Cyber Threats Barometer

Highlight of the month

In late March, Oracle acknowledged to its customers that it had been the target of two separate cyberattacks, both of which led to leaks of sensitive data.
The first attack, detected on February 20, 2025, affected Oracle Health data migration servers inherited from Cerner, which Oracle acquired in 2022. These systems, which had not been migrated to Oracle Cloud Infrastructure and were believed to be inactive, still contained copies of data as part of transfer operations. According to Oracle, compromised customer credentials were used to access these servers as early as January 22. Data was then extracted to a remote infrastructure. Several US healthcare providers are affected. In France, the university hospitals in Rouen, Caen, and Amiens have been alerted.
The FBI has opened an investigation into this incident, particularly due to extortion attempts reported by some hospitals. Oracle has confirmed that the affected customers have been notified but that it will not contact patients directly.
The second attack concerns a claim made on March 20 by a malicious actor calling themselves “rose87168,” who claimed to have compromised an Oracle Cloud environment. The individual published a sample of 6 million records, including encrypted IDs, professional email addresses, usernames, and company names. This data is believed to be linked to approximately 140,000 customers. Although Oracle has not confirmed the origin or exact scope of this leak, several affected companies have acknowledged the partial authenticity of the disclosed information. At this stage, there is no certainty regarding the initial point of entry, although the exploitation of the CVE-2021-35587 vulnerability has been mentioned. An investigation has also been launched by the FBI, in coordination with cybersecurity experts, to determine the exact circumstances of the breach.
These two events, although different in nature and in intrusion vector, highlight multiple exposures affecting both operational cloud environments and legacy infrastructures. They serve as a reminder of the strategic importance of continuously monitoring and securing aging assets, which are often overlooked yet remain reachable.
[Chart: Top common vulnerabilities & exposures (%)]
[Chart: Top targeted business sectors (%)]
Definition of the month
A legacy system refers to an older application, infrastructure, or technology component that is still in production but often incompatible with modern security, maintenance, or interoperability requirements.
These systems may be based on obsolete technologies, may no longer be supported by their vendors, or may be unable to receive security patches. They are generally kept operational because of business or technical constraints, but they widen the attack surface.
[Chart: Top malware families (%)]
[Chart: Top threat categories (%)]
About the Cyber Threat Barometer
Malware, critical vulnerabilities, advanced persistent threats, particularly targeted industries, weak signals of emerging attacks… It’s no secret that knowing one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than 4000 data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.
