Cybersecurity

Oracle has started sending out written notifications to customers regarding the recent cybersecurity incident, but faces mounting criticism over the way it handled the disclosure of the hack. A hacker announced on a cybercrime forum on March 20 that they had hacked Oracle Cloud servers, offering to sell millions of records allegedly associated with over 140,000 tenants, including encrypted/hashed credentials.  Oracle rushed to categorically deny that there had been a breach of Oracle Cloud systems, making it appear as if it was completely denying getting hacked.  However, the hacker started leaking stolen information, which security firms assessed as likely being genuine, and some Oracle customers confirmed that their data was included in the leak. As more evidence of a data breach affecting Oracle systems came to light, Oracle started privately informing customers — reportedly through verbal notifications — that some systems were indeed breached, but pointed out that they were not Oracle Cloud systems. On April 7, more than two weeks after the hack came to light, Oracle started sending out written notifications to customers, reiterating that Oracle Cloud Infrastructure (OCI) has “NOT experienced a security breach”. “No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” reads a notification email obtained by security expert Max Solonski.  However, the notification confirmed that “a hacker did access and publish user names from two obsolete servers that were never part of OCI”.“The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data,” Oracle noted. It’s worth noting that the hacker did admit that they were unable to crack the encrypted passwords. Solonski and others have criticized Oracle for its response to this incident. Solonski pointed out that it may still be possible for someone to crack the passwords, and noted that even if the hacker only obtained usernames, that could be considered customer data. Security researcher Kevin Beaumont, who has been monitoring the incident, has also criticized Oracle, describing its notification as “an exceptionally poor response for a company that manages extremely sensitive data”. Beaumont believes the hacker may have targeted servers associated with Oracle Classic (also referred to as Gen1 servers), which is the name used for legacy cloud services. This enables Oracle to categorically deny a breach of OCI. Several other questions remain unanswered, including the method used to hack Oracle systems and the age of the compromised data.  According to some reports, Oracle systems were breached through the exploitation of an old vulnerability. As for the age of the data, Oracle has reportedly told customers that it’s old, but some reports indicated that it’s as recent as 2024 and the hacker claimed to have obtained data from 2025. 

Siemens has published nine new advisories. One advisory urges customers to replace the Sentron 7KT PAC1260 Data Manager with the newer PAC1261. The former is affected by critical vulnerabilities that can allow an attacker to access files and execute arbitrary code, but it will not receive any patches. A critical flaw has also been found in Industrial Edge. The product is affected by a weak authentication issue that “could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user”. Siemens has also notified customers about the recently disclosed IngressNightmare vulnerabilities affecting its Insights Hub Private Cloud solution. The company has also informed customers about high-severity issues patched in Sidis Prime and Solid Edge products, as well as medium-severity bugs in Siemens License Server, ICMP industrial devices, and Mendix Runtime. Schneider Electric has published two new advisories. One describes two high-severity vulnerabilities in ConneXium Network Manager, including one that can allow remote code execution and DoS attacks on engineering workstations. The second advisory covers three medium-severity flaws in Trio Q Licensed Data Radios that could lead to unauthorized access and the exposure of sensitive information. However, exploitation requires physical access. Rockwell Automation has published one advisory to inform customers about nearly a dozen local code execution vulnerabilities affecting its Arena product. Exploitation involves tricking the targeted user into opening a malicious file.  The flaws were discovered by researcher Michael Heinzl, who is often credited by vendors (including Rockwell) for reporting potentially serious vulnerabilities whose exploitation involves opening specially crafted files.   Just before Patch Tuesday, ABB published two new advisories that describe dozens of vulnerabilities found in the past years in third-party components used by its Arctic wireless gateways. Source Cybersecurityweek