Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting…

Oracle is caught up in a cybersecurity mess right now, with claims about a massive data breach affecting its cloud infrastructure. Last week, Hackread.com **published an article** based on the findings of cybersecurity firm CloudSEK revealing that a threat actor had stolen 6 million records from Oracle Cloud. The hacker, identified as “**rose87168**“, claimed to have compromised a key Single Sign-On (SSO) endpoint, resulting in the exfiltration of sensitive data including SSO and LDAP credentials, OAuth2 keys, and customer tenant information.

****Oracle’s Firm Denial****

Shortly after the story broke, Oracle issued a categorical denial, making a strong statement that “**There has been no breach of Oracle Cloud**.” The company maintained that the credentials published by the threat actor were not associated with Oracle Cloud and emphasized that no Oracle Cloud customers were affected. This statement directly contradicted the findings of CloudSEK, which had alerted the public and Oracle via formal reports.

****CloudSEK’s Follow-Up Investigation****

However, CloudSEK has doubled down on Oracle’s claims with a new follow-up analysis, presenting what it calls “conclusive evidence” of the breach. In a **blog post**, which the company shared with Hackread.com ahead of its publishing over the weekend, CloudSEK outlined how their researchers detected the threat actor’s activities on March 21, 2025.

According to the cybersecurity firm, they traced the attack to a compromised production SSO endpoint (**login.us2.oraclecloud.com**), which the hacker exploited to steal records from more than 140,000 tenants.

CloudSEK also found evidence that the threat actor had actively used the compromised domain to authenticate API requests via **OAuth2 tokens**, as seen in an archived public GitHub repository under Oracle’s official **"oracle-quickstart"** account. The endpoint was proven to be in use for production purposes, contradicting Oracle’s assertion that the credentials were unrelated to their infrastructure.

****New Evidence: Real Customer Data Confirmed****

One of the most noteworthy pieces of evidence involves real customer domain names that the hacker provided as samples. CloudSEK verified the domains against publicly available data and found that they were, in fact, valid Oracle Cloud customers. Some of the domain names identified include:

*   **sbgtv.com**

*   **nexinfo.com**

*   **nucor-jfe.com**

*   **rapid4cloud.com**

*   **cloudbasesolutions.com**

These domains were present in GitHub repositories and Oracle partner documentation, and CloudSEK confirmed they were not mere dummy or canary accounts. Additionally, the compromised endpoint, **login.us2.oraclecloud.com**, was validated as an active production SSO setup, used in real-world configurations by OneLogin and Rainfocus.

The screenshot shared by CloudSEK shows “login.us2.oraclecloud.com” was a production SSO setup

****The Impact and Concerns****

The impact of this breach, if proven, could be serious. The exposure of 6 million records, including encrypted SSO and LDAP passwords risks unauthorized access, espionage, and data breaches across affected systems. Additionally, the inclusion of JKS files and OAuth2 keys means attackers might gain long-term control over affected services.

CloudSEK warns that the compromised credentials could potentially be cracked and reused in a way that poses further risks to enterprise environments. The hacker is also reportedly demanding **ransom payments** from affected firms to delete the stolen data, amplifying both financial and reputational threats.

****CloudSEK’s Stance: Evidence over Speculation****

In response to Oracle’s denial, Rahul Sasi, CEO of CloudSEK, stated that the company is focused on providing transparency and evidence rather than speculation. CloudSEK has been sharing its findings through public reports and free tools to help organizations assess whether they are affected.

Additionally, Rahul recommends companies change their SSO and LDAP credentials right away and set up multi-factor authentication (MFA) to add extra protection. It’s also important to take a closer look at logs to spot any unusual activity related to the compromised endpoint. Keeping an eye on **dark web forums** for any signs of leaked data is a good move too. On top of that, it’s a good idea to get in touch with Oracle Security to figure out any weak spots and fix them.

****Questions Are Pouring In Already****

Cybersecurity experts are already questioning Oracle’s quick denial. **Chad Cragle**, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform stressed that Oracle needs to address the questions raised by CloudSEK to maintain its credibility.

_“_CloudSEK raises a critical point. If there was no breach, how did a threat actor allegedly upload a file to the Oracle Cloud subdomain?_“_ argued Chad. _“_This indicates unauthorized access, even if it wasn’t a full-scale compromise.”

_“_Dismissing the incident without addressing this key detail raises more questions than answers. If Oracle wants to maintain credibility, the company must clarify how the file ended up there, whether any security gaps were exploited, and why the subdomain was taken down,_“_ he added.

**Heath Renfrow**, CISO and Co-founder at Fenix24 a Chattanooga, Tennessee-based cyber disaster recovery firm, expressed concerns about Oracle’s stance on the breach and the threat actor’s ability to upload files within critical infrastructure.

_“_Regardless of Oracle’s position, the presence of a threat actor-uploaded file in the webroot of what appears to be an Oracle Cloud Infrastructure (OCI) login subdomain is deeply concerning,_“_ said Health. _“_This detail, coupled with the public availability of sensitive data on forums, raises valid questions about the scope of compromise and whether customers with federated login configurations could be at risk._“_

Hackread.com has reached out to Oracle. Stay tuned for updates!

CloudSEK Disputes Oracle Over Data Breach Denial with New Evidence

Oracle denies breach claims as hacker alleges access to 6 million cloud records. CloudSEK reports a potential zero-day exploit affecting 140,000 tenants.

