Cybersecurity Update 18-31 October 2025
- Melissa Hathaway

United States of America
Amazon Reveals Cause of AWS Outage. On 20 October 2025, AWS experienced a significant outage, impacting online services worldwide for at least 15 hours. Major platforms were affected, including Canva, Coinbase, Disney+, Facebook, Fortnite, Lloyds Banking Group, Lyft, McDonald's, Perplexity, Reddit, Ring Doorbell, Roblox, Snapchat, United Airlines, WhatsApp, Zoom, AWS itself, and the check-in kiosks at LaGuardia Airport, highlighting AWS's central role in digital infrastructure. The issue was the result of a bug in its automation software that corrupted a DNS record in Amazon's US-East-1 region. As a result, customers were unable to connect to DynamoDB, the database service where AWS customers store their data, due to “a latent defect within the service’s automated DNS [domain name system] management system”. DynamoDB maintains hundreds of thousands of DNS records and uses automation to keep them updated so that additional capacity is added as required, hardware failures are handled, and traffic is distributed efficiently. In this case the automation left an empty DNS record for the Virginia-based US-East-1 region. The system failed to repair the record automatically, and manual operator intervention was required to correct it. At least 2,000 companies were affected by the outage. (BleepingComputer, AWS Post Mortem, Bloomberg, MSN, CNBC, The Guardian, GeekWire)
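The failure mode above is an automated DNS manager writing an empty record set with no automatic repair. The following guard is an added illustration of a defensive check for that case, not AWS's code; the function names, the sample records and the 50% drop threshold are assumptions.

```python
"""Guard for automated DNS record updates (added example, not AWS code).

Refuses any plan that would leave a service name with zero addresses, or that
drops an unusually large share of addresses in one step, and hands the plan to
an operator instead of applying it. Threshold and names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class PlanDecision:
    apply: bool
    reasons: list[str] = field(default_factory=list)  # why the plan was refused


def validate_dns_plan(current: dict[str, list[str]],
                      proposed: dict[str, list[str]],
                      max_drop_fraction: float = 0.5) -> PlanDecision:
    """Decide whether `proposed` may replace `current`.

    A name is refused if its proposed record set is empty (the outage case) or
    if the plan removes more than `max_drop_fraction` of its current addresses
    at once (hypothetical sanity limit). Deleting a name outright is refused too.
    """
    reasons: list[str] = []
    for name, addrs in proposed.items():
        if not addrs:
            reasons.append(f"{name}: plan would leave an empty record set")
            continue
        before = set(current.get(name, []))
        if before:
            dropped = len(before - set(addrs)) / len(before)
            if dropped > max_drop_fraction:
                reasons.append(f"{name}: plan drops {dropped:.0%} of addresses")
    for name in current:
        if name not in proposed:
            reasons.append(f"{name}: plan deletes the name entirely")
    return PlanDecision(apply=not reasons, reasons=reasons)


def apply_plan(current, proposed, *, operator_override=False):
    """Apply the plan, or leave `current` untouched and return the reasons so a
    human can intervene; `operator_override` is the explicit manual step."""
    decision = validate_dns_plan(current, proposed)
    if decision.apply or operator_override:
        return dict(proposed), decision
    return dict(current), decision


# Constructed sample state: one regional endpoint with three addresses.
CURRENT = {"db.example.internal": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}
GOOD_PLAN = {"db.example.internal": ["10.0.0.1", "10.0.0.2", "10.0.0.4"]}
BAD_PLAN = {"db.example.internal": []}  # the empty-record case
```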
Microsoft Releases Out-of-Band Security Update to Mitigate Windows Server Update Service (WSUS) Vulnerability. On 23 October 2025, Microsoft pushed an emergency out-of-band patch for CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Service (WSUS) on Windows Server 2012, 2016, 2019, 2022, and 2025. The prior update (14 October 2025) did not fully mitigate the issue. CISA strongly urges organizations to implement Microsoft’s guidance or risk an unauthenticated actor achieving remote code execution with system privileges. Palo Alto’s Unit 42 and Trend Micro’s Zero Day Initiative report that at least 500,000 Internet-facing servers are being exploited. Following initial access, the malicious actor (tracked as UNC6512) has been observed executing a series of commands to conduct reconnaissance on the compromised host and the associated environment. Google's Threat Intelligence Group has also observed data exfiltration from impacted hosts. (CISA.GOV, The Register, Unit 42 Analysis, Microsoft)
US Court Bars NSO Group from Targeting WhatsApp. On 17 October 2025, the United States District Court of California ordered Israeli spyware firm NSO Group to stop targeting Meta's WhatsApp. The court document stated, "[D]efendants freely acknowledge that they continue to use Whatsapp to collect users’ messages... The argument for an injunction is even stronger in this case, because there is no dispute that defendants still possess the software at issue in this litigation, as well as the source code and other data illegally acquired from Whatsapp.” The judge also deemed that the punitive damages imposed on NSO were excessive, and reduced the amount NSO owes Meta from $167 million to just $4 million. The injunction preventing NSO from targeting WhatsApp may be more unfavorable for the spyware firm than monetary damages, however; the company had previously argued that such an injunction "would put NSO’s entire enterprise at risk" and "force NSO out of business.” (US District Court Document, Reuters)
Malicious Actors Breach Kansas City National Security Campus (KCNSC). In October 2025, CSO Online published a story about how malicious actors (China and Russia) exploited SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-49704) to breach the Kansas City National Security Campus (KCNSC), which manufactures roughly 80% of the non-nuclear parts in the US's nuclear stockpile. It produces non-nuclear mechanical, electronic, and engineered material components used in US nuclear defense systems, and also provides specialized technical services, including metallurgical analysis, analytical chemistry, and environmental testing. The US National Nuclear Security Administration (NNSA) and its broader facilities were also impacted (likely because they were slow to patch). In August and September, federal responders, including personnel from the NSA, were on-site at the Kansas City facility to conduct forensic analysis and to clean up KCNSC’s networks. (CSO Online, Bleeping Computer)
Former L3Harris Executive Pleads Guilty to Selling Exploits to Russia. On 14 October 2025, the U.S. Justice Department unveiled charges, two felony counts, against Peter Williams, a former executive of Trenchant, the cyber unit of defense contractor L3Harris. The charges read, “Between on or about April 2022 and in or about June 2025, within the District of Columbia and elsewhere, the defendant, Peter Williams, a United States resident, with the intent to convert a trade secret, that is related to and included in a product that is produced for, and placed in, interstate and foreign commerce, to the economic benefit of someone other than the owner of the trade secret, and intending and knowing that the offense will injure any owner of that trade secret, did knowingly steal, and without authorization, appropriate, take, carry away, conceal, and by fraud, artifice and deception, obtain such information, to wit, seven trade secrets.” The buyer was in Russia. Mr. Williams is a citizen of Australia and formerly worked for the Australian Signals Directorate (ASD) in the 2010s. An eighth trade secret was sold between June and 6 August 2025. Unfortunately, Williams was working on exploits for Apple’s software, which may have been part of the sale. On 29 October 2025, Mr. Williams pleaded guilty to stealing trade secrets to sell to a buyer in Russia. He will be sentenced in January 2026. (District Court Document, TechCrunch, Bloomberg, CyberScoop, Reuters, ABCNet)
Warrant Issued to ChatGPT. On 24 September 2025, the District Court of Maine authorized a search warrant to support the search and seizure of property of a resident in Northern California. OpenAI complied with the warrant. The affidavit describes a long-running child exploitation investigation into multiple dark web sites hosting child sex abuse material (CSAM), whose administrator the government sought to identify. As the affidavit describes, an agent from Homeland Security Investigations (HSI) had been chatting undercover with the admin, who described to the agent his ChatGPT usage, including specific prompts and partial or full responses. Based on that information, the government sought and obtained a warrant to OpenAI for “various kinds of information on the person who entered the prompts, including details of other conversations they’d had with ChatGPT, names and addresses associated with the relevant accounts, as well as any payment data.” The affidavit includes two “unique, specific” prompts and the “unique responses” that ChatGPT generated. The case shows how law enforcement officials can use ChatGPT prompts to gather data on users suspected of criminal activity. This led to the arrest of the individual. (US District Court of Maine, Forbes, TechCrunch, CyberLaw, Arrest Information, Warrant)
International Items of Interest
China Accuses the US of Hacking its National Time Center. On 19 October 2025, China's Ministry of State Security (MSS) accused the US National Security Agency (NSA) of hacking the National Time Service Center (NTSC), a public institute responsible for maintaining standard time in China. The NTSC "provides high-precision time services for sectors such as national communications, finance, electric power, transportation, surveying and mapping, and national defense.” China's CERT published a technical analysis of the incident. It concluded that between August 2023 and June 2024, NSA had deployed 42 different operations against multiple internal network systems of the time service center. These were primarily designed to maintain long-term access, build covert communication channels, and extract sensitive data from target systems. NSA also attempted lateral penetration into the High-Accurate Ground-based Time Service System, pre-positioning the capabilities to disable and sabotage the system. An NSA official said in a statement, "NSA does not confirm nor deny allegations in the media regarding its operations. Our core focus is countering foreign malign activities persistently targeting American interests, and we will continue to defend against adversaries wishing to threaten us.” (The Record, Associated Press, Weixin, Global Times, CERT-CN Analysis)
Chatbots Are Pushing Sanctioned Russian Propaganda. In a recent report published by the Institute of Strategic Dialogue (ISD), researchers claim that Russian propaganda has targeted and exploited data voids, where searches for real-time data return few results from legitimate sources, to promote false and misleading information. Almost one-fifth of responses to questions about Russia’s war in Ukraine across the four chatbots (ChatGPT, Gemini, DeepSeek, and Grok) cited Russian state-attributed sources. The findings raise questions about the ability of large language models (LLMs) to restrict sanctioned media. According to the report, around 18% of responses across all 300 prompts, the languages tested (e.g., English, French, German, Italian, and Spanish) and the four LLMs returned results linked to state-funded Russian media, sites “linked to” Russia’s intelligence agencies, or disinformation networks. (Wired, Data Void Report)
The United Nations Signed a Cybercrime Treaty. On 25 October 2025, 72 countries signed the United Nations Convention Against Cybercrime. The convention, which will take effect after it is ratified by 40 nations, is expected to streamline international cooperation against cybercrime. The convention targets a broad spectrum of offenses, from phishing and ransomware to online trafficking and hate speech, the U.N. has said, citing estimates that cybercrime costs the global economy trillions of dollars each year. The U.N. Office on Drugs and Crime (UNODC), which led the treaty negotiations, said the agreement includes provisions to protect human rights and promote legitimate research activities. (Reuters, CybersecurityDive, UN Convention Against Cyber Crime)
Jaguar Land Rover Ransomware Attack Is Costliest in UK History. On 31 August 2025, Jaguar Land Rover (JLR) suffered a cyber attack that severely disrupted vehicle production in the UK, China, India, and Slovakia as well as new car sales. The ransomware gang, Scattered Spider, took credit for the incident. It is the costliest cyberattack in UK history. The incident will cost approximately £1.9 billion (US$2.5 billion) and affected at least 5,000 businesses across the supply chain. Experts estimate that JLR will need at least until January 2026 to fully recover its operations. (BBC)
North Korea’s Operation DreamJob Targets European Defense Companies. In October 2025, ESET researchers uncovered a fresh wave of Operation DreamJob, a long-running campaign linked to North Korea’s Lazarus Group, this time targeting European defense firms developing drone technology. The malicious actor used fake job offers to trick victims into opening malware-laced PDF readers that deployed a remote access Trojan, giving the attackers full system control. They successfully penetrated three defense firms. The attackers' primary goal was likely the theft of proprietary information and manufacturing know-how. The three targeted organizations manufacture different types of military equipment (or parts thereof), many of which are currently deployed in Ukraine as a result of European countries’ military assistance. More generally, these entities are involved in the production of types of materiel that North Korea also manufactures domestically, and for which it might be hoping to perfect its own designs and processes. (InfoSecMagazine, WeLiveSecurity, 38th North)
North Korean Malicious EtherHiding. On 16 October 2025, Google Threat Intelligence Group (GTIG) published a blog reporting that it has observed the North Korean (DPRK) threat actor UNC5342 (aka Famous Chollima) using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain like BNB Smart Chain or Ethereum. This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control (C2) server. North Korea's social engineering campaign is a sophisticated and ongoing cyber espionage and financially motivated operation that cleverly exploits the job application and interview process. This campaign targets developers, particularly in the cryptocurrency and technology sectors, to steal sensitive data and cryptocurrency and to gain persistent access to corporate networks. (HackerNews, Google Threat Intelligence)
North Korea Continues to Target Cryptocurrency. On 28 October 2025, Kaspersky published a blog outlining how North Korea’s hackers are using advanced AI tools to scan codebases, identify vulnerabilities, and replicate successful exploits across multiple blockchains within minutes. BlueNoroff, also known by aliases including Sapphire Sleet, APT38, and Alluring Pisces, continues to evolve its attack tactics while maintaining its primary focus on financial gain. BlueNoroff approaches Web3 developers and tricks them into downloading and executing a GitHub repository containing malware under the guise of a skill assessment during a recruitment process. (Kaspersky, CoinDesk, GB Hackers)
Cyberattack on Russia’s Food Safety Agency Disrupts Product Shipments. On 22 October 2025, the state agency Rosselkhoznadzor said it was targeted by a large-scale distributed denial-of-service (DDoS) attack that affected its online infrastructure, including “VetIS” and “Saturn”, systems that track the movement of agricultural products and chemicals. According to reports from the Russian trade outlet Shopper’s, the disruption caused serious delays in food deliveries after the electronic veterinary certification platform Mercury, part of VetIS, became unavailable. Two major dairy producers and a baby food manufacturer told Shopper’s that they were unable to ship products for several hours. The business disruption lasted most of the day, and the lack of an emergency procedure allowing shipments without digital paperwork led to financial losses. The organization was not fully operational as of 24 October 2025. This is reportedly the fourth attack on Mercury this year. (TheRecord, Shoppers Media)
UK Announces First Renewable-powered Sovereign Cloud. On 23 October 2025, Argyll Data Development (“Argyll”) announced a strategic partnership with SambaNova, a next-gen AI infrastructure leader, to deliver the UK’s first renewable-powered AI inference cloud. The site, located on Scotland’s Cowal Peninsula, will be powered by wind, wave and solar energy and occupy a 184-acre campus. It will deploy SambaNova’s air-cooled SN40L systems, in which each rack draws roughly one-tenth the power of traditional GPU systems, eliminating the need for liquid cooling, the company said. “Together with SambaNova and our strategic partners, we’re building a sovereign AI infrastructure powered by renewable energy, demonstrating that sustainability and scale can go hand in hand. Our goal isn’t just to make AI greener, but to make it competitive, compliant and cost-effective,” said Peter Griffiths, executive chairman at Argyll. (ITPro, SambaNova Press Release)
Swedish Power Grid Operator Discloses Breach. On 25 October 2025, Svenska kraftnät disclosed that it was the victim of a cyber breach. The company operates Sweden’s electricity transmission system. The Russian ransomware syndicate Everest claimed responsibility and posted the company’s data on the gang’s dark web leak site. It is threatening to leak at least 280 GB of data unless the company pays the ransom. The attack did not disrupt any critical systems and hasn't affected the company's ability to supply power. (SVK Press Release, CyberNews, The Record, Security Week)
Hundreds Flee Bombed Myanmar Scam Compound. In late October 2025, the Myanmar military began conducting a series of military operations and bombing campaigns against the KK Park cybercrime compound, driving more than 1,500 people from 28 countries into the Thai border town of Mae Sot. Most of these people are victims of human trafficking and forced labor, pressured to carry out online scams under threat of violence. Many of the individuals come from India, China, the Philippines, Vietnam, Ethiopia, and Kenya. Authorities in Thailand are working to process the victims and repatriate them to their home countries. KK Park is well known for its involvement in transnational cyber scams. The compound and others nearby are run primarily by Chinese criminal gangs and guarded by local militia groups aligned to Myanmar's military. (AP, Reuters, Reuters)