Risky Business Podcast Summary
Episode: #786 – Oracle is lying
Host/Author: Patrick Gray
Release Date: April 2, 2025
Introduction
In this episode of Risky Business, host Patrick Gray delves into significant security breaches affecting Oracle, evaluates Oracle's questionable security practices, and discusses broader cybersecurity news. The episode features insightful commentary from guest Adam Boileau and concludes with a sponsored interview with Jaden Hess from Trail of Bits, focusing on the infamous Bybit cryptocurrency exchange attack.
Oracle Breaches
Oracle Health Breach
The episode opens with Patrick Gray addressing two distinct and severe security breaches at Oracle, with Adam Boileau providing an in-depth analysis.
Key Points:
- Legacy System Vulnerability: Oracle's health data subsidiary (formerly Cerner) was breached through legacy Cerner systems that were still connected to the internet rather than decommissioned or migrated.
- Data Ransom Attempt: An attacker calling himself "Andrew" accessed electronic health record data and tried to extort both Oracle and the affected healthcare customers.
Notable Quote:
Patrick Gray [00:00-03:36]:
“Oracle is having a really bad time because it looks like they've had two breaches... they're spinning hard on this one and kind of veering into outright porky pie lies.”
Oracle Cloud Auth Portal Breach
Following the health breach, another significant incident involves Oracle’s cloud authentication portal.
Key Points:
- Exploited Vulnerability: Attackers reportedly exploited a known deserialization flaw, a CVE dating from 2021, in Oracle's identity and access management product, which is part of the Fusion Middleware suite.
- Data Compromise: Approximately 6 million records, including LDAP credentials and certificates, were allegedly stolen from the login infrastructure.
- Oracle's Denial: Even after affected customers confirmed that samples of the leaked data were genuine, Oracle publicly denied a breach of Oracle Cloud, saying the affected servers were legacy systems outside its current production environment.
Notable Quotes:
Adam Boileau [04:28-06:35]:
“They have provided some of this data as evidence of their access... Oracle has flat out said this didn't happen. It's a load of bunkum.”
Patrick Gray [06:35-09:42]:
“Oracle has been having such a bad time... you can't imagine like having a look at the Azure IP space and finding a bunch of like NT4 boxes.”
Discussion on Oracle's Security Practices
Patrick and Adam critique Oracle's handling of security, highlighting outdated systems and poor management responses.
Key Points:
- Outdated Infrastructure: Oracle was still running unsupported 11g software on internet-facing systems, keeping legacy products alive with minimal patching.
- Management Issues: A breakdown in internal communication led to misleading public statements, which reflects weak security governance rather than a single technical slip.
- Worst Offender Allegation: Oracle is characterized as historically poor in security practices, worse than even Microsoft at times.
Notable Quote:
Patrick Gray [09:35-16:08]:
“Oracle just don't really have great practices. They tend to scapegoat researchers as well... Oracle is a company that does not get it.”
Other Security News
Signal Gate Update
The episode revisits last week’s topic on Signal Gate, exploring the misuse of Signal by high-profile individuals and the resulting security implications.
Key Points:
- Public Exposure: Signal group messages involving officials such as Pete Hegseth and Mike Waltz became public, revealing insecure communication practices for sensitive material.
- Government Critique: The administration's response shifted blame onto Signal itself, leading to political fallout and increased scrutiny of consumer messaging apps used for official business.
- Endpoint Compromise: The practical risk is not Signal's encryption but the endpoints: a personal phone that is itself compromised exposes the whole conversation to foreign intelligence services regardless of the app.
Notable Quote:
Patrick Gray [19:00-24:33]:
“It's not a good look. I don't think ordinary people quite understand just how, just how sort of reckless all of this has been.”
FBI Ransom Recovery Efforts
Coverage of the FBI's success in recovering a large share of the ransom paid by Caesars Entertainment in a ransomware attack.
Key Points:
- Recovery Success: Of the roughly $15 million paid, the FBI froze approximately $11.8 million by working with cryptocurrency exchanges that held the funds.
- Effective Tracking: Tracing the payment through exchanges and freezing it demonstrates improved capability against ransomware payments, and shows that paying does not always mean the money is gone for good.
Notable Quote:
Adam Boileau [31:46-33:23]:
“They managed to track down, seize almost 300 bitcoin... which is like 11ish million dollars.”
Morse Corp Penalty Under False Claims Act
The defense contractor Morse Corp faces a $4.6 million penalty for violating the False Claims Act by misrepresenting compliance with security standards.
Key Points:
- Self-Assessment Failure: Morse Corp reported a high cybersecurity self-assessment score to the government, but a third-party assessment found the company far short of the required controls.
- Legal Ramifications: Failing to report the lower score to the government is what turned a compliance gap into a false claim, and it led to substantial penalties under the False Claims Act.
Notable Quote:
Patrick Gray [34:14-34:39]:
“That would be the false claim part of this.”
Palo Alto Networks Device Scanning Surge
GreyNoise reports a sharp increase in scanning for Palo Alto Networks GlobalProtect VPN portals, a pattern that has often preceded the release and exploitation of new vulnerabilities.
Key Points:
- Coordinated Scanning: Roughly 23,000 distinct source IPs were observed probing for GlobalProtect login portals, indicating coordinated reconnaissance ahead of a possible large-scale attack.
- Preparedness: Organizations running these devices are urged to inventory exposed GlobalProtect portals, apply current patches, and watch for login-page probing in their logs in anticipation of targeted exploits.
Notable Quote:
Adam Boileau [35:24-36:21]:
“Probably precursor to someone dropping some sweet, sweet Palo GlobalProtect VPN bugs.”
New Malware Targeting Ivanti Zero-Day
Newly observed malware exploits a stack buffer overflow in Ivanti appliances. Ivanti patched the bug earlier in the year, but it was exploited in the wild against appliances that had not been updated, so in practice it behaved like a zero-day.
Key Points:
- Timely Exploitation: Although a fix shipped earlier in the year, slow uptake of the update left many exposed appliances, so the vulnerability was effectively a zero-day for anyone who had not yet applied it.
- Exploit Complexity: Turning the stack buffer overflow into a reliable exploit took sustained effort, and the discussion suggests the exploit author kept working on it after the patch was released. For defenders, the lesson is that a fix does not have to be labelled critical to need rapid deployment.
Notable Quote:
Patrick Gray [36:32-37:43]:
“So there was a while back when we talked about it... and it sounds like he probably wanted to keep working on it.”
Arrest of Aubrey Cottle
Aubrey Cottle, aged 37, is arrested in Canada on charges related to hacking activities, including targeting the Texas Republican Party.
Key Points:
- Public Taunting: Cottle's public boasting on social media about his hacking exploits likely contributed to his arrest.
- Legal Proceedings: Facing charges both in Canada and the United States, Cottle represents the growing crackdown on visible cybercriminals.
Notable Quote:
Adam Boileau [39:05-39:50]:
“...if you're going to shell things and then gloat about it on public social media, I kind of don't know what else you expect.”
GCHQ Intern Data Theft
Hassan Arshad, a 25-year-old intern at GCHQ, is charged with stealing top-secret data, highlighting insider threats in high-security environments.
Key Points:
- Intentional Theft: Arshad copied top-secret material onto a personal device, apparently so that he could keep working on it outside the secure environment.
- Security Oversight: The case underscores that classified environments still need controls on data movement, including restrictions on removable media and personal devices, plus rigorous monitoring and auditing of who accesses classified information.
Notable Quote:
Adam Boileau [40:25-41:49]:
“...running a large company with a weird insular culture that doesn't listen to anyone else when you also don't really quite know what you're doing.”
Sponsor Interview: Trail of Bits with Jaden Hess
The episode features an interview with Jaden Hess from Trail of Bits, focusing on the catastrophic Bybit cryptocurrency exchange breach where $1.5 billion was stolen by North Korean actors.
Key Discussion Points:
Bybit's Security Flaws
Jaden Hess:
- Cold Wallet Mismanagement: Emphasizes that a cold wallet is only cold if it stays entirely offline; Bybit's setup, in which a supposedly cold wallet was driven through an internet-connected wallet provider, threw away that isolation and exposed the signing flow to malicious code.
Notable Quote:
Jaden Hess [43:04-44:03]:
“For one thing, if you're going to have a cold wallet, it has to be offline... someone has connected their cold wallet to an Internet wallet provider.”
Improper Transaction Signing Procedures
Jaden Hess:
- UI and Policy Shortcomings: Bybit's transaction signing flow allowed its security policy to be overridden, which made unauthorized transactions easier to push through. A proper signing interface should restrict what kinds of transactions can be signed at all and display every effect of a transaction in a form the signer can verify, so that a deceptive transaction cannot hide what it actually does.
Notable Quote:
Jaden Hess [45:06-46:24]:
“...restrict the sort of variety of transactions that can be signed... the wallet needs to be rich enough to display intuitively all of the different effects of a transaction.”
Threat Modeling and Operational Guidelines
Jaden Hess:
- Insufficient Threat Modeling: Bybit lacked comprehensive threat modeling and relied on web-based transaction proposals; proposal generation on an internet-connected host should be isolated from the signing step on the cold wallet, so a compromised web front end cannot dictate what gets signed.
- Best Practices Not Followed: Compared to U.S.-based organizations with robust procedures, Bybit was notably more lax in securing its cryptocurrency assets.
Notable Quote:
Jaden Hess [48:25-51:27]:
“...the typical thing that we would find if we did a review... a lot of these things are actually not that complex.”
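The two controls discussed in the last two sections, restricting which transactions a cold wallet will sign and showing a signer every effect before signing, are easier to reason about in code. The following is an added illustration written for this summary; it is not code from Trail of Bits, Bybit or any wallet vendor. It assumes a Safe-style proposal layout of (to, value, data, operation) with operation 1 meaning delegatecall, and the standard ERC-20 transfer selector a9059cbb; the addresses and policy limits are invented sample data.

```python
"""Policy gate for multisig transaction proposals (added illustration).

Example code for this summary, not Trail of Bits', Bybit's or Safe's code.
It models two controls: restrict the kinds of transactions a cold wallet
will sign, and render every effect of a proposal so a signer never approves
an opaque blob. Assumptions: proposals use the Safe-style (to, value, data,
operation) layout with operation 1 meaning delegatecall; the ERC-20 transfer
selector is a9059cbb; all addresses and policy limits below are invented.
"""
from dataclasses import dataclass, field

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
CALL, DELEGATECALL = 0, 1             # Safe operation codes


@dataclass
class Proposal:
    to: str         # account or contract the wallet will call
    value: int      # native tokens (wei) attached to the call
    data: str       # hex calldata; "0x" prefix optional
    operation: int  # CALL or DELEGATECALL


@dataclass
class Policy:
    allowed_recipients: set[str] = field(default_factory=set)  # destinations funds may go to
    max_transfer: int = 0             # per-transaction cap in token base units (invented limit)
    allow_delegatecall: bool = False  # delegatecall lets foreign code act as the wallet itself


def _hex(s: str) -> str:
    s = s.lower()
    return s[2:] if s.startswith("0x") else s


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build sample proposals."""
    return "0x" + ERC20_TRANSFER_SELECTOR + _hex(recipient).rjust(64, "0") + format(amount, "064x")


def parse_erc20_transfer(data: str):
    """Return (recipient, amount) if data is exactly an ERC-20 transfer call, else None."""
    d = _hex(data)
    if d[:8] != ERC20_TRANSFER_SELECTOR or len(d) != 8 + 64 + 64:
        return None
    recipient = "0x" + d[8 + 24:8 + 64]  # address is right-aligned in its 32-byte word
    amount = int(d[8 + 64:], 16)
    return recipient, amount


def describe(p: Proposal) -> list[str]:
    """Everything the proposal does, in words a signer can check against the intended action."""
    effects = []
    if p.operation == DELEGATECALL:
        effects.append(f"DELEGATECALL into {p.to}: that contract's code runs as the wallet and "
                       "can rewrite its storage, owners or implementation")
    if p.value:
        effects.append(f"send {p.value} wei of native tokens to {p.to}")
    xfer = parse_erc20_transfer(p.data)
    if xfer:
        recipient, amount = xfer
        effects.append(f"ERC-20 transfer of {amount} base units of token {p.to} to {recipient}")
    elif _hex(p.data):
        effects.append(f"opaque calldata to {p.to} (selector 0x{_hex(p.data)[:8]}): "
                       "effects cannot be displayed")
    return effects or ["plain call with no value and no data"]


def evaluate(p: Proposal, policy: Policy) -> tuple[bool, list[str]]:
    """Return (approved, reasons). All violations are reported, not just the first."""
    reasons = []
    allowed = {a.lower() for a in policy.allowed_recipients}
    if p.operation == DELEGATECALL and not policy.allow_delegatecall:
        reasons.append("delegatecall is not permitted from the cold wallet")
    elif p.operation not in (CALL, DELEGATECALL):
        reasons.append(f"unknown operation code {p.operation}")
    if p.value and p.to.lower() not in allowed:
        reasons.append(f"native-token transfer to non-allowlisted address {p.to}")
    xfer = parse_erc20_transfer(p.data)
    if xfer:
        recipient, amount = xfer
        if recipient not in allowed:
            reasons.append(f"token transfer to non-allowlisted address {recipient}")
        if amount > policy.max_transfer:
            reasons.append(f"amount {amount} exceeds per-transaction cap {policy.max_transfer}")
    elif _hex(p.data):
        reasons.append("calldata is not a recognised transfer; blind signing refused")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample data: a treasury recipient, a token contract and a hostile contract.
    TREASURY = "0x" + "11" * 20
    TOKEN = "0x" + "22" * 20
    EVIL = "0x" + "ee" * 20
    policy = Policy(allowed_recipients={TREASURY}, max_transfer=10**6)
    routine = Proposal(TOKEN, 0, encode_erc20_transfer(TREASURY, 1_000), CALL)
    # Looks like a harmless zero-value call if the UI shows only "to" and "value".
    hostile = Proposal(EVIL, 0, "0xdeadbeef", DELEGATECALL)
    for prop in (routine, hostile):
        ok, why = evaluate(prop, policy)
        print("APPROVE" if ok else "REJECT", describe(prop), why)
```

The point of the hostile case is that a signing UI which shows only destination and value renders it as a zero-value call, while describe() surfaces the delegatecall and the undecodable calldata; evaluate() then rejects it on both grounds without relying on the signer to notice. In a real deployment the policy check would run on the offline signer, not on the web host that produced the proposal.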
Industry Implications and Lessons Learned
Jaden Hess:
- Cryptocurrency Security Standards: Highlights the rapid evolution of crypto security practices and the importance of integrating strong cryptographic measures with operational protocols.
- North Korean Sophistication: Acknowledges North Korea's advanced yet opportunistic cyber capabilities, emphasizing that even basic security oversights can lead to massive financial losses.
Notable Quote:
Jaden Hess [51:45-53:31]:
“...they understand these processes internally with the... the degree to which they understand these processes...”
Conclusion
Patrick Gray wraps up the episode by reiterating the critical takeaways from Oracle’s security failures and the broader implications for cybersecurity practices across industries. The episode underscores the importance of rigorous threat modeling, maintaining updated systems, and fostering a security-first culture to prevent significant breaches.
Final Remarks:
Patrick Gray [54:44-54:44]:
“...thanks for listening.”
Notable Resources and Links
- Lawrence Abrams, BleepingComputer: Comprehensive reporting on the Oracle breaches.
- Becker's Health: In-depth analysis of health data security issues.
- watchTowr Labs: Detailed write-up on the Ivanti stack buffer overflow vulnerability.
- CrowdStrike Recommendations: Suggestions for enhancing VPN security.
End of Summary
For more detailed discussions and security insights, listen to the full episode of Risky Business #786 – "Oracle is lying."