A recent investigation by CloudSEK’s XVigil platform has uncovered a cyberattack targeting Oracle Cloud, resulting in the exfiltration of six million records and potentially affecting over 140,000 tenants. Reportedly, a threat actor, identified as ‘rose87168,’ perpetrated this attack that involved the theft of sensitive data, including JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys, which are now being sold on Breach Forums and other dark web forums.

The attacker, active since January 2025, claims to have compromised a subdomain login.us2.oraclecloud.com, which has since been taken down. This subdomain was found to be hosting Oracle Fusion Middleware 11G, as evidenced by a Wayback Machine capture from February 17, 2025. They are demanding ransom payments from affected tenants for the removal of their data and have even offered incentives for assistance in decrypting the stolen SSO and LDAP passwords.

CloudSEK’s analysis indicates that the threat actor may have compromised a vulnerable version of Oracle Cloud servers, potentially leveraging an older flaw, CVE-2021-35587, which affects Oracle Fusion Middleware (OpenSSO Agent) with the following identified as the impacted versions:

*   11.1.2.3.0
*   12.2.1.3.0
*   12.2.1.4.0

This CVE, added to the CISA KEV catalogue in December 2022, allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete takeover. This aligns with the type of data exfiltrated and shared by the attacker. Its exploitation could allow attackers to gain initial access to the environment and then move laterally within the Oracle Cloud environment to access other systems and data. Further investigation revealed that the Oracle Fusion Middleware server was last updated around September 27, 2014, indicating outdated software.

“Due to lack of patch management practices and/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager,” CloudSEK researchers noted in the blog post shared exclusively with Hackread.com.

However, Oracle has issued a statement denying any breach of its cloud infrastructure. “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” Oracle stated in response to the reports. This directly contradicts CloudSEK’s findings and the attacker’s claims.

Nonetheless, if it occurred the breach’s impact could be substantial as the exposure of a whopping six million records raises the risk of unauthorized access and corporate espionage. The exfiltration of JKS files is most concerning as these contain cryptographic keys, which could be used to decrypt sensitive data or gain access to other systems within the affected organizations. Moreover, the compromise of encrypted SSO and LDAP passwords could lead to further breaches across Oracle Cloud environments. The use of a zero-day vulnerability also raises concerns about the overall security of Oracle Cloud.

CloudSEK recommends immediate credential rotation, thorough incident response and forensics, continuous threat intelligence monitoring, and engagement with Oracle Security for verification and mitigation. They also advise strengthening access controls to prevent future incidents.

Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records

UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting.

By Jung soo An, Asheer Malhotra, Brandon White, and Vitor Ventura.

*   Cisco Talos discovered a malicious campaign we track under the UAT-5918 umbrella that has been active since at least 2023. 
*   UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting. 
*   We assess that UAT-5918's post-compromise activity, tactics, techniques, and procedures (TTPs), and victimology overlaps the most with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit intrusions we’ve observed in the past.

**UAT-5918’s activity cluster****Overview **

Talos assesses with high confidence that UAT-5918 is an advanced persistent threat (APT) group that targets entities in Taiwan to establish long-term persistent access in victim environments. UAT-5918 usually obtains initial access by exploiting N-day vulnerabilities in unpatched web and application servers exposed to the internet. The threat actor will subsequently use a plethora of open-source tools for network reconnaissance to move through the compromised enterprise. 

The activity that we monitored suggests that the post-compromise activity is done manually with the main goal being information theft. Evidently, it also includes deployment of web shells across any discovered sub-domains and internet-accessible servers to open multiple points of entry to the victim organizations. UAT-5918's intrusions harvest credentials to obtain local and domain level user credentials and the creation of new administrative user accounts to facilitate additional channels of access, such as RDP to endpoints of significance to the threat actor.

Typical tooling used by UAT-5918 includes networking tools such as FRPC, FScan, In-Swor, Earthworm, and Neo-reGeorg. Credential harvesting is accomplished by dumping registry hives, NTDS, and using tools such as Mimikatz and browser credential extractors. These credentials are then used to perform lateral movement via either RDP, WMIC (PowerShell remoting), or Impacket. 

**UAT-5918 activity cluster overlapping **

UAT-5918's tooling and TTPs overlap substantially with several APT groups including Volt Typhoon, Flax Typhoon and Dalbit. 

Figure 1. UAT-5918 TTPs and tooling overlaps with similar APT groups.

There is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware. The U.S. government assesses that Volt Typhoon is a PRC state-sponsored actor conducting cyberattacks against U.S. critical infrastructure. 

Multiple tools used in this intrusion also overlap with tooling used by Flax Typhoon in the past, such as the Chopper web shell, Mimikatz, JuicyPotato, Metasploit, WMIC and PowerShell, along with the use of tactics such as relying on RDP and other web shells to persist in the enterprise and WMIC for gathering system information. The U.S. government attributes Flax Typhoon, a Chinese government-sponsored threat actor, to the Integrity Technology Group, a PRC-based company.

Additionally, tooling such as FRP, FScan, In-Swor, and Neo-reGeorg, as well as filepaths and names used by UAT-5918, overlap with those used by Tropic Trooper. Tropic Trooper’s malware suite, specifically Crowdoor Loader and SparrowDoor, overlap with the threat actors known as Famous Sparrow and Earth Estries. We have also observed overlaps in tooling and tactics used in this campaign operated by UAT-5918 and in operations conducted by Earth Estries, including the use of FRP, FScan, Webshells, Impacket, living-off-the-land binaries (LoLBins), etc. Furthermore, we’ve discovered similar tooling between UAT-5918 and Dalbit consisting of port scanners, proxying tools, reverse shells, and reconnaissance TTPs.

