The cybersecurity agency CISA on Wednesday issued guidance following the recent incident impacting a legacy Oracle cloud environment.
News of Oracle cloud systems getting breached emerged on March 20, when a hacker offered to sell millions of data records, including encrypted/hashed credentials, allegedly stolen from Oracle Cloud servers.
Oracle initially appeared to categorically deny that any of its systems had been compromised, but it turned out — after the hacker started leaking information and security firms assessed it as likely being genuine — that some systems were indeed breached, just not actual Oracle Cloud systems.
Oracle confirmed that some servers were indeed hacked, but pointed out that the incident impacted two obsolete servers that were never part of Oracle Cloud Infrastructure.
It is believed that the hacker managed to obtain the data from a legacy Oracle cloud environment.
“The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data,” Oracle said.
Oracle has been criticized for its response to the hack, but the hacker did admit that they were unable to immediately crack the encrypted passwords.
Nevertheless, some experts pointed out that the compromised credentials can still pose a risk to users, and CISA seems to agree.
“While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools),” the agency said. “When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed.”
CISA warned that threat actors often use compromised credentials to escalate privileges within networks, access cloud and identity management systems, and conduct phishing and other types of attacks. Threat actors can also sell or trade such data on cybercrime marketplaces.
To help mitigate potential risks, CISA has shared recommendations for both users and organizations. The advice for users includes updating exposed passwords, choosing a strong new password, protecting the account with MFA, and remaining vigilant against phishing attempts.
The list of recommendations for organizations includes a link to cloud security resources made available last year by CISA and the NSA.
In addition to resetting compromised passwords, organizations are advised to review source code and other files for hardcoded or embedded credentials, monitor authentication logs for suspicious activity, and enforce MFA for all users and administrators.
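The review of source code and other files for embedded credentials recommended above is usually done with a scanner rather than by hand. The following is an added example, not code from the article or from CISA: a small heuristic scanner over constructed sample files (a shell deploy script, a Django-style settings file and a Terraform template) that flags literal passwords, Oracle-style `user/password@host` connect strings and API tokens, skips values that are only references to environment variables or placeholders, and reports a hash fingerprint of each secret instead of the plaintext so that the same credential embedded in several places (the reuse CISA warns about) can be correlated without the report itself becoming another copy of the secret. The file contents, regexes and function names are this example's own assumptions.

```python
"""Heuristic scan of configuration and source files for embedded credentials.

Added example (not from the article or from CISA): a small scanner for the
"hardcoded or embedded credentials" review recommended above. The sample files,
the patterns and the helper names are this example's own constructions.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample inputs: file name -> file contents.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "export DB_PASSWORD='Winter2024!'\n"
        "sqlplus app_user/Winter2024!@db.example.internal:1521/ORCL @migrate.sql\n"
    ),
    "settings.py": (
        "DATABASES = {\n"
        "    'default': {'PASSWORD': os.environ['DB_PASSWORD']}\n"
        "}\n"
        'API_TOKEN = "sk_live_0123456789abcdef0123456789abcdef"\n'
    ),
    "main.tf": (
        'variable "db_password" {}\n'
        'resource "oci_database_db_system" "db" {\n'
        '  admin_password = "Tf!ngsPass99"\n'
        "}\n"
    ),
}

# Each pattern captures the candidate secret in the 'secret' group.
PATTERNS = [
    ("assignment", re.compile(
        r"(?i)\b\w*(?:password|passwd|pwd|secret|api[_-]?key|token)\b['\"]?\s*[=:]\s*"
        r"['\"]?(?P<secret>[^'\"\s]{6,})")),
    ("connect-string", re.compile(        # user/password@host, as Oracle CLI tools accept it
        r"\b[A-Za-z_][\w$]*/(?P<secret>[^@\s/]+)@[\w.\-]+")),
    ("live-token", re.compile(r"\b(?P<secret>sk_live_[0-9a-f]{32})\b")),
]

# Values that are references or placeholders, not literal secrets.
NOT_A_SECRET = re.compile(r"(?i)^(os\.environ|\$|var\.|<[^>]+>|\{\{|changeme|example)")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    fingerprint: str   # sha256 prefix of the secret, so the report never carries plaintext


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_files(files: dict) -> list:
    """Return one Finding per (file, line, secret) that looks like a literal credential."""
    findings, seen = [], set()
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    secret = m.group("secret")
                    if NOT_A_SECRET.match(secret):
                        continue      # env-var lookup or placeholder, not a literal
                    key = (path, line_no, secret)
                    if key in seen:
                        continue      # overlapping patterns hit the same literal
                    seen.add(key)
                    findings.append(Finding(path, line_no, kind, fingerprint(secret)))
    return findings


def find_reuse(findings: list) -> dict:
    """Group findings with equal fingerprints: one secret embedded in several places."""
    groups = {}
    for f in findings:
        groups.setdefault(f.fingerprint, []).append(f)
    return {fp: fs for fp, fs in groups.items() if len(fs) > 1}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line_no} {f.kind} fingerprint={f.fingerprint}")
    for fp, fs in find_reuse(found).items():
        where = ", ".join(f"{f.path}:{f.line_no}" for f in fs)
        print(f"secret {fp} reused at {where}")
```

On the constructed input the scanner flags the exported shell variable, the sqlplus connect string, the live API token and the Terraform admin password, leaves the `os.environ` lookup alone, and reports that the first two findings share a fingerprint, which is the "reused across separate systems" case in CISA's note. Regex heuristics of this kind produce false positives and miss encoded or split secrets, so in practice the hit list is a starting point for the credential reset and the log review, not a substitute for them.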