Transcript
Jim Love (0:01)
Oracle is hit with what some are calling one of the largest supply chain attacks ever. A browser in the middle attack can steal everything in seconds. Synology, a large storage company, has a major vulnerability. And have the DOGE terminations hurt US Government Red Teams? This is Cybersecurity Today. I'm your host, Jim Love.

A significant security breach has compromised Oracle Cloud's infrastructure, exposing approximately 6 million records and placing over 140,000 businesses at risk. Cybersecurity firm CloudSEK identified the breach on March 21, 2025, attributing it to a threat actor known as rose87168. The attacker is not well known in cybersecurity circles, but has demonstrated what experts are calling a high level of technical sophistication. The compromised data includes sensitive authentication files such as Java KeyStore, or JKS, files, encrypted single sign-on, or SSO, passwords, key files and Enterprise Manager Java Platform Security, or JPS, keys. These elements are crucial for maintaining secure access within enterprise environments. The attacker reportedly exploited a vulnerability in Oracle Cloud's login interface, specifically targeting the subdomain login.us2.oraclecloud.com. This subdomain was associated with Oracle Fusion Middleware 11g, which has known vulnerabilities, including CVE-2021-35587. This particular flaw allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete system takeover. The threat actor has been active since January 2025 and is demanding payments from affected companies to remove their data from the compromised set. They have also offered incentives to individuals who can assist in decrypting the stolen SSO passwords or cracking the Lightweight Directory Access Protocol, or LDAP, passwords. The breach poses several risks. There's data exposure: sensitive authentication data could be used for unauthorized access or corporate espionage. There's credential compromise: if decrypted, the stolen passwords could facilitate further breaches within Oracle Cloud environments. And there's extortion: the attacker's ransom demands will place additional financial and reputational pressures on the affected businesses. CloudSEK advises organizations using Oracle Cloud services to take immediate actions, including resetting passwords, updating security protocols, and monitoring for any unusual activities. Businesses can verify their exposure to this breach using CloudSEK's dedicated portal. There's a link in our show notes. Oracle is yet to release an official statement regarding the breach. Organizations are urged to remain vigilant and implement recommended security measures to mitigate the potential threats arising from this severe incident.

A sophisticated cyber attack technique known as Browser in the Middle has emerged, enabling hackers to bypass multi-factor authentication, or MFA, and hijack user sessions within seconds. This method exploits web browser functionalities to intercept authenticated sessions, posing a significant threat to organizations relying on traditional security measures. In a Browser in the Middle attack, victims are directed through an attacker-controlled browser that mirrors a legitimate website. When a user visits a malicious site or clicks on a phishing link, their interactions are funneled through this proxy, tricking them into entering credentials and completing MFA challenges. Once authenticated, the attacker captures the session token stored in the browser, effectively stealing the user's authenticated state. Some of the key components of this are the transparent proxies, and there are tools like Evilginx2 or Delusion. They act as intermediaries between the victim and the target service, modifying HTTP responses to replace legitimate domains with phishing domains, enabling session token extraction. There's rapid deployment with these Browser in the Middle frameworks, allowing operators to target any website quickly. Features such as Firefox's profile storage and automatic load balancing simplify large-scale phishing campaigns. And finally, there's real-time monitoring. Attackers can observe victim interactions in real time, enabling immediate session theft upon successful authentication. So Browser in the Middle attacks are particularly dangerous because they bypass multi-factor authentication, which many organizations consider their last line of defense. By capturing session tokens, attackers gain persistent access to accounts without needing the victim's credentials again. Some of the mitigation strategies: you can use hardware-based multi-factor authentication, using security keys like YubiKey to enforce cryptographic challenges tied to specific domains, preventing attackers from replaying responses across different websites. You can use client certificates. Binding authentication to device-specific certificates could prevent session reuse on unauthorized devices. You can use behavioral monitoring. Detecting unusual login patterns or browser fingerprint discrepancies could flag some of these Browser in the Middle compromises. And finally, there's security awareness training. Educating users to recognize phishing attempts remains critical. The emergence of Browser in the Middle attacks signifies a major shift in cyber threats, utilizing browser functionalities to evade traditional security measures. Security teams globally have to urgently address this evolving threat landscape.

A major security flaw in Synology's DiskStation Manager, or DSM, software could allow remote attackers to take full control of affected systems with no user interaction required. Synology, the leading provider of network attached storage, or NAS, systems used by businesses and individuals for secure file storage and backup, confirmed the vulnerability after it was publicly demonstrated at the Pwn2Own hacking contest early this year. The flaw, identified as CVE-2024-10441, has been given a near-maximum severity score of 9.8 out of 10 by the Common Vulnerability Scoring System, or CVSS, indicating it could have devastating effects if left unpatched. The vulnerability lies in the system plugin daemon, which fails to properly handle output encoding. This allows attackers to run arbitrary commands on vulnerable systems from anywhere on the Internet. Synology has also disclosed two additional vulnerabilities: one that could allow attackers to read limited files, CVE-2024-50629, and another that could let nearby attackers write files due to poor certificate validation, CVE-2024-10445. Security researchers from DEVCORE, Team Smoking Barrels and independent expert Ryan Emmons were among those who discovered the flaws. Synology has released security updates to fix the issues in all affected versions of DSM, including versions 6.2 through 7.2.2. Users are urged to upgrade immediately as there are no temporary workarounds available. Synology's full security advisory is available on their website. There's a link in our show notes. With Synology NAS devices so widely used in corporate environments and small offices for sensitive data storage, the risk of compromise is high if patches are not applied immediately.

Recent operational upheavals within the Cybersecurity and Infrastructure Security Agency, or CISA's, Red Team are prompting serious concerns about the robustness of U.S. cyber defenses. The Red Team, tasked with simulating cyber attacks to identify vulnerabilities in federal systems, has experienced significant disruptions due to budgetary measures implemented by the Department of Government Efficiency, or DOGE. In late February, DOGE terminated contracts affecting over 100 CISA Red Team members as part of a broader initiative to reduce government spending. Christopher Chenoweth, a senior penetration tester at the Department of Homeland Security, or DHS, highlighted the impact of these cuts, stating, "As a result, I and many other experienced Red Team operators are now seeking new opportunities." The abrupt termination of these contracts has raised alarms about the potential gaps in the nation's cybersecurity posture. Red teams play a critical role in proactively identifying and assessing security weaknesses before malicious actors can exploit them. Their work informs defensive strategies across various government agencies and critical infrastructure sectors. CISA acknowledged the staffing changes but assured that efforts are underway to maintain essential cybersecurity functions. In a recent statement, the agency emphasized its commitment to collaborating with network defenders, system administrators, and technical staff to bolster the nation's critical infrastructure against diverse threats. If that sounds like corporate blah blah blah, it's because it is. You don't lose 100 experienced Red Team members in any organization without taking an incredible hit. And that's why cybersecurity experts are cautioning that the loss of experienced Red Team personnel could hinder the government's ability to anticipate and defend against sophisticated cyber threats. The timing of these disruptions is also particularly concerning given the escalating frequency and complexity of cyber attacks that are targeting both public and private sector organizations. As the digital landscape continues to evolve, ensuring the stability and effectiveness of cybersecurity operations like those conducted by CISA's Red Team should remain a national priority.

And that's our show. What a past couple of days it's been, between high severity issues and the loss of these key resources. Hey, take a deep breath. We'll get back to another week of the battle. We're all in this together. I'm your host, Jim Love. Thanks for listening.
