Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Credential Stuffing, Oracle Zero-Days, and Attacking Public Safety
This week on Cyber Scoops & Digital Shenanigans, host Mike Housch delves into the recent credential stuffing campaign targeting DraftKings users and the sophisticated exploitation of a critical Oracle E-Business Suite zero-day flaw. We also examine breaches at military radio manufacturer BK Technologies and beer giant Asahi, emphasizing how even essential and everyday businesses are prime targets for skilled threat actors.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast dedicated to tracking the latest threats, vulnerabilities, and the inevitable digital mischief happening across the globe. I'm your host, Mike Housch, and we have a packed show today covering major attacks hitting everything from sports betting apps to critical enterprise software.
We're kicking off with a deep dive into identity compromise, something that affects almost all of us who reuse passwords.
First up, one of my personal favorite sports betting sites, DraftKings, is back in the news. The company recently warned users about a credential stuffing campaign targeting their online accounts. This attack was discovered on September 2nd.
Now, it’s crucial to understand what credential stuffing is. DraftKings confirmed they have observed no evidence that the login credentials used in this attack were obtained from their systems, nor that their computer systems or networks were breached. Instead, the attackers relied on credentials stolen from non-DraftKings sources and used them to log into users' accounts—that’s classic credential stuffing.
What were the hackers able to access? Unfortunately, quite a bit of personal information. The compromised data likely includes users' names, addresses, phone numbers, and email addresses. Attackers may have temporarily logged in and accessed dates of birth, profile photos, transaction information, account balances, details on when passwords were last changed, and even the last four digits of payment cards.
However, DraftKings specifically noted they have no evidence that highly sensitive information, such as government-issued ID numbers or financial account numbers, was compromised.
This isn't the first time DraftKings has dealt with this specific digital shenanigan. Back in 2022, they disclosed a similar credential stuffing campaign that impacted approximately 68,000 user accounts. That led to the sentencing of Joseph Garrison to 18 months in prison, and the indictment of two other individuals, Nathan Austad and Kamerin Stokes.
To address this current incident, DraftKings has launched an investigation. They are requiring potentially impacted individuals to reset their account passwords and are also requiring multifactor authentication for logins to DraftKings Horse accounts. This is a great reminder, folks: use unique passwords everywhere, and turn on MFA!
Moving from betting apps to enterprise software, we have a major story concerning a long-running zero-day exploitation targeting Oracle E-Business Suite, or EBS.
It has come to light that threat actors knew about this severe vulnerability for at least two months before it was patched. The zero-day, tracked as CVE-2025-61882, carries a high CVSS score of 9.8. It specifically impacts the BI Publisher Integration component of Oracle Concurrent Processing.
The scary part? An unauthenticated attacker can exploit this flaw for remote code execution.
The initial warnings came from the Google Threat Intelligence Group and Mandiant on October 2nd, after executives at various organizations started receiving extortion emails from the notorious Cl0p cybercrime group. It’s since been confirmed that Cl0p was behind these attacks, managing to steal large volumes of data from targeted EBS instances possibly since August. CrowdStrike has been monitoring the activity and ties the exploitation, with moderate confidence, to a Russia-linked actor they track as Graceful Spider, which is known to conduct attacks using Cl0p ransomware. The earliest evidence suggests the zero-day was first exploited on August 9th.
The exploit chain itself shows a high level of sophistication. Security firm watchTowr analyzed the published proof-of-concept, which was released by hacker groups ShinyHunters and Scattered Spider (who now call themselves Scattered LAPSUS$ Hunters). watchTowr noted that the chain orchestrates at least five distinct bugs together to achieve pre-authenticated remote code execution. That demonstrates a high level of skill and effort on the part of the attackers.
And the threat isn't over. Since the PoC is now public, the cybersecurity industry expects other groups to add CVE-2025-61882 to their arsenal. Organizations running EBS need to check their systems immediately, as Censys reported seeing over 2,000 internet-exposed instances of Oracle E-Business Suite, and The Shadowserver Foundation found over 570 potentially vulnerable instances. The United States holds the highest number of these exposed EBS instances, followed by China.
Our next two stories cover data breaches involving companies critical to public service and global operations.
First, let’s talk about BK Technologies Corp. This Florida-based company provides wireless communications equipment—specifically two-way land mobile radios, repeaters, and base stations—primarily for public safety and government agencies, including police, fire, and military customers. For a company built on reliability, any cyber wobble is static they could do without.
BK Technologies detected an IT intrusion on September 20th. While they launched an investigation and took immediate action to remove the attacker, the investigation revealed that hackers accessed and stole non-public information from compromised systems. The company stated that files containing information of current and former employees may have been exfiltrated.
The good news is that they believe the attack only resulted in "minor disruptions" to non-critical systems, and their operations continued in all material respects throughout the incident. They also noted that a significant portion of the costs for containing, investigating, and remediating the incident are covered by insurance. As of now, no group has claimed responsibility for this attack.
Next, across the globe, the Qilin ransomware group has claimed responsibility for an attack that disrupted the operations of the beer giant Asahi in Japan. Asahi initially disclosed system failures that disrupted order and shipment operations, as well as call center services.
On October 6th, Asahi confirmed ransomware was used in the attack and that hackers had stolen data. Qilin subsequently added Asahi to its leak site, claiming the theft of 27 gigabytes of data. This stolen information reportedly includes over 9,000 files, encompassing contracts, employee information, financial documents, forecasts, and other business data. Asahi later confirmed the stolen data had been published on the internet.
While 27 GB might sound low compared to other Qilin claims, a data researcher noted that this quantity doesn't diminish the sensitivity of the financial and employee data involved. This incident marks the 19th confirmed attack on a food and beverage manufacturer this year. Despite the breach, Asahi has stated that its domestic subsidiaries have fully or partially resumed production, and product shipments are back on track.
We wrap up today with a look at a vulnerability that highlights the growing risks associated with AI-driven development tools.
Cybersecurity researchers recently disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server. This flaw, tracked as CVE-2025-53967, is severe, allowing attackers to achieve remote code execution, or RCE.
The root cause is a command injection bug, meaning the server was constructing and executing shell commands using unsanitized user input directly within command-line strings. This oversight introduces the possibility of shell metacharacter injection (things like pipes, redirects, and semicolons).
Imperva, the company that discovered and reported the issue in July 2025, described the flaw as a "design oversight" in a fallback mechanism. Essentially, the issue resides in the code that handles fetching content. If the standard fetch API failed, the system would attempt to execute a curl command via child_process.exec. Because the URL and header values were directly interpolated into this shell command string, a malicious actor could craft a URL or header to inject arbitrary shell commands, leading to RCE.
Why is this relevant to AI? The Framelink Figma MCP server exposes tools to perform operations in Figma using AI-powered coding agents, such as Cursor. An attacker could potentially trick the MCP client into executing unintended actions by means of an indirect prompt injection.
The vulnerability was addressed in version 0.6.3 of figma-developer-mcp, released on September 29th, 2025. The lesson here, as noted by the security firm: As AI-driven development tools accelerate adoption, security considerations must keep pace, because even tools meant to run locally can become powerful entry points for attackers.
So, whether it’s highly sophisticated zero-day exploits hitting critical infrastructure, or basic credential stuffing that succeeds due to password reuse, identity and data protection remain job number one.
That’s all the time we have for this edition of Cyber Scoops & Digital Shenanigans. Remember to patch fast, use unique passwords, and keep that MFA turned on. I’m Mike Housch, and we’ll catch you next time in the digital trenches.