It is worth noting that a sub-set of tools UAT-5918 uses such as LaZagne, SNetCracker, PortBrute, NetSpy etc., have not been seen being used by the aforementioned threat actors in public reporting. It is highly likely that this tooling might be exclusively used by UAT-5918 or their usage by other related groups may have been omitted in publicly available disclosures. 

**Victimology and targeted verticals **

UAT-5918 also overlaps with the previously mentioned APT groups in terms of targeted geographies and industry verticals, indicating that this threat actor’s operations align with the strategic goals of the aforementioned set of threat actors. 

We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors. Similar verticals and geographies have also been targeted by APT groups such as Volt Typhoon, Flax Typhoon, Earth Estries, Tropic Trooper, and Dalbit. 

**Initial access and reconnaissance **

UAT-5918 typically gains initial access to their victims via exploitation of known vulnerabilities on unpatched servers exposed to the internet. Activity following a successful compromise consists of preliminary reconnaissance to identify users, domains, and gather system information. Typical commands executed on endpoints include: 

ping <IP> 
net user 
systeminfo 
arp –a 
route print 
tasklist 
tasklist -v 
netstat -ano 
whoami 
ipconfig 
query user 
cmd /c dir c:\\users\\<username>\\Desktop 
cmd /c dir c:\\users\\<username>\\Documents 
cmd /c dir c:\\users\\<username>\\Downloads 

 Initial credential reconnaissance is carried out using the cmdkey command: 

cmdkey /list 

The threat actor then proceeds to download and place publicly available red-teaming tools (illustrated in subsequent sections) on endpoints to carry out further actions. In some cases, UAT-5918 also disabled Microsoft Defender’s scanning of their working directories on disk: 

powershell.exe -exec bypass Add-MpPreference -ExclusionPath <working\_directory> 
powershell Get-MpPreference 

**Post-compromise tooling **

UAT-5918's post-compromise tooling consists of web shells, some of which are publicly available, such as the Chopper web shell, multiple red-teaming and network scanning tools, and credentials harvesters.

**Reverse proxies and tunnels **

The actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels for accessing compromised endpoints via attacker controlled remote hosts. The tools are usually downloaded as archives and extracted before execution:

The Earthworm (ew) tool for establishing proxies is also run: 

**Port scanning **

FScan is a port and vulnerability scanning tool that can scan ranges of IP addresses and Ports specified by the attackers:

Talos has observed the actor scanning of these ports in particular: 

 21 22 80 81 83 91 135 443 445 888 808 889 5432 8000 8080 54577 11211

The threat actor also relies extensively on the use of In-Swor, a publicly available tool authored and documented by Chinese speaking individuals, for conducting port scans across ranges of IP addresses. A sample command of In-Swor's use is: 

Run\[.\]exe -h <ip\_range>/24 -nopoc -pwdf pw\[.\]txt -p 1521,6379 -t 4 

In-Swor was used to scan for the following ports across IP address ranges: 

22		SSH 
80		HTTP 
135		RPC 
445		SMB 
1433		SQL server 
1521		Oracle DBs 
3306		MySQL 
3389		RDP 
4194 		Kubernetes? 
5432 		PostgreSQL 
5900 		VNC 
6379 		Redis 
10248 	    ? 
10250 	    Kubernetes 
10255 	    MongoDB 

In other instances, In-Swor was used to establish proxy channels:

svchost\[.\]exe proxy -l \*:22 -k 9999   
svchost\[.\]exe proxy -l \*:443 -k 9999   
svchost\[.\]exe proxy -hc -l \*:443 -k 99997654    
svchost\[.\]exe -hc proxy -l \*:443 -k 99997654    
svchost\[.\]exe proxy -l 443 –v 

 svchost\[.\]exe -type server -proto tcp -listen :443    
svchost\[.\]exe -type server -proto http -listen :443    
svchost\[.\]exe -type server -proto rhttp -listen :443 

In addition to FScan, PortBrute, another password brute forcer for multiple protocols such as FTP, SSH, SMB, MYSQL, MONGODB, etc., was also downloaded and used:

PortBruteWin(5).exe -up <username>:<password> 

**Additional network reconnaissance **

The threat actor uses two utilities for monitoring the current connection to the compromised hosts — NirSoft's CurrPorts utility and TCPView. Both tools are likely used to perform additional network discovery to find accessible hosts to pivot to: 

C:\\Users\\<compromised\_user>\\Desktop\\cports-x64/cports.exe   
C:\\Users\\<compromised\_user>\\Desktop\\TCPView\\tcpview64.exe 

The threat actor also uses PowerShell-based scripts to attempt SMB logins to specific endpoints already identified by them:

powershell\[.\]exe -file C:\\ProgramData\\smblogin-extra-mini.ps1 

Netspy, another tool authored and documented by Chinese speaking individuals, is a network segmentation discovery tool that UAT-5918 employs occasionally for discovery. The fact that the operator had to check the tool help denotes the lack of automation and the unusual usage of such tool:

netspy\[.\]exe -h 

**Gathering local system information **

The attackers may also gather commands to profile the endpoint and its drives:

wmic diskdrive get partitions /value    
fsutil fsinfo drives    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace    
wmic logicaldisk get DeviceID,VolumeName,Size,FreeSpace /format:value 

**Maintaining persistent access to victims **

The threat actor attempts to deploy multiple web shells on systems they find are hosting web applications. The web shells are typically ASP or PHP-based files placed deep inside housekeeping directories such as image directories, user files etc. 

