By security practitioners, for security practitioners

Weekly Top 10: 10.13.2025: Ransomware Arrests Tied to Kido Education Attack; Discord Confirms 70,000 Users’ ID Photos Exposed; Azure Outage Tied to Kubernetes Crash at Microsoft Front Door, and More.

WEEKLY TOP TEN: October 13, 2025, 16:00 GMT

  1. Azure Outage Tied to Kubernetes Crash at Microsoft Front Door

    Microsoft Azure experienced a significant outage after a Kubernetes crash knocked out about 30% of Microsoft Front Door capacity, heavily impacting the Azure Portal and Microsoft Entra, primarily across EMEA. Microsoft clarified that the event was not caused by a bad deployment; recovery required restarting the underlying Kubernetes instances, and failures were also experienced on the Microsoft 365 Portal. The disruption underscores how fragile orchestrator dependencies can be and how widespread the impact is when global edge services fail. Customers relying on portal access, management APIs, and identity services reported disruptions until capacity returned and services recovered.
  2. Credential-Stuffing Campaign Hits DraftKings Accounts

    DraftKings warned customers about a recent credential-stuffing wave targeting its online accounts. Attackers leveraged reused passwords to gain access, highlighting user hygiene issues and the importance of MFA enforcement by service providers. DraftKings is notifying impacted users, monitoring for abnormal transactions, and advising immediate password changes and enabling multi-factor authentication. The incident underscores continuing abuse of breach-dumped credentials and automated tooling to monetize access rapidly across online betting and fintech platforms.
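The DraftKings item describes the classic credential-stuffing signature: automated tooling replaying breach-dumped username/password pairs, so a single source tries many distinct accounts with a high failure rate and an occasional success where a password was reused. The following is an added example, not code from the digest or from DraftKings, showing how a defender can surface that pattern in authentication logs. The log format (`timestamp user source_ip result`), the sample lines, and the thresholds are constructed assumptions for illustration.

```python
# Added example: flag credential-stuffing sources in authentication logs.
# The log format, sample lines and thresholds below are constructed
# assumptions, not DraftKings' or Novacoast's real data or tooling.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: "timestamp user source_ip result".
# 203.0.113.5 sprays six different accounts and gets one hit (dave);
# 198.51.100.7 retries one account; 192.0.2.9 is a normal login.
SAMPLE_LOGS = """\
2025-10-10T08:00:01Z alice 203.0.113.5 FAIL
2025-10-10T08:00:02Z bob 203.0.113.5 FAIL
2025-10-10T08:00:03Z carol 203.0.113.5 FAIL
2025-10-10T08:00:04Z dave 203.0.113.5 SUCCESS
2025-10-10T08:00:05Z erin 203.0.113.5 FAIL
2025-10-10T08:00:06Z frank 203.0.113.5 FAIL
2025-10-10T08:01:00Z alice 198.51.100.7 FAIL
2025-10-10T08:01:30Z alice 198.51.100.7 SUCCESS
2025-10-10T08:02:00Z grace 192.0.2.9 SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to score the stuffing pattern."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    succeeded: set = field(default_factory=set)  # accounts that logged in

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Return (timestamp, user, ip, success) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
        return None
    ts, user, ip, result = parts
    return ts, user, ip, result == "SUCCESS"


def summarize(logs: str) -> dict:
    """Aggregate attempts, failures and distinct users per source IP."""
    stats = defaultdict(SourceStats)
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines instead of crashing
        _, user, ip, ok = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_stuffing(logs: str, min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Sources that touched many distinct accounts and mostly failed.

    A single-account retry (password brute force) does not match: the
    distinguishing feature of stuffing is breadth across usernames.
    """
    return {
        ip: s for ip, s in summarize(logs).items()
        if len(s.users) >= min_users and s.fail_ratio >= min_fail_ratio
    }


def accounts_to_review(logs: str, **thresholds) -> set:
    """Accounts that a flagged source logged into: likely reused passwords."""
    flagged = detect_stuffing(logs, **thresholds)
    hits = set()
    for s in flagged.values():
        hits |= s.succeeded
    return hits


if __name__ == "__main__":
    for ip, s in detect_stuffing(SAMPLE_LOGS).items():
        print(f"{ip}: {len(s.users)} accounts, fail ratio {s.fail_ratio:.2f}, "
              f"successes {sorted(s.succeeded)}")
    print("force password reset + MFA for:", sorted(accounts_to_review(SAMPLE_LOGS)))
```

The successes from a flagged source are the accounts worth forcing a reset and MFA enrolment on, which is the same response the DraftKings notice recommends; in production the per-IP keying would be supplemented with ASN, user-agent and time-window grouping, since stuffing tools rotate proxies.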
  3. Delta Electronics DIAScreen Vulnerabilities (ICS Advisory)

    CISA released an ICS advisory for Delta Electronics DIAScreen, detailing multiple vulnerabilities (including critical issues) affecting industrial HMIs. Exploitation could allow remote code execution or device compromise in operational technology environments. Asset owners using DIAScreen should apply mitigations, limit network exposure, and monitor for abnormal traffic. The advisory provides CVE details, severity, and protective controls to reduce attack surfaces in ICS/OT networks where patch windows are constrained.
  4. Discord Confirms 70,000 Users’ ID Photos Exposed

    Discord disclosed a data breach at a customer-support vendor that exposed government ID photos for roughly 70,000 users. The company said attackers accessed stored identity verification images, prompting steps to invalidate records and notify affected individuals. While payment data wasn’t involved, the exposure of sensitive documents raises account takeover, fraud, and phishing risks. Discord is enhancing vendor oversight and security controls while law enforcement investigates. Impacted users were advised to monitor for suspicious activity and consider re-verification. The incident underscores third-party risk and the sensitivity of KYC-style artifacts retained for account support workflows.
  5. Elite US Law Firm Emails Breached via Zero-Day

    Washington firm Williams & Connolly confirmed a breach of “a handful” of attorney email accounts through a zero-day exploited by a nation-state-linked group. Working with CrowdStrike, the firm reported no evidence of database exfiltration but acknowledged the sensitivity of client matter data. The intrusion resembles broader campaigns targeting professional-services entities to harvest legal, policy, and deal intelligence. The Register ties the case to earlier warnings from Google and Mandiant about Chinese-nexus clusters exploiting multiple zero-days to infiltrate firms and conduct bulk Microsoft 365 email access and exfiltration.
  6. Fortra GoAnywhere MFT: Active Exploitation

    Microsoft reported live exploitation against Fortra’s GoAnywhere MFT, with attackers chaining flaws to exfiltrate data from organizations running the file-transfer platform. The post details observed TTPs, detections, and recommended mitigations such as credential rotation, hardening, and hunting queries.

    Fortra customers face elevated risk from initial access via vulnerable GoAnywhere endpoints and follow-on data theft. Microsoft provides guidance on recognizing common warning signs, verifying that admin accounts are secure, and evaluating the exposure of MFT instances reachable from outside the network. The write-up stresses urgency in patching and monitoring, particularly for internet-facing deployments and partners that handle sensitive transfers for multiple tenants.
  7. FBI Seizes BreachForums Portal Used in Salesforce Extortion Wave

    The FBI seized a BreachForums domain used by ShinyHunters/“Scattered LAPSUS$ Hunters” to extort dozens of Salesforce customers after widespread tenant data theft. The seizure disrupted a key pressure point for public leaks while investigations continue. Attackers had threatened to publish customer data if negotiations failed, coordinating deadlines and using the portal as a leak-site replacement. Google and Salesforce urged organizations to assume compromise, rotate credentials, and audit access tokens and third-party integrations.
  8. Rockwell Automation Stratix Switch Vulnerabilities (ICS Advisory)

    CISA released an advisory for Rockwell Automation Stratix switches, detailing high-severity flaws affecting industrial networking equipment. The notice includes affected models, CVSS scores, and defensive steps—segmentation, access control, and timely firmware updates. In environments where downtime is costly, CISA suggests compensating controls until patch cycles are complete. Asset inventories and targeted monitoring are recommended to detect exploitation attempts and lateral movement across ICS networks.
  9. Ransomware Arrests Tied to Kido Education Attack

    Authorities arrested suspects linked to the ransomware attack on Kido Education, the global nursery and preschool operator. The investigation followed service disruptions and data-theft claims during the earlier incident. The report covers the group’s tactics against Kido and law-enforcement coordination that led to arrests, illustrating how high-impact attacks on childcare providers bring operational and privacy stakes that extend to families. Kido continues to harden systems and notify impacted parties as required.
  10. Widespread SonicWall SSLVPN Compromise & Device Theft

    Huntress observed mass compromises of SonicWall SSLVPN/SMA 100 devices, including cases of stolen credentials, VPN seed data, and persistent backdoors surviving factory resets. The team outlines triage steps, artifacts to collect, and a remediation playbook—rotate all credentials (including OTP seeds), rebuild devices, and eliminate persistence. The post ties the activity to ongoing exploitation of legacy and EoL appliances and warns of re-compromise if organizations only patch without rotating credentials.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original items we determined to be most significant during the course of the week, ranked by highest risk and corroborated with multiple sources when available.
