
The Cybersecurity & Infrastructure Security Agency this past week published new guidance and best practices designed for Oracle Cloud customers, following public reports of "potential unauthorized access to a legacy Oracle cloud environment."
WHY IT MATTERS
The Homeland Security division notes that while "the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals."
In particular, CISA notes that anywhere login credential material could be exposed, reused across separate and unaffiliated systems, or "embedded" – hardcoded into scripts, applications, infrastructure templates or automation tools – organizations could be at risk of compromise.
"When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed," the agency notes.
THE LARGER TREND
In March, reports emerged that Oracle had experienced two separate data breaches in recent months, one affecting Oracle Health customers and another said to result from an exploit targeting Oracle Cloud login servers.
The website Bleeping Computer cited reports from customers that suggested millions of records may have been compromised after an alleged breach of Oracle Cloud federated SSO login servers, and pointed to an online account that claimed to have gained access to authentication data and encrypted passwords of as many as 6 million users.
Despite other security researchers offering similar evidence, Oracle initially disputed the claims.
"There has been no breach of Oracle Cloud," the company told Bleeping Computer. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Since that time, Oracle did confirm one hack, affecting a pair of "obsolete servers," but again reiterated its insistence that its Oracle Cloud servers were not compromised.
"Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach," officials said in an email to customers. "No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way."
In light of those reports, CISA recommends a series of actions for healthcare and other organizations using Oracle Cloud, as a preventative best practice to help them reduce risks associated with any potential credential compromise:
- Reset passwords for any known affected users across enterprise services, particularly where local credentials may not be federated through enterprise identity solutions
- Review source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded or embedded credentials and replace them with secure authentication methods supported by centralized secret management
- Monitor authentication logs for anomalous activity, especially involving privileged, service, or federated identity accounts, and assess whether additional credentials (such as API keys and shared accounts) may be associated with any known impacted identities
- Enforce phishing-resistant multi-factor authentication for all user and administrator accounts wherever technically feasible
- It also points to information sheets on cloud security best practices from CISA and NSA
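The second recommendation, reviewing code, templates and config files for embedded credentials, as an added Python example (not CISA's or Oracle's tooling): it flags literal credential assignments and private-key blocks in constructed sample files while skipping values that only reference a secret store or an environment variable. The `vault:` URI form is a hypothetical placeholder for whatever centralized secret manager an organization uses.

```python
"""Heuristic scan for embedded credentials in scripts, IaC and config files.

Added example, not CISA's or Oracle's tooling. Sample files below are
constructed; the 'vault:' reference syntax is a hypothetical secret-store URI.
"""
import re

# A credential-looking key assigned a literal value, e.g. password = "x"
CRED_ASSIGN = re.compile(
    r'(?i)\b(?P<key>[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*)'
    r'\s*[:=]\s*["\']?(?P<val>[^"\'#]+)')
PRIVATE_KEY = re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')
# Values that point at a secret store or the environment instead of embedding one
INDIRECT = re.compile(
    r'^(\$\{?[A-Z_][A-Z0-9_]*\}?|\{\{.*\}\}|vault:|os\.environ|getenv|process\.env)')


def scan(name, text):
    """Return (file, line_no, key) for each embedded credential found in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((name, no, 'PRIVATE KEY'))
            continue
        m = CRED_ASSIGN.search(line)
        if m and not INDIRECT.match(m.group('val').strip()):
            findings.append((name, no, m.group('key')))
    return findings


def scan_all(files):
    """Scan a {filename: contents} mapping; every finding still needs human triage."""
    return [f for name, text in files.items() for f in scan(name, text)]


# Constructed samples: three embed credentials, one references a store/env only.
SAMPLES = {
    'deploy.sh': 'export ORACLE_PASSWORD="Welcome1!"\n'
                 'curl -u admin:"$ORACLE_PASSWORD" https://example.invalid/api\n',
    'terraform.tfvars': 'db_password = "hunter2"\nregion = "us-ashburn-1"\n',
    'config.yml': 'db:\n  password: ${DB_PASSWORD}\n  api_key: vault:secret/app/api\n',
    'settings.py': 'SECRET_KEY = os.environ.get("SECRET_KEY")\n'
                   'API_TOKEN = "tok_constructed_123"\n',
    'key.pem': '-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n',
}

if __name__ == '__main__':
    for name, no, key in scan_all(SAMPLES):
        print(f'{name}:{no}: embedded credential in {key}')
```

Each hit is a candidate for replacement with a reference into the centralized secret manager, followed by rotation of the exposed value.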
For individual end-users, CISA suggests immediately updating any potentially affected passwords that might have been reused on other platforms, creating strong, unique passwords for each account, enabling phishing-resistant MFA, and staying alert for phishing attempts that reference login issues, password resets or suspicious activity notifications.
ON THE RECORD
"The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments," said CISA officials in the announcement.
"Threat actors routinely harvest and weaponize such credentials to escalate privileges and move laterally within networks; access cloud and identity management systems; conduct phishing, credential-based, or business email compromise campaigns; resell or exchange access to stolen credentials on criminal marketplaces [and] enrich stolen data with prior breach information for resale and/or targeted intrusion."
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.