Cybersecurity Weekly: DNS flaw, Natura data leak, ZLoader banking malware

May 26, 2020 by Sam Fay

A new DNS vulnerability lets attackers launch large-scale DDoS attacks. Cosmetic brand Natura exposes personal details of its users. The ZLoader banking malware has been deployed in over 100 campaigns. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. New DNS vulnerability lets attackers launch large-scale DDoS attacks

Cybersecurity researchers disclosed details about a new flaw affecting the DNS protocol that can be exploited to launch amplified, large-scale DDoS attacks to take down targeted websites. Called NXNSAttack, the flaw abuses the DNS delegation mechanism to force recursive resolvers to generate many more DNS queries to authoritative servers of the attacker’s choice.


2. Cosmetic brand Natura exposes personal details of its users

Brazil’s biggest cosmetics company, Natura, accidentally left hundreds of gigabytes of its customers’ personal and payment-related information accessible online that could have been accessed by anyone without authentication. Security researchers found over 1.5 terabytes of data in a public-facing database.


3. ZLoader banking malware deployed in over 100 campaigns

A banking malware called ZLoader, last seen in early 2018, has been spotted in more than 100 email campaigns since the beginning of the year. The trojan is under active development with 25 versions seen in the wild since its comeback in December 2019, with the latest observed this month. The malicious email campaigns target users with COVID-19 topics and invoices.


4. Police arrest hacker who tried selling billions of stolen records

Ukrainian police arrested a hacker who made headlines in January 2019 by posting a massive database containing 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums. In an official statement, police identified the hacker by his screen name Sanix.


5. Mathway investigates data breach after 25 million records sold on dark web

Earlier this month, a cyber intelligence firm tracked a potential data breach of Mathway after a purported database was being sold in private sales. This week, a data breach seller known as Shiny Hunters began to publicly sell an alleged Mathway database on a dark web marketplace for $4,000.


6. Bluetooth flaw exposes devices to BIAS attacks

A team of security researchers uncovered a new vulnerability in the Bluetooth wireless communication protocol that exposes a wide range of devices, such as smartphones, laptops and smart-home devices, to Bluetooth Impersonation AttackS (BIAS). Any standard-compliant Bluetooth device can be expected to be vulnerable.


7. Hackers tried to use Sophos zero-day to deploy ransomware

Hackers tried to exploit a zero-day in the Sophos XG firewall to distribute ransomware to Windows machines but were blocked by a hotfix. At the end of April, attackers used a zero-day SQL injection vulnerability in Sophos XG firewalls that leads to remote code execution. Attackers used this vulnerability to install various ELF binaries and scripts.


8. Silent Night banking trojan charges top dollar on the underground

A descendant of the infamous Zeus banking trojan, dubbed Silent Night, has emerged on the scene with a host of functionalities offered in a pricey malware-as-a-service model. Custom builds can cost as much as $4,000 per month to use, which places the code out of reach of all but large cybercriminal groups.


9. Supreme Court phish targets Office 365 credentials

A highly targeted phishing attack pretends to deliver subpoenas but actually collects victims’ Office 365 credentials. The ongoing campaign has hit several C-suite-level victims so far. The phishing emails spoof the U.S. Supreme Court, relying on scare tactics to convince targets to click an embedded link.


10. Ragnar Locker ransomware uses virtual machines for evasion

The Ragnar Locker ransomware has been deploying a full virtual machine to evade detection. The cybercriminals behind Ragnar Locker use various exploits or target Remote Desktop Protocol connections to compromise networks and steal data prior to deploying the ransomware.
