ZeroFox Daily Intelligence Brief - October 20, 2025

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Amazon Web Services Addresses Outage and Issues Initial Mitigation
  • FTC Shuts Down “Tax Relief” Firm for Running Sophisticated Impersonation Scam
  • Russian Hackers Leak Secret RAF and Navy Base Files in UK MoD Contractor Breach

Amazon Web Services Addresses Outage and Issues Initial Mitigation

Source: https://health.aws.amazon.com/health/status

What we know: Amazon Web Services (AWS) has zeroed in on the potential root cause of a major outage that disrupted hundreds of services across the internet. At the time of reporting, AWS has applied initial mitigations and confirmed that there are “significant signs of recovery.”

Context: The issue reportedly stemmed from DNS resolution problems affecting AWS’s DynamoDB API in the US-EAST-1 region. The affected services reportedly ranged from online banking and gaming to smart-home devices.

Analyst note: Outages in third-party services can often disrupt the operations of dependent companies, including providers of critical services such as banks. However, AWS’s prompt response to the issue will enable impacted companies to put workarounds in place until the issue is completely resolved.

FTC Shuts Down “Tax Relief” Firm for Running Sophisticated Impersonation Scam

Source: https://www.ftc.gov/news-events/news/press-releases/2025/10/ftc-nevada-sue-tax-debt-relief-scammers-falsely-impersonating-government

What we know: The Federal Trade Commission (FTC) has halted American Tax Service (ATS) and its operators for running a fake tax relief scheme that impersonated government agencies, promised false settlements, and defrauded consumers of millions.

Context: Since 2019, ATS has allegedly been using forged IRS-style letters, false claims of investigations, and aggressive telemarketing to push victims into paying for services that were never delivered.

Analyst note: Taking on the disguise of a legitimate tax firm and mimicking IRS communications enabled an operation that was difficult for consumers of tax services to detect. The victims targeted in the scam not only suffered financial losses, but are also likely to face damaged credit and psychological impacts, which can persist for months.

Russian Hackers Leak Secret RAF and Navy Base Files in UK MoD Contractor Breach

Source: https://databreaches.net/2025/10/19/uk-catastrophic-attack-as-russians-hack-files-on-eight-mod-bases-and-post-them-on-the-dark-web/

What we know: Russian hackers have breached a UK Ministry of Defence (MoD) contractor, stealing hundreds of sensitive military documents. The stolen data, now leaked on the dark web, includes details of eight Royal Air Force (RAF) and Royal Navy bases.

Context: The attackers, believed to be from the Russian group Lynx, were able to bypass the MoD’s cyber defences by targeting a third-party contractor. Among the compromised sites is RAF Lakenheath, the base of the U.S. F-35 jets.

Analyst note: Leaked base layouts and staff information are likely to be used in hostile state intelligence gathering, physical targeting, or cyber reconnaissance. The suspected link to the Lynx group suggests a ransomware attempt, with the data likely stolen to pressure the MoD or sold as part of a double-extortion scheme.

DEEP AND DARK WEB INTELLIGENCE

Verisure's Swedish partner breached: A breach at Verisure’s Swedish brand Alert Alarm exposed names, addresses, emails, and social security numbers of about 35,000 current and former customers. The company reports no compromise of its own systems. The threat actors behind this breach are likely to use the exposed details in further cyber crimes, like impersonation, social engineering, and identity theft. The impacted customers are also likely to include high-profile households, including those of celebrities, politicians, and journalists, who could be lucrative targets for social engineering scams.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-11492 and CVE-2025-11493: ConnectWise has released a security update for its Automate platform to fix flaws that could enable attackers to intercept or alter agent communications in certain on-prem setups. The latest patch enforces HTTPS and TLS 1.2. Adversaries are likely to exploit such vulnerabilities for network-based manipulation or to deliver malicious updates.

Affected products: ConnectWise Automate versions prior to 2025.9
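The fix described above comes down to two transport properties a defender can audit on any agent-to-server channel: the endpoint is reached over HTTPS only, and the TLS client refuses anything below TLS 1.2 while verifying the server certificate and hostname. The following is an added example, not ConnectWise code and not a description of how Automate configures its agents; it shows a weak client configuration beside a hardened one and an audit routine that flags the weaknesses. The hostname used is a constructed placeholder.

```python
import ssl
from urllib.parse import urlparse


def build_agent_tls_context() -> ssl.SSLContext:
    """Hardened client context (hypothetical): TLS 1.2+, CA chain and hostname verified."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    return ctx


def build_weak_tls_context() -> ssl.SSLContext:
    """Constructed weak configuration for contrast: no certificate or hostname checks,
    and whatever legacy protocol version the local OpenSSL still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_agent_transport(endpoint_url: str, ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the transport meets the
    'HTTPS only, TLS 1.2 or newer, certificate verified' bar."""
    findings = []
    scheme = urlparse(endpoint_url).scheme.lower()
    if scheme != "https":
        findings.append(f"endpoint scheme is {scheme!r}, not https (traffic can be read or altered in transit)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (any valid certificate would be accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2 (downgrade to legacy TLS possible)")
    return findings


if __name__ == "__main__":
    # Constructed placeholder endpoint; no connection is made.
    url = "https://automate.example.invalid/agent"
    print("hardened:", audit_agent_transport(url, build_agent_tls_context()))
    print("weak:", audit_agent_transport(url.replace("https", "http", 1), build_weak_tls_context()))
```

No network connection is made; the audit inspects the client configuration only, which is the part an operator controls on the agent side. Anything that reports a finding here is a candidate for the kind of interception-or-tampering exposure the advisory describes, regardless of the product involved.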

Tags: DIB, TLP:GREEN