Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Friday, October 24, 2025. I'm Steve Prentice.
Jingle Thief hackers steal millions in gift cards by exploiting cloud infrastructure. Researchers at Palo Alto Networks Unit 42 are warning of this group that is specifically targeting cloud environments associated with retail and consumer services organizations. They describe the group as using phishing and smishing techniques to steal credentials in order to compromise organizations that issue gift cards, and this is likely for resale on grey markets. The activity has been tentatively attributed to the groups Atlas Lion and Storm-0539. The Jingle Thief group is considered somewhat dangerous since it maintains footholds within compromised organizations for extended periods, up to a year, conducting extensive reconnaissance to map the cloud environment, moving laterally across the cloud and taking steps to sidestep detection.
Lazarus hackers target European defense companies. The North Korean Lazarus group compromised three European defense sector companies in late March of this year in a campaign named Operation Dream Job, which once again used fake recruitment lures. The targeted companies are involved in the development of unmanned aerial vehicle technology. This headhunting approach is a typical technique for Lazarus, in which their agents pose as recruiters and approach employees at organizations of interest with job offers for a high-profile role. ESET, which made the discovery, has not yet elaborated on the success of this particular campaign.
Deep tech work culture pushes for 72-hour work weeks. The pace and intensity of development and growth in tech sectors responsible for AI, semiconductors and quantum computing has resulted in many companies eyeing an extended work culture to keep up.
An article in Wired describes the spread of the 996 work culture already established in China, in which employees are expected to work 9am to 9pm six days a week, thus creating a 72-hour workweek. As the article says, many startups in the US are asking prospective employees if they are willing to commit to the 996 approach, and to get the job, the answer needs to be an unequivocal yes. A link to this article is available in the show notes to this episode.
Microsoft offers Copilot for Exchange Server. Microsoft is now asking admins if they would like the AI assistant on-prem. In a 10-question form posted on its Tech Community blog, it asks, would your organization be comfortable enabling Copilot for Exchange Server if it requires sending some Exchange Server data to the cloud? Despite many admins likely having concerns with Exchange Server data being sent to Microsoft's cloud, the survey seeks to find out what capabilities, such as summarizing emails or monitoring Exchange Server health, would be useful, and what requirements are non-negotiable, such as regulatory compliance, data boundary assurances, admin-defined restrictions and complete Internet disconnection. End quote.
Huge thanks to our sponsor, ThreatLocker. Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default. That's what ThreatLocker delivers as a zero trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don't just react to threats, stop them with ThreatLocker.
DNS race condition brought AWS to a crawl last Monday. Following up on Monday's AWS outage, Amazon has now released a report on the day-long incident. At the time, we reported that the cause was a DNS failure in AWS's critical US East 1 region.
The cause of that DNS failure has now been revealed as a race condition in DynamoDB's automated DNS management system that left an empty DNS record for the service's regional endpoint. This was triggered, the company says, by a latent defect within the service's automated DNS management system. As described in The Register, the Droplet Workflow Manager, which maintains leases for physical servers hosting EC2 instances, depends on DynamoDB. When DNS failures caused the Droplet Workflow Manager state checks to fail, droplets, the EC2 servers, couldn't establish new leases for instance state changes, end quote. Amazon has apologized for the incident.
Researchers warn of surge in high-level Smishing Triad activity. Researchers from Palo Alto Networks Unit 42 have uncovered a massive Chinese-managed phishing campaign called Smishing Triad involving thousands of cybercriminals and nearly 195,000 malicious domains operating since January 2024. The decentralized operation primarily uses text messages to lure victims into revealing sensitive data such as national IDs, financial details and login credentials. Over two thirds of the domains were registered through Hong Kong-based Dominet Limited, with most hosted on US, Chinese and Singaporean servers. The fake sites impersonate trusted organizations across industries like finance, healthcare, e-commerce and law enforcement, making the campaign one of the most widespread smishing operations to date.
Cyber incidents in Texas, Tennessee, Indiana and Pennsylvania impact critical government services. In the ongoing series of attacks on regional governments, four more got added to the list this week. Kaufman County, a suburb outside of Dallas, announced a cyber attack that was discovered on Monday, taking down several county systems, including the county courthouse, but not the sheriff's office or emergency services.
On Friday, the Tennessee city of La Vergne suffered a cyber attack. Indiana's DeKalb County and the library system of Chester County, Pennsylvania also reported outages and cyber attacks in this last month.
UK cyber law delays deeply concerning, say MPs. The British government's opposition party said this past week that it was deeply concerning that the government had still not introduced new cybersecurity laws to Parliament, warning that gaps in legislation are fueling even greater threats against the country. End quote. Describing the process as operating at a glacial pace, Members of Parliament are proposing the little-used 10-minute rule motion to call for an overhaul of how the UK handles ransomware attacks, end quote. This rule is generally used when campaigning on an issue rather than introducing new laws. But on the heels of the attacks on Marks and Spencer, the Co-op, Harrods and Jaguar Land Rover, faster methods are being pushed for.
If you are going to be in New York City in early November, you need to join us for a CISO Series podcast recording. We'll be recording at Faircon 25 on November 5th at the beautiful Glass House on 12th Avenue. The conference is stacked with everything you'd ever want to know about cyber risk management. If you want to join us for the show and the podcast recording, we've got a promo code to save you 75% off registration. Just head to the events page at cisoseries.com to register.
And we have some exciting news. We are launching a brand new show this Monday, October 27th, called the Department of Know, that is K N O W. We'll be live at 4:00pm Eastern Time, bringing together two cybersecurity leaders to help you start out your week in cybersecurity. If you want to know what cybersecurity news from the past week you need to integrate into your next team meeting, you've got to come to the show. It streams live at 4pm every Monday on our YouTube channel, so block out the time on your calendar.
Really subscribe to the CISO Series YouTube channel and join us Monday, October 27th at 4pm for the debut of the Department of Know. Just as a note, this new Department of Know will be replacing our Friday Week in Review show in our lineup. Our last episode is happening today, 3:30pm. Join us for the last Week in Review show later today, 3:30pm Eastern. Sign up same place, the events page at cisoseries.com.
And finally, if you have some thoughts on the news from today or about the show in general, please please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice, reporting for the CISO Series.