The threat actor uses JuicyPotato’s (a privilege escalation tool) web shell variant that allows JuicyPotato to act as a web shell on the compromised system accepting commands from remote systems to execute:

JuicyPotato is then run to spawn cmd\[.\]exe to run a reverse shell that allows the threat actor to run arbitrary commands: 

Run.exe -t t -p c:\\windows\\system32\\cmd.exe -l 1111 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 

UAT-5918 will also use PuTTY’s pscp tool to connect to and deliver additional web shells to accessible endpoints (likely servers) within the network:

pscp\[.\]exe <web\_shell> <user>@<IP>:/var/www/html/<web\_shell> 

Furthermore, Talos has observed UAT-5918 execute reverse Meterpreter shells to maintain persistent access to the compromised hosts:

C:\\ProgramData\\bind.exe 

C:\\ProgramData\\microbind.exe 

C:\\ProgramData\\reverse.exe 

cmd /c C:/ProgramData/microbind.exe 

**Backdoored user account creation **

UAT-5918 regularly creates and assigns administrative privileges to user accounts they’ve created on compromised endpoints: 

net user <victimname\_username> <password> /add   
net localgroup administrators <username> /add   
net group domain admins <username> /add /domain 

Credential harvesting is a key tactic in UAT-5918 intrusions, instrumented via the use of tools such as Mimikatz, LaZagne, and browser credential stealers: 

**Mimikatz**: A commonly used credential extractor tool is run to obtain credentials from the endpoint:

**LaZagne**: LaZagne is an open-sourced credential extractor: 

C:/ProgramData/LaZagne.exe   
C:/ProgramData/LaZagne.exe -all >> laz.txt 

**Registry dumps**: The “reg” system command is used to take dumps of the SAM, SECURITY and SYSTEM hives:

**Google Chrome information**: The adversary also uses a tool called BrowserDataLite, a tool to extract Login information, cookies, and browsing history from web browsers. The extracted information is subsequently accessed via notepad\[.\]exe: 

BrowserDataLite\_x64.exe 

 C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_LoginPass.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_Cookies.txt   
C:\\Windows\\system32\\NOTEPAD.EXE Chrome\_History.txt 

**SNETCracker**: A .NET-based password cracker (brute forcer) for services such as SSH, RDP, FTP, MySQL, SMPT, Telnet, VNC, etc.: 

Finding strings related to credentials such as: 

findstr /s /i /n /d:C:\\ password \*.conf 

**Pivoting to additional endpoints **

UAT-5918 consistently attempts to gain access to additional endpoints within the enterprise. They will perform network reconnaissance cyclically to discover new endpoints worth pivoting to and make attempts to gain access via RDP or Impacket: 

mstsc.exe -v <hostname> 

Impacket was also used on multiple occasions to pivot into additional endpoints and copy over tools: 

python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\ADMIN$\\\_\_<timestamp> 2>&1 

 cmd\[.\]exe /Q /c echo python wmiexec\[.\]py Administrator:<password>@<IP> -codec big5 ^> \\\\<hostname>\\C$\\\_\_output 2^>^&1 > C:\\Windows\\jFcZpIUm\[.\]bat & C:\\Windows\\system32\\cmd\[.\]exe /Q /c C:\\Windows\\jFcZpIUm\[.\]bat & del C:\\Windows\\jFcZpIUm\[.\]bat 

 cmd\[.\]exe /Q /c net use \[\\\]\[\\\]<IP>\\c$ /user:<username> 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1   
cmd\[.\]exe /Q /c dir \[\\\]\\\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan64\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy \[\\\]\[\\\]<IP>\\c$\\<scan\_result>.txt 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy fscan\[.\]exe \[\\\]\[\\\]<IP>\\c$\\ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1    
cmd\[.\]exe /Q /c copy mimikatz\[.\]exe \[\\\]\[\\\]<IP>\\c$ 1> \[\\\]\[\\\]127\[.\]0\[.\]0\[.\]1\\<share>\_\_ 2>&1 

**File collection and staging **

UAT-5918 pivots across endpoints enumerating local and shared drives to find data of interest to the threat actor. This data may include everything that furthers the APT’s strategic and tactical goals and ranges from confidential documents, DB exports and backups to application configuration files. In one instance, the threat actor used the SQLCMD\[.\]exe utility to create a database backup that could be exfiltrated: 

C:/ProgramData/SQLCMD.EXE -S <target\_server\_DB> -U <username> -P <password> -Q BACKUP DATABASE <NAME> to disk='<db\_backup\_location>.bak' 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

