Cyber Security Headlines – February 17, 2021

Security bugs left unpatched in Android app with one billion downloads

The security vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices. According to Trend Micro, the bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, including running custom code, overwriting the app’s local files, or installing third-party apps without the user’s knowledge in ways that would be difficult for users to detect or defend against. Trend Micro disclosed its research publicly yesterday three months after reporting the vulnerability to the app vendor, who has yet to respond.

(ZDNet)

LastPass will restrict free users to only one type of device starting next month

Starting on March 16, 2021, the popular password manager app will restrict its free service to only one device type, meaning those who sign up will be required to pick between their computer or their smartphone. For current free users, the first device type they log in to after March 16 will set their active type. They will have three chances to pick between device types before the choice is locked in. After that, they – and everyone else – will need to sign up for LastPass Premium to access the service on any additional platforms.

(9to5Google)

North Korea accused of hacking Pfizer for Covid-19 vaccine data

South Korea’s National Intelligence Agency privately briefed lawmakers about the alleged attack, according to local news agency Yonhap. North Korea has yet to report a single case of coronavirus, yet it is due to receive two million doses of the AstraZeneca-Oxford vaccine in the coming weeks. In November, Microsoft said at least nine health organizations including Pfizer had been targeted by state-backed organizations in North Korea and Russia, and that while many of the break-in attempts failed, some had been successful.

(BBC News)

Misconfigured baby monitors allow unauthorized viewing

Potentially hundreds of thousands of live devices have been affected by a misconfiguration of the Real-Time Streaming Protocol (RTSP), meaning no authentication is needed for unknown parties to connect, allowing images of children in their own bedrooms or in daycare centers to be streamed to the internet. According to the SafetyDetectives cybersecurity team, in addition to video being redirected to the internet, the affected devices include IP webcams that are repackaged as baby monitors. It is vital, they said, to ensure that any video baby monitor or other RTSP device be password protected.

(ThreatPost)
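The check SafetyDetectives is asking for comes down to one question: does the device answer an RTSP DESCRIBE request without credentials? The following Python script is an added example, not code from the article or from SafetyDetectives' research. It sends a single unauthenticated DESCRIBE (RFC 2326) to a monitor on your own network and classifies the reply as exposed (200 OK), password protected (401 with a WWW-Authenticate challenge) or something else. The host, port and path arguments are placeholders, and the sample responses at the bottom are constructed so the classifier can be exercised offline.

```python
"""Audit whether an RTSP endpoint serves its stream without authentication.

Added example (not from the article). Host/port/path values are assumptions;
the SAMPLE_* responses are constructed, not captured from any real device.
"""
import socket


def build_describe(path: str, host: str, port: int, cseq: int = 1) -> bytes:
    """Build an RTSP DESCRIBE request carrying no Authorization header."""
    url = f"rtsp://{host}:{port}{path}"
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-audit\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(raw: bytes) -> str:
    """Classify a raw RTSP reply to an unauthenticated DESCRIBE.

    'open'      - 200 OK: the stream description is handed out to anyone
    'protected' - 401 Unauthorized with a WWW-Authenticate challenge
    'other'     - any other status code (404, 454, 5xx, ...)
    'malformed' - not an RTSP/1.x response at all
    """
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii", errors="replace").split("\r\n")
        version, status, *_ = lines[0].split(" ", 2)
    except ValueError:
        return "malformed"          # status line too short to parse
    if not version.startswith("RTSP/1."):
        return "malformed"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == "200":
        return "open"
    if status == "401" and "www-authenticate" in headers:
        return "protected"
    return "other"


def audit_rtsp(host: str, port: int = 554, path: str = "/", timeout: float = 5.0) -> str:
    """Send one unauthenticated DESCRIBE to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(path, host, port))
        chunks = []
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if b"\r\n\r\n" in b"".join(chunks):
                break               # headers complete; the SDP body is not needed
    return classify_response(b"".join(chunks))


# Constructed sample replies for offline use (not captured from a real device).
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 12\r\n\r\nv=0\r\no=- 0 0\r\n"
)
SAMPLE_PROTECTED = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="abc123"\r\n\r\n'
)
SAMPLE_NOTFOUND = b"RTSP/1.0 404 Not Found\r\nCSeq: 1\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("open", SAMPLE_OPEN), ("protected", SAMPLE_PROTECTED),
                          ("not found", SAMPLE_NOTFOUND)]:
        print(f"{label:10s} -> {classify_response(sample)}")
    # Against a live device on your network (placeholder address):
    # print(audit_rtsp("192.0.2.10", 554, "/live"))
```

A verdict of `open` means the device describes its stream to any client that can reach port 554, which is exactly the exposure the article describes; the fix on the device side is to enable the monitor's RTSP username and password and re-run the audit until it reports `protected`.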

Thanks to our episode sponsor, Kenna Security

In just one hour, learn how to prioritize your riskiest vulnerabilities and lower your cyber risk through Kenna Katalyst, the newest on-demand educational series from Kenna Security designed to kickstart your risk-based vulnerability management program and equip you with expert tips you can implement today. Backed by (ISC)², participants can earn 1 CPE credit. Start now at kennasecurity.com/katalyst.

Microsoft pulls Windows servicing stack

Microsoft has pulled a problematic Windows update to its servicing stack – the component used by the OS to correctly receive and install updates – after it blocked Windows 10 and Windows Server customers from installing the security updates released during this month's Patch Tuesday. Customers observed the bug when installation halted as they tried to install the February 9 security updates on systems running Windows Server 2016 and all editions of Windows 10, version 1607. The stack in question is labelled KB4601392. A manual uninstall followed by a reboot should allow the updated KB5001078 to take its place.

(Bleeping Computer)

TikTok targeted in Europe over ‘misleading’ privacy practices and ‘ambiguous’ terms

The complaints address TikTok’s “unclear” and “ambiguous” terms of service, its alleged failure to protect children and teenagers from hidden advertising and harmful content, and its “misleading” privacy practices. Watchdogs also say TikTok is breaking the EU’s GDPR, because it doesn’t clearly tell its users which personal data it is collecting and why. A more novel complaint involved its virtual gift system, in which users can purchase coins used to buy gifts, and over which TikTok claims an absolute right to modify the exchange rate between the coins and the gifts, potentially skewing the financial transaction in its own favor.

(Fortune)

Cybercrooks rake in the cash in romance scams

Romance scams remain the most successful fraud strategy for cybercrooks, and represent a growing sector, according to the Federal Trade Commission. Last year, they accounted for a record $304 million raked into illicit coffers, up about 50 percent from 2019. They have flourished during the COVID-19 pandemic, thanks to more people turning to virtual ways of connecting, and using social media and online dating apps more. In addition to standard requests for money, some of these scammers are using their victims to launder money, by sending them amounts of cash and then asking for it back by claiming an emergency such as a health problem or sudden job loss.

(ThreatPost)

FBI issues warning about TeamViewer and Windows 7

In the aftermath of the Oldsmar incident, where an unidentified attacker gained access to a water treatment plant’s network and modified chemical dosages to dangerous levels, the FBI sent out an alert yesterday, drawing attention to three security issues that have been seen on the plant’s network following last week’s hack. The FBI specifically names TeamViewer as a desktop sharing software to watch out for after the app was confirmed as the attacker’s entry point into the Oldsmar water treatment plant’s network. The FBI alert also warned about the continued use of Windows 7, an operating system that reached its end-of-life last year. It had issued this same warning a year ago.

(ZDNet)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.