
The day the cloud got foggy.
An AWS outage sparks speculation. An F5 exposure and breach raise patching and supply-chain concerns. Salt Typhoon breaches a European telecom via a NetScaler flaw. A judge bans NSO Group from WhatsApp. China alleges “irrefutable evidence” of NSA hacking. ConnectWise patches adversary-in-the-middle risks. A Dolby decoder flaw enables zero-click remote code execution on Android. A Cyber M&A and funding surge signals a busy consolidation cycle. Our guest is Jeff Collins, CEO of WanAware, sharing how hospital consolidations are reshaping IT asset visibility and what it takes to close these gaps. One man’s quest to make AI art legit.
Today is Monday, October 20th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
An AWS outage sparks speculation.
A widespread Amazon Web Services outage disrupted major apps worldwide, fueling attack rumors that sources say lack evidence.
Amazon’s status page reported increased error rates and latency in the US-EAST-1 region, cascading across services like Snapchat, Robinhood, Roblox, and Fortnite. Downdetector logged thousands of reports in the United States, Canada, and Europe. AWS said engineers were mitigating the issue and services were gradually recovering Monday morning.
It is noteworthy that a single cloud region’s failure can interrupt trading, communications, and gaming at scale. Security teams should stress test multi-region failover and vendor resilience. The speculation shows how routine outages can trigger geopolitical anxiety, so clear, timely incident communication remains essential.
An F5 exposure and breach raise patching and supply-chain concerns.
The Shadowserver Foundation found over 262,000 F5 BIG-IP systems exposed online, while F5 disclosed a nation-state breach with stolen BIG-IP source code.
Over 130,000 exposed systems are in the United States. Patch status remains unclear. F5 says attackers accessed BIG-IP development and engineering systems in August 2025. The company reports containment, no tampering with source code or supply chain, and limited customer configuration data stolen. F5 is notifying clients, filed a Form 8-K, and delayed disclosure at the U.S. government’s request. F5 privately links the activity to China-nexus group UNC5221 and warns about the Brickstorm backdoor.
Broad exposure plus uncertain patching increases exploitation risk. NCSC and CISA urge customers to locate F5 assets, secure management interfaces, assess for compromise, and apply current updates.
Salt Typhoon breaches a European telecom via a NetScaler flaw.
China-based group Salt Typhoon is exploiting a Citrix NetScaler Gateway flaw to infiltrate a European telecom, Darktrace reports.
In July 2025 attackers moved from the gateway to Citrix Virtual Delivery Agent hosts. Attackers hid behind SoftEther VPN infrastructure. They deployed SNAPPYBEE, also called Deed RAT, via dynamic link library (DLL) sideloading with antivirus executables from Norton, Bkav, and IObit. Command and control used HTTP and unidentified TCP, with Internet Explorer headers observed.
The case underscores persistent, stealthy tradecraft that blends into trusted software. It highlights the need for anomaly-based detection and proactive defense across critical sectors. Organizations should harden exposed appliances and monitor lateral movement from remote access gateways.
A judge bans NSO Group from WhatsApp.
A federal judge barred NSO Group from targeting WhatsApp and cut Meta’s jury award to just over $4 million.
U.S. District Judge Phyllis Hamilton found evidence Pegasus spyware could still infiltrate WhatsApp, granted a permanent injunction, and capped punitive damages at 9 to 1. Meta’s 2019 suit alleged violations of the Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, plus terms of service. The injunction covers WhatsApp only.
Hamilton wrote that NSO continued trying to bypass WhatsApp’s security, and that unauthorized access harms users’ informational privacy. This matters because the order blocks data collection and addresses zero-click techniques, while signaling consequences for commercial spyware targeting encrypted communications.
China alleges “irrefutable evidence” of NSA hacking.
China accused the U.S. NSA of hacking its National Time Service Center, citing “irrefutable evidence” and a detailed timeline.