6F6F7AA6144A1CFE61AC0A80DB7AD712440BDC5730644E05794876EB8B6A41B4 
BAB01D029556CF6290F6F21FEC5932E13399F93C5FDBCFFD3831006745F0EB83 
F7F6D0AFB300B57C32853D49FF50650F5D1DC7CF8111AA32FF658783C038BFE5 
497A326C6C207C1FB49E4DAD81D051FCF6BCBE047E0D3FE757C298EF8FE99ABA 
F9EB34C34E4A91630F265F12569F70B83FEBA039C861D6BF906B74E7FB308648 
DD832C8E30ED50383495D370836688EE48E95334270CBBCE41109594CB0C9FD1 
F7B52EE613F8D4E55A69F0B93AA9AA5472E453B0C458C8390DB963FF8B0B769C 
B994CBC1B5C905A2B731E47B30718C684521E8EC6AFB601AFECF30EF573E5153 
12D4EFE2B21B5053A3A21B49F25A6A4797DC6E9A80D511F29CA67039BA361F63 
2272925B1E83C7C3AB24BDEB82CE727DB84F5268C70744345CDA41B452C49E84 
71EB5115E8C47FFF1AB0E7ACEBAEA7780223683259A2BB1B8DB1EB3F26878CA4 
E159824448A8E53425B38BD11030AA786C460F956C9D7FC118B212E8CED4087A 
7EF22BFB6B2B2D23FE026BDFD7D2304427B6B62C6F9643EFEDDB4820EBF865AF 
EFC0D2C1E05E106C5C36160E17619A494676DEB136FB877C6D26F3ADF75A5777 
B7690c0fc9ec32e1a54663a2e5581e6260fe9318a565a475ee8a56c0638f38d0 
A774244ea5d759c4044aea75128a977e45fd6d1bb5942d9a8a1c5d7bff7e3db9 
31742ab79932af3649189b9287730384215a8dccdf21db50de320da7b3e16bb4 
09cea8aed5c58c446e6ef4d9bb83f7b5d7ba7b7c89d4164f397d378832722b69 
D47e35baee57eb692065a2295e3e9de40e4c57dba72cb39f9acb9f564c33b421 
1753fa34babeeee3b20093b72987b7f5e257270f86787c81a556790cb322c747 
F4ea99dc41cb7922d01955eef9303ec3a24b88c3318138855346de1e830ed09e 
5b0f8c650f54f17d002c01dcc74713a40eccb0367357d3f86490e9d17fcd71e8 
3588bda890ebf6138a82ae2e4f3cd7234ec071f343c9f5db5a96a54734eeaf9f 
95eee44482b4226efe3739bed3fa6ce7ae7db407c1e82e988f27cd27a31b56a6 
02ab315e4e3cf71c1632c91d4914c21b9f6e0b9aa0263f2400d6381aab759a61 
D1825cd7a985307c8585d88d247922c3a51835f9338dc76c10cdbad859900a03 
234899dea0a0e91c67c7172204de3a92a4cbeef37cdc10f563bf78343234ad1d 
8d440c5f0eca705c6d27aa4883c9cc4f8711de30fea32342d44a286b362efa9a 
Ffb8db57b543ba8a5086640a0b59a5def4929ad261e9f3624b2c0a22ae380391

UAT-5918 targets critical infrastructure entities in Taiwan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below -

CVE-2017-3066 (CVSS score: 9.8) - A deserialization vulnerability impacting

Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data.

For those returning from a short holiday away from the news, DeepSeek is a new player on the Artificial Intelligence (AI) field. The Chinese startup has certainly taken the app stores by storm: In just a week after the launch it topped the charts as the most downloaded free app in the US. This caused an upset on the stock markets that cost nVidia and Oracle shareholders a lot of money.

DeepSeek has been called an open-source project, however this technically is not true because only the model’s outputs and certain aspects are publicly accessible. This makes it qualify as an open-weight model. Anyway, the important difference is that the underlying training data and code necessary for full reproduction of the models are not fully disclosed.

And it’s the data that pose a concern to many. OpenAI has accused DeepSeek of using its ChatGPT model to train DeepSeek’s AI chatbot, which triggered quite some memes. If only because OpenAI previously suffered accusations of using data that was not its own in order to train ChatGPT.

Authorities have started to ask questions as well. The Italian privacy regulator GPDP has asked DeepSeek to provide information about the data it processes in the chatbot, and its training data.  Because it sees a risk to the privacy of millions of Italian citizens, GDPD has demanded DeepSeek answers within 20 days questions about:

*   Which personal data is collected
*   The origin of the data
*   Purpose for the collection
*   Whether the data is stored on servers in China

According to the Italian press agency ANSA, DeepSeek disappeared on January 29, 2025 from Google and Apple’s app stores in Italy.

And if all that isn’t scary enough, researchers at Wiz have found a publicly accessible database belonging to DeepSeek.

> “This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details. “

The database was not just accessible and readable, it was also open to control and privilege escalation within the DeepSeek environment. No authentication was required, so anybody that stumbled over the database was able to run queries to retrieve sensitive logs and actual plaintext chat messages, and even to steal plaintext passwords and local files.

Needless to say, this oversight put DeepSeek and its users at risk.

We have said this before and we’ll probably have to repeat it numerous times, but the need for fast developments in this field is creating privacy risks that we have never seen before, simply because security is an afterthought for the developers. So, no matter which AI chatbot you prefer, always be mindful of the information you feed it: It may find its way to unexpected and undesirable places.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 The DeepSeek controversy: Authorities ask where does the data come from and how safe is it? 

The new administration moved quickly to remove any constraints on AI development and collected $500 billion in investment pledges for an American-owned AI joint venture.

Source: Andrey Popov via Alamy Stock Photo

President Donald Trump revoked former President Joe Biden's 2023 executive order aimed at putting security guardrails around artificial intelligence (AI) systems and their potential impact to national security, giving a major boost to private sector companies like OpenAI, Oracle, and Softbank. They responded in kind with collective pledges to spend up to $600 billion on building out AI infrastructure in the US.

Biden's AI executive order required developers of AI and large language models (LLMs) like ChatGPT to develop safety standards and share results with the federal government to help prevent AI-powered cyberattacks against citizens, critical infrastructure, dangerous biological weapons, and other areas affecting US national security.

