limits of the determined rate. We interpret API answers: Http 200 ok “PWED” E -E -Posta (available in previous leaks), HTTP 404 not found “Clean” (Potential “first seen”) and other codes showed the specified errors. Accountants have been atomically updated for each category.

Metric Collection: At the end of the process, total E -mail, clean, clean and error was combined. We calculate additional metrics such as frequency of each leak and average PWeed E -Posting leaks. All results were recorded in a JSON file (hibp_analysis.json), as indicated by the Suput parameter.

The last document sent by Cyber ​​Criminal came after Oracle’s rejection. Because of the joint investigation between him and Tecmundo And Zenox is possible to say that the rate of “first seen” e -mails is high.

“The presence of almost 90% of the addresses without the registration of public commitment is not extremely likely to produce a list of the old data production or compilation hypothesis. It is very difficult for a player to produce a list of this magnitude. This result, for example, for example, in official conditions, it is significantly strengthened by the official denial of the sample.

• “Clean” E -Mails (potentially “first seen”): 13,312 (89.0%) – not found in previous public leaks documented by HIBP;
• “Pwned” e -mails: 1.615 (10.8%) – one or more public leakage;
• Average leaks with “Pwned” E -Posta: ~ 5.17;
• Verification Errors: 38 (0.25%).

It should be noted that Zenox is able to verify the 16 “first -seen” accounts in real and still actively.

CEO exposed

Another point we approached in the interview with “Rose” was the place where these data came: Oracle servers or partners? Oracle CEO Catz Crop sent two detailed LDAP records of Oracle CEO to strengthen the allegations that access servers are really a company.

The records have a consistent LDAP structure. Zenox said, “Records, following the DN (elite name) standard for Oracle Cloud Identity, Orclmttenantguidand it contains typical features (Mail, UID, CN, SN, Givenname, Objectclass).

They also reveal the existence of password mixes: “The second record clearly supports Fieldsword fields (partially hidden Sasl/MD5 mixes) and user passage (with a mixture that seems to be coded in Base64), the actor’s allegation to authentication data.

They are the new points shown by a large number of records/tenants in the files sent: “The existence of two different records for the same person, with different orclmttugid, CEO can be determined by the Oracle infrastructure (perhaps a Corpso Corpso in different tenants or contexts and the A454031 and the ID Management Management Management Management. it suggests that it reflects the complex.

Due to those discovered, these Catz crop data will show that the alleged leak will come from an oracle -managed server and that the exposed joint servers will overthrow the theories.

. Tecmundo It strengthens the task of transparency with our reader and the general public: If Oracle wants to position himself or comment on the case, this report will be updated.