The Ministry of State Security said NSA exploited mobile phone vulnerabilities of center employees since March 25, 2022, and used stolen credentials from April 18, 2023, to access computers. Private servers masked origins. The Xi’an facility supports high-precision time services and international time calculation.
The claims point to risks for critical infrastructure that supports government, civil society, and industry. They also come amid escalating U.S.-China tensions and mutual cyber accusations. Defenders should review protections for time sources and monitor for credential abuse and mobile exploitation.
ConnectWise patches adversary-in-the-middle risks.
ConnectWise has patched two adversary-in-the-middle flaws, urging on-prem customers to update and enforce TLS 1.2.
CVE-2025-11492 (CVSS 9.6) exposed cleartext transmissions. CVE-2025-11493 (8.8) lacked integrity checks on downloads. Agents configured for HTTP or weak encryption risked intercepted communications or malicious update replacement. The patch enforces HTTPS for all agent traffic.
The vulnerabilities meant local network attackers could view, modify, and tamper with Automate operations. Patch immediately and validate secure configurations.
A Dolby decoder flaw enables zero-click remote code execution on Android.
A Dolby Unified Decoder flaw, CVE-2025-54957, enables remote code execution, including zero-click exploitation on Android, researchers from Google report.
The decoder processes Dolby Digital Plus, AC-4, and other formats. Project Zero found an out-of-bounds write triggered by evolution data handling. Integer wrap causes an undersized buffer and a bounds check failure, enabling overwrite of struct members, including a pointer used on a following syncframe. Audio messages can trigger the flaw.
Android decodes audio automatically, enabling zero-click code execution in the mediacodec context. Microsoft addressed the issue in October updates with user interaction required on Windows, and Google included patches in ChromeOS releases.
A Cyber M&A and funding surge signals a busy consolidation cycle.
On today’s Business roundup, cyber dealmaking accelerated across spyware, managed security, email, and identity, as NSO confirmed a sale and major roll-ups advanced.
NSO said a US investment group acquired the firm for tens of millions, while keeping Israeli regulatory and operational control. Calcalist reported a Robert Simonds-led investor group, not confirmed by NSO. LevelBlue agreed to acquire Cybereason, adding SoftBank Corp., SoftBank Vision Fund 2, and Liberty Strategic Capital as LevelBlue investors, and aligning with prior Trustwave and Stroz Friedberg deals. Kaseya acquired INKY, which remains standalone and joins Kaseya 365 User. Pentera bought DevOcean to extend from adversarial testing to remediation. French MSSP Nomios acquired Intragen, targeting €75 million EBITDA and €650 million revenue in 2026.
Capital flowed to core security segments: Resistant AI raised $25 million Series B. Pantherun secured $12 million Series A. Authentic8 obtained $12 million in debt financing. Sitehop raised £7.5 million. Arcjet announced $8.3 million Series A. Mind The Hack closed €2.8 million seed. Nymiz raised €2 million. Talion secured £2 million. HyperBunker raised €800,000. The pattern points to bundling XDR, MDR, DFIR, email security, and IAM at scale.
One man’s quest to make AI art legit.
Jason Allen is still fighting to prove that a robot-assisted masterpiece can, in fact, belong to its human co-pilot.
In 2022, Allen stunned — and infuriated — the art world by winning the Colorado State Fair’s Fine Arts Competition with an image spun up by Midjourney, the then-new AI art generator. Since then, he’s spent three years in legal limbo, trying to convince the U.S. Copyright Office that his digital muse didn’t steal his thunder. In August, he filed yet another brief, hoping to claim authorship over Théâtre D’opéra Spatial — and, conveniently, to sell limited-edition oil-print “elegraphs” of it that promise the gravitas of a 19th-century masterwork, minus the hand cramps.
Allen insists the creative act lies in the hundreds of prompts he typed to coax the machine into beauty. Whether the courts will agree is anyone’s guess. Whether it’s art or algorithm, Allen’s work has definitely sparked some creative debate.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