**Artificial Intelligence Private Sector Ponies Up**

Fast on the heels of that revocation, the Trump administration unveiled Project Stargate, which is intended to funnel hundreds of billions into AI infrastructure in the US. The Stargate event at the White House was attended by SoftBank CEO Masayoshi Son, who had already pledged $100 billion to the fund. OpenAI CEO Sam Altman and Oracle co-founder Larry Ellison each pledged an initial $100 billion, all of which will be used to set up a separate company committed to US AI infrastructure. Microsoft, Nvidia, and semiconductor company Arm are also involved as technology partners.

During the ceremony, Ellison said there are already data centers in Texas under construction as part of Project Stargate.

Leading AI CEOs, including Marty Sprinzen, CEO of Vantiq, were delighted by the news.

"As I sit here at the World Economic Forum in Davos, Switzerland, the atmosphere is charged with enthusiasm following President Trump's announcement of the Stargate initiative — a collaboration between OpenAI, SoftBank, and Oracle to invest up to $500 billion in artificial intelligence infrastructure," Sprinzen said in a statement.

One outlier with less enthusiasm for Project Stargate is Elon Musk, who claimed the companies don't have the cash to cover the pledges.

**Trump Administration's AI Cybersecurity Plan**

It's still not completely clear this means if or how there will be any federal oversight of AI technology or its development.

The Biden AI executive order was far from perfect, according to Max Shier, CISO at Optiv, but he still would like to see some federal oversight of AI development.

"I don't disagree with the reversal per se, as I don't think the EO that Biden signed was adequate and it had its flaws," Shier says. "However, I would hope that they replace it with one that levies more appropriate controls on the industry that are not as overbearing as the previous EO and still allows for innovation."

Shier anticipates standards developed by the National Institute for Standards and Technology (NIST) and the International Organization for Standardization (ISO) will help "provide guardrails for ethical and responsible use."

For now, the new administration is ready to leave the task of developing AI with adequate safety controls in private sector hands. Adam Kentosh at Digital.ai says he is confident they are up to the task.

"The rapid pace of AI development makes it essential to strike a balance between innovation and security. While this balance is critical, the responsibility likely falls more on individual corporations than on the federal government to ensure that industries adopt thoughtful, secure practices in AI development," Kentosh says. "By doing so, we can avoid a scenario where government intervention becomes necessary."

That might not be enough, according to Shier.

"Private enterprise should not be allowed to govern themselves or be trusted to develop under their own standards for ethical use," he stresses. "There has to be guardrails provided that don't stifle smaller companies from participating in innovation but still allow for some oversight and accountability. This is especially true in instances where public safety or national security is at risk or has the potential to cause risk."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trump Overturns Biden Rules on AI Development, Security

Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services.
The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances.
"Easily exploitable

Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Over the past few years, decentralised finance (DeFi) has revolutionised the financial sector. DeFi introduced transparent, permissionless and…

Over the past few years, decentralised finance (DeFi) has revolutionised the financial sector. DeFi introduced transparent, permissionless and efficient payment systems, streamlining international transactions. However, this growth has been accompanied by a rise in security challenges and there have been several notable incidents over the years.

DeFi exchanges have become prime targets for hackers, leading to billions of dollars in losses in recent years. Amidst this turbulent landscape, PARSIQ’s Reactive Network emerges as a promising solution to safeguard DeFi ecosystems. With its innovative cross-chain capability, upcoming mainnet launch and the introduction of the REACT token, Reactive Network is setting the stage for a more secure DeFi future.

****The Escalating Threat of DeFi Exchange Hacks****

The frequency of DeFi hacks has increased tremendously in recent years. This poses a significant threat to the industry. According to Immunify, security breaches in DeFi exchanges accounted for $1.2 billion in financial losses in 2024 alone. Alarmingly, breaches in centralised finance (CeFi) platforms saw a staggering 984% increase in 2024, as reported by BeInCrypto. This trend highlights the vulnerabilities that exist across both centralised and decentralised financial platforms.

High-profile attacks illustrate the scale and sophistication of these exploits. For example, the $625 million Ronin Network hack from 2022 is a stark reminder of the risks associated with weak security protocols. Similarly, the $100 million breach of Atomic Wallet just a year later highlights the vulnerabilities in wallet services. These incidents underscore the urgent need for advanced security measures to protect user funds, maintain trust in DeFi and promote growth in the coming days.

****Introducing Reactive Network: The Future of DeFi Security****

PARSIQ’s Reactive Network is a groundbreaking innovation and the platform has achieved significant milestones in its mission to revolutionise blockchain security. Last year, the platform launched its testnet, providing developers with tools to build more secure and efficient decentralised applications (dApps). In the coming months, PARSIQ plans to launch the Reactive Network mainnet along with the REACT token.

At the core of the Reactive Network lies the concept of Inversion of Control (IoC). This technology empowers smart contracts to operate autonomously, responding dynamically to events across connected blockchains. With Reactive Smart Contracts (RSCs), users can experience seamless and secure cross-chain transactions without manual intervention. This innovation not only simplifies workflow but also enhances overall network security. 

****Enhanced Security Protocols****

Reactive Network’s architecture addresses common vulnerabilities that have traditionally plagued DeFi exchanges. By tackling issues like reentrancy attacks and oracle manipulation, the platform offers robust protection against sophisticated hacking techniques. Automated incident response strategies further strengthen the network’s defence, ensuring timely threat detection and mitigation.

****Autonomous Smart Contract Functionality****

One of Reactive Network’s standout features is its ability to autonomously monitor and respond to suspicious activities. This reduces reliance on manual intervention, minimising human error, which is a major contributing factor in security breaches.

