Weak Cloud Security Could Be Your Organization’s Achilles Heel


The420 Web Desk

By Satnam Narang: On 21 March 2025, a threat actor, “rose87168,” was found selling 6M records exfiltrated from Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys. The threat actor gained access by hacking a login endpoint that was last updated in 2014. Additionally, the middleware server had a known and exposed critical vulnerability, CVE-2021-35587, which affected the access manager.

Initial reports of a breach surfaced after a threat actor made claims, which were later echoed by security researchers and cybersecurity firms. Additionally, CISA acknowledged public reports of possible unauthorized access to a legacy Oracle cloud environment. This attack is a stark reminder of how poor identity protection and critical vulnerabilities make organizations ripe targets for cybercriminals.


Why is security patchy in the cloud?

Cloud infrastructure has become the epicenter of major business operations. Organizations are at the highest risk due to “the toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged cloud workloads. Even a combination of one or two of these risk factors can pose serious security implications for an organization, let alone all three. This combination creates a high-risk attack path, making cloud workloads prime targets for malicious actors.

In the case of Oracle, the critical vulnerability, coupled with poor identity and access management, led to the compromise. These kinds of incidents are not isolated, as the “toxic cloud trilogy” is often overlooked. In fact, 38% of organizations have workloads with a toxic cloud trilogy. This means over one-third of organizations are highly vulnerable to cyberattacks in the cloud.

The prime culprit here is the delay in remediating high-risk vulnerabilities promptly. With so many vulnerabilities in existence, it’s hard to identify which ones to plug first. A major “drag” factor in security is that vulnerability remediation is a time-consuming task. As a result, teams often follow a batch-the-patch approach, trying to save time by waiting to fix everything at once. Although this may seem efficient, it compromises the security posture and opens the door to attacks.

The primary reason behind delayed remediation is the lack of comprehensive visibility into the entire cloud or hybrid infrastructure. This lack of visibility complicates the identification, analysis, and patching of cyber threats. Gaining a holistic view of the environment can significantly improve the speed and effectiveness of threat preparedness.


How to restore order in chaotic cloud environments?

Organizations must streamline workload monitoring, manage entitlements effectively, and build a solid security posture by bringing multiple cloud environments under one roof. This unified approach enables end-to-end visibility, strengthens tracking mechanisms, and helps to protect against security breaches.

It is equally important to foster a culture where vulnerabilities are addressed proactively. When organizations rely on multi-cloud security tools with separate configuration settings and isolated shared responsibility models, they lose visibility into the broader ecosystem. Insights become fragmented, making it difficult to connect the dots, coordinate across teams, and respond efficiently. Therefore, in order to adopt a proactive stance, organizations need a vendor-agnostic, cloud-native application protection platform (CNAPP).

A CNAPP with a strong cloud security posture management (CSPM) component will help organizations centrally harden configurations across multi-cloud environments. That’s because CNAPP platforms continuously monitor the cloud and enforce security policies in areas such as access control and data encryption. Without an automated, centralized system, you won’t have holistic and comprehensive visibility of your configurations across all your clouds, and your organization will be at heightened risk of cyberattacks.

CNAPP tools codify policies and regularly check how compliant an organization’s multi-cloud environment is. They gather in-depth audit reports, provide insights, and automate the process of fixing insecure and faulty configurations. This level of automation simplifies compliance and ensures that misconfigurations are spotted and corrected before they turn into real threats.

Whether an organization has a public Amazon EC2 instance with known exploitable vulnerabilities or misconfigured infrastructure served manually, when cloud exposures are exploited, attackers immediately target an identity. Attackers test entitlements to move laterally or escalate privileges in an attempt to access sensitive data and other resources.

A better way to secure identities is to integrate security tools like CNAPP and Cloud Infrastructure Entitlement Management (CIEM) into a single platform that delivers rich context across the attack surface. Integrated tooling enables the standardization of what “critical” truly means and a better understanding of the attack pathways that attackers can leverage to cause damage in the cloud environment. It’s also much easier to update when new threats and zero-days are discovered.

For instance, suppose an organization has 100 publicly accessible cloud workloads, but only 10 of them have critical vulnerabilities, and only five of those have both critical vulnerabilities and high privileges. This context gives security teams insight into where they should put their efforts based on what is most likely to be exploited. Too often, security teams end up trying to address all 100 public workloads because siloed tools lack the integration and identity-focused context needed to efficiently address threats. CNAPP empowers organizations to get ahead of identity-related threats and prioritize vulnerabilities that demand immediate attention.
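The prioritization described above, as an added example that is not from the article or from Tenable: a constructed inventory mirroring the article’s numbers (100 public workloads, 10 critically vulnerable, five of those also highly privileged, plus some private workloads) is tiered by how many of the three “toxic cloud trilogy” factors each workload carries. The Workload fields, the sample names and the tiering scheme are assumptions made for the example; a real CNAPP/CIEM platform would populate these attributes from exposure scans, vulnerability data and entitlement analysis.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Workload:
    """One cloud workload annotated with the three toxic-trilogy risk factors.
    Field names are assumptions for this example, not a vendor schema."""
    name: str
    public: bool           # reachable from the internet
    critical_vuln: bool    # carries a critical, exploitable vulnerability
    high_privilege: bool   # runs under a highly privileged identity or role

TRILOGY = ("public", "critical_vuln", "high_privilege")

def risk_factors(w: Workload) -> tuple[str, ...]:
    """Names of the trilogy factors present on this workload."""
    return tuple(f for f in TRILOGY if getattr(w, f))

def risk_tier(w: Workload) -> int:
    """0-3: how many of the three factors combine on one workload.
    Tier 3 is the full toxic trilogy and the first thing to remediate."""
    return len(risk_factors(w))

def prioritize(inventory: Iterable[Workload]) -> dict[int, list[Workload]]:
    """Bucket an inventory by tier so that work is ordered by combined risk,
    not by the raw count of exposed or vulnerable workloads."""
    tiers: dict[int, list[Workload]] = {3: [], 2: [], 1: [], 0: []}
    for w in inventory:
        tiers[risk_tier(w)].append(w)
    return tiers

def toxic_trilogy(inventory: Iterable[Workload]) -> list[Workload]:
    """Workloads that are public AND critically vulnerable AND highly privileged."""
    return [w for w in inventory if risk_tier(w) == 3]

def build_inventory() -> list[Workload]:
    """Constructed sample: 100 public workloads, 10 of them with a critical
    vulnerability, 5 of those also highly privileged; plus 20 private workloads
    with a mix of vulnerabilities and privileges to show the lower tiers."""
    inv = []
    for i in range(100):
        inv.append(Workload(f"web-{i:03d}", public=True,
                            critical_vuln=i < 10, high_privilege=i < 5))
    for i in range(20):
        inv.append(Workload(f"db-{i:03d}", public=False,
                            critical_vuln=(i % 4 == 0), high_privilege=(i % 2 == 0)))
    return inv

if __name__ == "__main__":
    inv = build_inventory()
    tiers = prioritize(inv)
    print(f"{len(inv)} workloads, {sum(w.public for w in inv)} public")
    for tier in (3, 2, 1, 0):
        print(f"tier {tier}: {len(tiers[tier])} workloads")
    print("remediate first:", [w.name for w in toxic_trilogy(inv)])
```

Run as a script it shows that the five tier-3 workloads are the ones to fix first; the other 95 public workloads still matter, but they do not compete for the same urgent attention, which is the point the paragraph makes about siloed tools that cannot see the combination.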

Treat the cloud as one system, not many silos

Multi-cloud integrations have become a playground for cyber attackers. The key to building a strong and secure cloud infrastructure lies in treating it as a unified system. A CNAPP lays the foundation for such an ecosystem, as it dynamically identifies risks and resolves vulnerabilities, especially those contributing to the “toxic cloud trilogy.”

As security threats grow more sophisticated by the day, organizations need a comprehensive exposure management strategy that identifies and addresses risk across every layer of the organization. It’s crucial to integrate a flexible, adaptable solution that aligns seamlessly with the organization’s broader risk posture. That alignment makes all the difference and can help avoid scenarios like the recent Oracle breach.

Satnam Narang, Senior Staff Research Engineer, Security Response, Tenable

About The Author: Satnam Narang, Senior Staff Research Engineer, Security Response, Tenable
