Cybersecurity News: Jingle Thief exploit, Lazarus targets jobseekers, the 72 hour workweek

In today’s cybersecurity news…

Jingle Thief hackers steal millions in gift cards by exploiting cloud infrastructure

Researchers at Palo Alto Networks Unit 42 are warning of this group that is specifically targeting cloud environments associated with retail and consumer services organizations. They describe the group as “using phishing and smishing techniques to steal credentials in order to compromise organizations that issue gift cards,” likely for resale on gray markets. The activity has been tentatively attributed to the groups Atlas Lion and Storm-0539. The Jingle Thief group is considered somewhat dangerous since it “maintains footholds within compromised organizations for extended periods…conducting extensive reconnaissance to map the cloud environment, moving laterally across the cloud, and taking steps to sidestep detection.”

(The Hacker News)

Lazarus hackers targeted European defense companies

The North Korean Lazarus group compromised three European defense sector companies in late March of this year, in a campaign named Operation DreamJob which used fake recruitment lures. The targeted companies are involved in the development of unmanned aerial vehicle (UAV) technology. This is a typical technique for Lazarus, in which their agents pose as recruiters and approach employees at an organization of interest with job offers for a high-profile role. ESET, which made the discovery, has not yet elaborated on the success of this campaign.

(BleepingComputer)

Deep Tech work culture pushes for 72 hour workweeks

The pace and intensity of development and growth in tech sectors responsible for AI, semiconductors and quantum computing has resulted in many companies eyeing an extended work culture to keep up. An article in Wired describes the spread of the 996 work culture, already established in China, in which employees are expected to work 9 am to 9 pm, six days a week, thus creating a 72-hour work week. As the article states, “many startups in the U.S. are asking prospective employees if they are willing to commit, and to get the job, the answer needs to be an unequivocal yes.” A link to the article is available in the show notes to this episode.

(Wired)

Microsoft offers Copilot for Exchange Server

Microsoft is now asking admins if they would like the AI assistant on-prem. In a ten-question form posted on its techcommunity blog, it asks, “Would your organization be comfortable enabling Copilot for Exchange Server if it requires sending some Exchange Server data to the cloud?” Despite many admins likely having concerns with Exchange Server data being sent to Microsoft’s cloud, the survey seeks to find out which capabilities, such as summarizing emails or monitoring Exchange Server health, would be useful, and which requirements are non-negotiable, “such as regulatory compliance, data boundary assurances, admin-defined restrictions, and complete internet disconnection.”

(The Register)

Huge thanks to our sponsor, ThreatLocker

Imagine having the power to decide exactly what runs in your IT environment — and blocking everything else by default. That’s what ThreatLocker delivers. As a zero-trust endpoint protection platform, ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don’t just react to threats — stop them with ThreatLocker.

A DNS race condition brought AWS to a crawl last Monday

Following up on Monday’s AWS outage, Amazon has now released a report on the day-long outage. At the time we reported that the cause was a DNS failure in AWS’s critical US-East-1 region. The cause of that DNS failure has now been revealed as “a race condition in DynamoDB’s automated DNS management system that left an empty DNS record for the service’s regional endpoint.” This was triggered, the company says, “by a latent defect within the service’s automated DNS management system.” As described in The Register, “the DropletWorkflow Manager (DWFM), which maintains leases for physical servers hosting EC2 instances, depends on DynamoDB. When DNS failures caused DWFM state checks to fail, droplets – the EC2 servers – couldn’t establish new leases for instance state changes.” Amazon has apologized for the incident.

(The Register)

Researchers warn of surge in high-level Smishing Triad activity

Researchers from Palo Alto Networks’ Unit 42 have uncovered a massive, Chinese-managed phishing campaign called Smishing Triad, involving thousands of cybercriminals and nearly 195,000 malicious domains since January 2024. The decentralized operation primarily uses text messages to lure victims into revealing sensitive data such as national IDs, financial details, and login credentials. Over two-thirds of the domains were registered through Hong Kong-based Dominet (HK) Limited, with most hosted on U.S., Chinese, and Singaporean servers. The fake sites impersonate trusted organizations across industries like finance, healthcare, e-commerce, and law enforcement, making the campaign one of the most widespread smishing operations to date.

(Cyberscoop)

Cyber incidents in Texas, Tennessee, Indiana, and Pennsylvania impact critical government services

In the ongoing series of attacks on regional governments, three more got added to the list this week. Kaufman County, a suburb outside of Dallas, was one of multiple municipalities across the U.S. this week to report cyber incidents affecting public services. It announced a cyberattack that was discovered on Monday, taking down several county systems including the county courthouse, though the Sheriff’s Office and emergency services were not impacted. On Friday, the Tennessee city of La Vergne took some of its city offices offline, and they have remained closed since the cyberattack was discovered. Indiana’s Dekalb (de-capp) County and the library system of Chester County, Pennsylvania, both reported outages and cyberattacks in the last month as well.

(The Record)

UK cyber law delays ‘deeply concerning,’ say MPs

The British government’s opposition party said this past week it was “deeply concerning” that the government had still not introduced new cybersecurity laws to Parliament, warning that gaps in legislation are “fuelling even greater threats against the country.” Describing the progress as operating at a “glacial pace,” members of Parliament are proposing the little-used Ten Minute Rule Motion “to call for an overhaul of how the U.K. handles ransomware attacks.” This rule is generally used for campaigning on an issue rather than introducing new laws, but on the heels of the attacks on Marks & Spencer, the Co-op, Harrods and Jaguar Land Rover, faster methods are being pushed for.

(The Record)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.