****Cross-Chain Interoperability****

In a DeFi landscape where interoperability is essential, the Reactive Network ensures secure and efficient cross-chain transactions. This minimises the risks associated with bridge exploits, which is a common entry point for attackers. This empowers users to transact across multiple blockchains with confidence, knowing that their assets are protected 24/7.

****The Future of Secure DeFi Exchanges****

As DeFi continues to grow, the need for robust security solutions becomes increasingly critical. Reactive Network stands at the forefront of this evolution, offering advanced tools and technologies to protect users and platforms alike.

The highly anticipated Reactive Network mainnet launch promises enhanced features and capabilities over the testnet. Developers and businesses are preparing to leverage the platform’s tools to create secure, scalable and efficient dApps. The introduction of the REACT token alongside the mainnet launch will further enrich the Reactive Network ecosystem.

The token will play a crucial role in transaction processing and network governance, incentivising participation and fostering a vibrant community. With its carefully designed tokenomics, REACT aims to align the interests of all stakeholders, ensuring long-term growth and sustainability. Additionally, existing PRQ token holders can seamlessly 1:1 swap them for the REACT tokens.

By addressing the common challenges and vulnerabilities plaguing the industry, Reactive Network is paving the way for a safer and more reliable DeFi ecosystem. Developers, businesses and investors can consider exploring the capabilities of Reactive Network by engaging with the testnet and preparing for the mainnet launch.

With the REACT token set to revolutionise transaction and governance processes, now is the time to join this innovative ecosystem. Stay tuned to the official Reactive Network blog and developer documentation to learn more and take the first step toward a more secure DeFi future.

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **We Need Smarter Smart Contracts To Prevent DeFi Hacks**
3.  **Top 5 Platforms for Identifying Smart Contract Vulnerabilities** 
4.  **Enhancing Blockchain Randomness To Eliminate Trust Issues**
5.  **5 Ways Smart Contracts Are Making A Real-World Difference**

PARSIQ’s Reactive Network Provides Solution for DeFi Exchange Vulnerabilities

TikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.

After an opaque and uncertain saga, TikTok went dark on millions of phones across the United States on Saturday evening around 10:30 pm EST. Google Play and Apple’s App Store both pulled the app late Saturday as well. If it was already installed prior to Saturday evening, the app is still there on your phone, but launching it only reveals a pop-up warning about the ban. As the deadline loomed, TikTok users had been bracing for the change and flooding other platforms, including the Chinese social app Xiaohongshu or “RedNote.” But if you’re not quite ready to give up the latest skin-care hacks, budgeting tips, and pet tortoise influencers, there are some options for circumventing the ban and continuing to use the platform.

“Sorry, TikTok isn’t available right now,” the app alert reads. “A law banning TikTok has been enacted in the U.S. Unfortunately, that means you can’t use TikTok for now. We are fortunate that President Trump has indicated that he will work with us on a solution to reinstate TikTok once he takes office. Please stay tuned!” Other ByteDance-owned apps, including CapCut and Lemon8, also disappeared from US app stores.

Such a ban has never existed in the US before, so the technical methods being employed to implement it are still evolving, and circumvention techniques may need to change as well. The law driving the situation, the Protecting Americans From Foreign Adversary Controlled Applications Act (PAFACA), doesn’t make it illegal to have TikTok on your phone. And, notably, it also doesn’t say that TikTok itself has to stop the app from working in the US.

Nonetheless, the company said in the days before the law took effect that it planned to make the app inaccessible to US users—a level of cooperation and accommodation that the outgoing Biden White House called a “stunt” on Saturday afternoon. Even if TikTok itself had obligations under the law, the Biden White House had signaled that it did not plan to enforce the ban before Trump took office on Monday.

Rather than putting the pressure on TikTok, PAFACA requires app stores and cloud hosting services to stop doing anything to “distribute, maintain or update” TikTok. That puts the pressure on Apple and Google to stop new users from downloading TikTok, as well as infrastructure providers like Oracle to keep new content or software updates from reaching the app’s users. Over time, TikTok would likely degrade and become unusable.

Officials in India banned TikTok in 2020, and the company also proactively blacked out the app in that case. When Indian users who already had the app installed tried to launch it, a pop-up appeared telling them that they couldn’t access the service.

Devashish Gosain, a network analysis researcher and assistant professor at the Indian Institute of Technology Bombay, says that in India, TikTok users must remove their Indian SIM card from their phone or use an international SIM card and then run a VPN in order to load content in the app.

“Even VPNs do not lead to circumvention” in India, Gosain told WIRED.

In the early hours of the US ban, it was unclear exactly how feasible it would be to get around the restrictions for US accounts. It seemed that TikTok had taken a more extreme approach, turning any US builds of the app dark—blacking out versions of the TikTok app software that had been made to be downloaded and used by US users. It also seemed that US-linked accounts were being blocked regardless of IP address or SIM country information.

Running a VPN alone was certainly not enough to circumvent the ban and get back on TikTok. But seemingly using a non-US TikTok account after removing a SIM (or on a device without a US SIM card/US phone number) worked when combined with a VPN. Similarly, using a VPN with a desktop browser or the Tor Browser was enough to get a non-US TikTok account to load in the US early on Sunday morning, though TikTok’s desktop version has always been much more limited than its mobile app.

“TikTok inspects the source IP of the network packets—if the source IP belongs to India, it drops the packets,” Gosain explains, of the restrictions in India. “Also, the TikTok app fetches the country information embedded in the SIM card, and if the country code is ‘IN,’ it filters the network connection. When we remove the SIM card, the TikTok app fails to identify Indian users from the SIM card, and when we use VPNs, the IP address changes, and it no longer belongs to the Indian IP range. Thus, TikTok again fails to identify that the user is accessing from India. This is how we bypass the filtering.”

