The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
AWS outage exposed the risk of cloud dependency
- What? The outage in the US-EAST-1 region (Northern Virginia), one of AWS’s oldest and largest cloud regions, affected many SaaS platforms, including Zoom, Snapchat, Fortnite, Duolingo, Canva, Signal, and Amazon’s own services, such as Alexa and Prime.
- How? It occurred due to a component failure (DNS resolution on a DynamoDB API endpoint) with cascading dependencies. AWS hasn’t released a post-mortem detailing the incident, but they have confirmed it wasn’t due to a malicious event (e.g., a cyber attack). It is possible that the debilitating outage was caused by a configuration error or an update to a critical subsystem, which could imply human error (akin to CrowdStrike).
- How much? The consensus is that this outage cost AWS $75M per hour of downtime. This doesn’t factor in what some businesses (AWS customers) lost due to being unable to generate revenue that depends on AWS infrastructure.
Assured’s CISO reacts:
We’ve all lived in hope that AWS will never fail. This recent outage brings to light the blind faith we have in AWS, GCP, Azure, and the SaaS applications we depend upon. Key services with time-criticality to our business or customers should trigger the following considerations:
- Are our own apps and data in cloud infra, deployed with multi-region failover? If serving multiple jurisdictions, it is common for different regions to provide resiliency for one another.
- Going even further, are our apps and data deployed to multi-cloud (or can they be from back up) so GCP can provide the platform if AWS were to fail (or vice versa)?
- Is the SaaS we consume built with multi-region resilience? We usually ask which region it runs in from a GDPR/DPA18 compliance lens, but we should also ask which other regions it can fail over to.
- We may have backups of the data and app configurations, but can we actually use or deploy them if the entire enterprise app were to fail? For example, we might hold Salesforce data, but we need somewhere to deploy it if Salesforce.com isn’t available. In this example, HubSpot can’t ingest a Salesforce backup, so find a solution that keeps the business running.
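The multi-region failover the considerations above call for is, at the application level, an ordered list of regions plus a rule for when to stop trying a region that has failed. The following is an added example (not code from the briefing or from AWS) of that pattern as a client-side wrapper: a time-critical call is attempted in the primary region, a region whose endpoint fails is marked as tripped for a cooldown period, and the call moves to the next region. The region list, the cooldown and the `demo_endpoint` stand-in (in which us-east-1 is unreachable) are all assumptions.

```python
"""Regional failover wrapper (added example; not the briefing's or AWS's code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set, Tuple
import time

# Assumed failover order: primary first, then the regions that replicate its data.
REGIONS: List[str] = ["us-east-1", "eu-west-1", "eu-west-2"]


class RegionUnavailable(Exception):
    """Raised by the wrapped call when a region's endpoint cannot serve the request."""


@dataclass
class FailoverClient:
    regions: List[str]
    call: Callable[[str, Dict[str, Any]], Any]     # the SDK/HTTP call being wrapped
    cooldown_s: float = 60.0                       # how long a failed region is skipped
    tripped_at: Dict[str, float] = field(default_factory=dict)  # region -> time of last failure

    def _usable(self, region: str, now: float) -> bool:
        # A tripped region is skipped until its cooldown elapses, so a flapping
        # primary does not add a full timeout to every request.
        failed = self.tripped_at.get(region)
        return failed is None or (now - failed) >= self.cooldown_s

    def invoke(self, request: Dict[str, Any], now: Optional[float] = None) -> Tuple[str, Any]:
        """Return (region_used, response); raise RuntimeError if every region fails."""
        now = time.monotonic() if now is None else now
        errors: Dict[str, str] = {}
        for region in self.regions:
            if not self._usable(region, now):
                errors[region] = "skipped (tripped)"
                continue
            try:
                response = self.call(region, request)
            except RegionUnavailable as exc:
                self.tripped_at[region] = now
                errors[region] = str(exc)
                continue
            self.tripped_at.pop(region, None)      # region answered: clear its trip
            return region, response
        raise RuntimeError(f"all regions failed: {errors}")


def make_demo_endpoint(down: Set[str]) -> Callable[[str, Dict[str, Any]], Dict[str, Any]]:
    """Constructed stand-in for the wrapped call: regions in `down` fail to resolve."""
    def demo_endpoint(region: str, request: Dict[str, Any]) -> Dict[str, Any]:
        if region in down:
            raise RegionUnavailable(f"dynamodb.{region}: name resolution failed")
        return {"region": region, "item": request.get("key"), "status": "ok"}
    return demo_endpoint


def run_demo() -> List[str]:
    """Three calls at t=0, t=10 and t=70 seconds; returns the region that served each."""
    down = {"us-east-1"}                                  # primary is out
    client = FailoverClient(REGIONS, make_demo_endpoint(down), cooldown_s=60.0)
    served = []
    _, r1 = client.invoke({"key": "order-1"}, now=0.0)    # us-east-1 fails, eu-west-1 serves
    served.append(r1["region"])
    region2, _ = client.invoke({"key": "order-2"}, now=10.0)  # us-east-1 still tripped, skipped
    served.append(region2)
    down.clear()                                          # primary recovers
    region3, _ = client.invoke({"key": "order-3"}, now=70.0)  # cooldown elapsed, primary retried
    served.append(region3)
    return served


if __name__ == "__main__":
    print(run_demo())
```

The wrapper only buys anything if the data the call needs already exists in the secondary region (for DynamoDB, that means global tables or an equivalent replication), which is the point of the data and backup questions above: failover of the compute path without the data is not resilience.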
 
MoD investigates contractor ransomware incident that exposes sensitive information
The Dodd Group, a maintenance and construction contractor for the UK Ministry of Defence, has been hit by a ransomware attack and data breach. The Lynx ransomware group—believed to be a rebranded version of INC Ransomware—claimed responsibility, asserting it stole 4TB of data. Leaked samples posted on the dark web reportedly include sensitive information about UK military assets, raising concerns about potential national security implications.
Assured’s CISO reacts:
This is another example of the dangers of placing sensitive data with a supplier. We know that Lynx was the ransomware group behind the attack, so we’ve looked into how to protect against their most common TTPs, including:
- Deletes shadow copies and disables snapshotting on both Windows and Linux/ESXi.
- Encrypts files with AES-128 in CTR mode plus Curve25519, appends the .LYNX extension to encrypted files, and uses restorable encryption APIs.
- Enumerates file shares, mounts hidden volumes, and accesses network drives to find and encrypt as much data as possible.
1: T1078.004 – Valid Accounts: Cloud Accounts
Mitigation: M1030 – Use Strong Authentication
Platform: Intune
Implementation (Intune):
- Require devices to be Azure AD joined and compliant using a custom compliance policy:
  - CSP: ./Device/Vendor/MSFT/Policy/Config/Identity/RequireDeviceAzureADJoined = true
  - CSP: ./Device/Vendor/MSFT/Policy/Config/Identity/RequireDeviceCompliant = true
- Apply Conditional Access to require MFA + compliant device for all vendor accounts:
  - Risk: Medium & High
  - Grant: Require MFA, Require a compliant device
  - Session: Re-auth every 12 hrs

2: T1543.003 – Create or Modify System Process: Windows Service
Mitigation: M1042 – Control Application Access
Platform: GPO
Implementation (GPO):
- Restrict login rights for vendor accounts:
  - Deny log on through RDP = ThirdPartyServiceAcct
- Disable elevation visibility:
  - Enumerate admin accounts on elevation = Disabled
- Enable command-line auditing:
  - Audit Process Creation > Include command line = Enabled

3: T1021.002 – Remote Services: SMB/Windows Admin Shares
Mitigation: M1026 – Audit Network Share Access
Platform: Intune
Implementation (Intune):
- Enable audit policies using OMA-URI:
  - ./Device/Vendor/MSFT/Policy/Config/WindowsEventLogging/EnableAuditObjectAccess = 1
  - ./Device/Vendor/MSFT/Policy/Config/WindowsEventLogging/AuditDetailedFileShareAccess = 1
- Enable ASR rule in Endpoint Security:
  - Rule: “Audit access to network shares by untrusted processes”
- Trigger an alert on share access by vendor accounts outside business hours.

4: T1490 – Inhibit System Recovery
Mitigation: M1023 – Restrict System Access to Essential Systems
Platform: GPO
Implementation (GPO):
- Limit the Shadow Copy service:
  - Volume Shadow Copy service → Startup: Manual or Disabled
  - Run under a restricted service account, not LocalSystem
- Lock down the VSS folder:
  - Remove inheritance on C:\System Volume Information
  - Permit only SYSTEM and Administrators

5: T1570 – Lateral Tool Transfer
Mitigation: M1049 – Minimize Lateral Movement
Platform: Intune
Implementation (Intune):
- Use AppLocker in Intune via OMA-URI to deny vendor tools:
  - OMA-URI: ./Device/Vendor/MSFT/AppLocker/ExecutableRules/Policy
  - Deny execution in C:\Users\ThirdPartyVendor\Tools\*
- Device restrictions:
  - “Private network sharing” = Not allowed
  - “Prohibit access to removable storage” = Yes
  - “Prohibit cross-domain connectivity” = Yes

6: T1486 – Data Encrypted for Impact
Mitigation: M1018 – Data Backup and Recovery
Platform: GPO
Implementation (GPO):
- Enable audit for VSS deletion:
  - Advanced Audit Policy > Object Access > Audit File System = Success, Failure
  - Set a SACL on snapshot directories for Audit: Delete → Fail
- Prevent backup deletion:
  - Windows Components > Windows Backup > Prevent deletion of backups = Enabled
- Create a Scheduled Task (hourly) that records the current shadow copies to a log, so that a snapshot disappearing between runs is visible:
  - # Win32_ShadowCopy is the WMI class that exposes existing VSS snapshots
  - Get-CimInstance -ClassName Win32_ShadowCopy | Format-List | Out-File "C:\Logs\VSSList.log" -Append
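Two of the controls above end in a detection rather than a setting: item 3 wants an alert on share access by vendor accounts outside business hours, and items 2, 4 and 6 together produce the telemetry (command-line auditing, file-system auditing, the hourly VSS listing) needed to spot shadow copies being removed. The following is an added example (not the briefing's or any vendor's code) of both detections run over constructed Windows Security events: 5145 (detailed file share access, which the item 3 audit policy enables) and 4688 (process creation with command line). The vendor-account naming convention, the business-hours window, the tamper patterns and the sample events are all assumptions; the `ThirdPartyServiceAcct` name is taken from item 2.

```python
"""Detection logic for items 3 and 2/4/6 above (added example; constructed events)."""
from datetime import datetime, time
import re
from typing import Dict, List

VENDOR_ACCOUNT = re.compile(r"^(thirdparty|vendor)", re.IGNORECASE)   # assumed naming convention
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)                 # assumed Mon-Fri window

# Command lines that delete or shrink VSS snapshots or the backup catalog (T1490).
SHADOW_COPY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.IGNORECASE),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed weekday window."""
    if ts.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def vendor_share_access_alerts(events: List[Dict]) -> List[Dict]:
    """Item 3: 5145 events from vendor accounts outside business hours."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5145:
            continue
        user = ev.get("SubjectUserName", "")
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if VENDOR_ACCOUNT.match(user) and outside_business_hours(ts):
            alerts.append({"rule": "vendor_share_access_out_of_hours", "user": user,
                           "share": ev.get("ShareName"), "source": ev.get("IpAddress"),
                           "time": ev["TimeCreated"]})
    return alerts


def shadow_copy_tamper_alerts(events: List[Dict]) -> List[Dict]:
    """Items 2/4/6: 4688 events whose command line matches a VSS/backup tamper pattern."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in SHADOW_COPY_TAMPER):
            alerts.append({"rule": "shadow_copy_tamper", "user": ev.get("SubjectUserName"),
                           "command": cmd, "time": ev["TimeCreated"]})
    return alerts


# Constructed sample events (not real logs). 2025-10-26 is a Sunday, 2025-10-27 a Monday.
SAMPLE_EVENTS = [
    {"EventID": 5145, "TimeCreated": "2025-10-26T02:15:00", "SubjectUserName": "ThirdPartyServiceAcct",
     "ShareName": r"\\*\Finance$", "IpAddress": "10.20.30.40"},          # vendor, Sunday 02:15 -> alert
    {"EventID": 5145, "TimeCreated": "2025-10-27T10:05:00", "SubjectUserName": "ThirdPartyServiceAcct",
     "ShareName": r"\\*\Maintenance", "IpAddress": "10.20.30.40"},       # vendor, in hours -> no alert
    {"EventID": 5145, "TimeCreated": "2025-10-27T22:40:00", "SubjectUserName": "jsmith",
     "ShareName": r"\\*\Finance$", "IpAddress": "10.20.30.50"},          # not a vendor account -> no alert
    {"EventID": 4688, "TimeCreated": "2025-10-26T02:17:00", "SubjectUserName": "ThirdPartyServiceAcct",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},          # -> alert
    {"EventID": 4688, "TimeCreated": "2025-10-26T02:18:00", "SubjectUserName": "ThirdPartyServiceAcct",
     "CommandLine": "powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},  # -> alert
    {"EventID": 4688, "TimeCreated": "2025-10-27T09:00:00", "SubjectUserName": "SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},   # benign -> no alert
    {"EventID": 4688, "TimeCreated": "2025-10-27T09:00:00", "SubjectUserName": "SYSTEM",
     "CommandLine": r'powershell.exe Get-CimInstance -ClassName Win32_ShadowCopy | Out-File "C:\Logs\VSSList.log" -Append'},  # item 6 listing task -> no alert
]


def run_detections(events: List[Dict] = SAMPLE_EVENTS) -> List[Dict]:
    """Run both rules and return the combined alert list."""
    return vendor_share_access_alerts(events) + shadow_copy_tamper_alerts(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The last sample event matters: the hourly listing task from item 6 mentions `Win32_ShadowCopy` but never calls `Delete`, so the tamper rule stays quiet for your own telemetry while still catching the WMI deletion route. In production the events would come from the Security log (or the SIEM ingesting it), the vendor pattern would be replaced by a group membership lookup, and the 5145 rule would be tuned per share, since `AuditDetailedFileShareAccess` is verbose.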