Virtual private networks, or VPNs, work by passing your internet traffic through servers that are physically maintained in locations around the world, so you can select an IP address that is tied to a different location than where you physically are. For example, American TikTok users can use VPNs to make it look like they are accessing the internet from outside the US. VPNs also stop your internet service provider (ISPs) from seeing your browsing data, adding an extra potential layer of privacy. When you’re using a VPN, your ISP will simply see connections to the VPN instead of having access to the detailed list of all the websites you’re visiting.

As a result of these capabilities, VPNs are frequently used in attempts to get around digital geolocation restrictions, like those on Netflix or other streaming platforms. They’re also an important, and familiar, tool for circumventing internet censorship programs for people living under authoritarian regimes like those in Russia, China, and Iran.

Using a VPN comes with caveats, though. Some commercial VPNs log people’s browsing history, which essentially just shifts data collection from ISPs to VPN makers. This means that the data isn’t more protected, and that law enforcement could request it from a VPN provider in the same way that they make requests to ISPs. As a result, picking a free VPN is generally not a good idea—with some even selling access to your home internet connections. But some VPNs publish no-logging policies and offer third-party audits and other transparency features in an attempt to show their compliance.

For now, it seems that TikTok’s efforts to block US users are extremely draconian, and even a non-US SIM card or no SIM card plus a VPN may not be a workable path to getting back on the app with a US TikTok account. But the restrictions may only be temporary anyway. In practice, there seems to be little appetite for a permanent ban in the US. And, in spite of originating the idea, President Trump has said in recent days that he doesn’t want the app to be banned.

“My decision on TikTok will be made in the not too distant future, but I must have time to review the situation,” Trump said in a Truth Social post on Friday. “Stay tuned!”

How to Get Around the US TikTok Ban

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account…

A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account and replaced the legitimate Kong Ingress Controller v.3.4.0 image with a malicious version.

A critical security vulnerability was identified in Kong Ingress Controller version 3.4.0. This vulnerability stemmed from an unauthorized image uploaded to DockerHub on December 23rd, 2024. The affected image (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) contained malicious code that enabled cryptojacking. 

This malicious code directed the controller to pool.supportxmr.com, a crypto mining site, which means the image contained code that secretly mined cryptocurrency. Moreover, it would have been executed by any system running the compromised image, effectively turning those systems into unintended mining rigs.

The Kong team became aware of the issue on January 2nd, 2025 and took swift action. They removed version 3.4.0 and all associated tags from DockerHub. Additionally, they rotated all access keys used for DockerHub access. Finally, a patched version, 3.4.1, was released on January 2nd, 2025. This version removed the unauthorized cryptojacking code.

There is currently no evidence to suggest that any Kong Ingress Controller versions besides 3.4.0 (specifically the image hash mentioned above) were affected.

****What You Should Do:****

If you deployed Kong Ingress Controller version 3.4.0 between December 22nd, 2024 and January 3rd, 2025, immediate action is required. You should remove this image from all internal registries and clusters.

To fix the issue, remove the vulnerable image (sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) from internal registries and clusters, pull a remediated image from either the patched version 3.4.1 or a clean version 3.4.0.

The fixed image hashes for the clean, re-tagged version of 3.4.0 are:

AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f

ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

By taking these steps, you can ensure you are no longer running a vulnerable image and protect your systems from cryptojacking attempts.

Dan Lorenc, CEO and founder of software supply chain security platform Chainguard provided Hackread.com with a detailed comment addressing the core issues within this attack stating, “Supply-chain breaches happen, and it looks like the kong/kubernetes-ingress-controller images are the latest to fall victim. Here’s what we know so far:

*   A DockerHub PAT used to upload release images was compromised sometime before Dec. 23rd
*   The attacker used this PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub
*   This image contained code to mine cryptocurrency and send results to a specific wallet
*   High CPU usage was reported by a user on December 29th, and the malicious images were taken down by January 2nd
*   New versions were uploaded, and the keys used to upload were revoked/rotated by the maintainers

“How should you protect against attacks like this? As a maintainer, any key you have is a key that you can leak,” said Dan. “Lock down and regularly audit all systems that have access to PATs like this, or choose systems that allow OIDC-based authentication to avoid this altogether. CI/CD pipelines are notoriously hard to configure securely; tools like Zizmor (lnkd.in/eGSGrMqm) help here. Signing artefacts can help even if you can’t use OIDC to publish or users pull from mirrors out of your control.”

“As an end-user, pin images you receive from third-parties by digest and test/malware scan them before upgrading. Check signatures if they exist,” Dan explained.

Nevertheless, a crypto mining attack on organizations could have drastic implications, including increased resource consumption, higher energy costs, and a multitude of security risks. The compromised image could have introduced vulnerabilities or backdoors, allowing attackers to gain further access, highlighting the importance of software supply chain security, particularly for critical components like container images. Organizations should employ image integrity verification mechanisms, and conduct regular security audits to identify and mitigate vulnerabilities.

1.  **OracleIV DDoS Botnet Hits Docker Engine API Instances**
2.  **Malware Hits 9Hits, Turns Docker Servers into Crypto Miners**
3.  **Hackers hijacking Bitbucket and Docker Hub for Monero mining**
4.  **TeamTNT Exploits 16M IPs in Malware Attack on Docker Clusters**
5.  **Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps**

Tag

#oracle