Security Snacks #12 – SolarWinds authentication bypass, Corellium win for hackers & 2020 security retrospective

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

This is it! The first day of a hopefully “normal” year. Security-wise, this has been a relatively slow week. Though cybercrime never stops and we continue hearing of new Solorigate developments, the Internet seems to have embraced a slower pace to bid 2020 farewell. So, what better time to reflect on the past year’s unforeseen events and what may come next?

Here is a roundup of our favorite retrospective articles and predictions on various cybersecurity topics (threats, breaches, ransomware, Work From Home, etc.).

Good reading and happy new year! 🎊

2020 Retrospective

2021 Cybersecurity Predictions

Notable Security News

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

Researchers uncovered this new vulnerability in SolarWinds Orion. Simply by adding a parameter to an API request, attackers can bypass authentication and obtain remote code execution. Because the vulnerability is critical and is being exploited in the wild, CISA is urging US government agencies to update Orion systems or take them offline.

Microsoft’s investigations revealed that some of their source code repositories were accessed by attackers. The impact was limited, as the attackers could only read the code and not modify it, and Microsoft plans its security with an “assume breach” philosophy.

The SolarWinds attackers’ goal is also known now. According to Microsoft, it was to leverage the Solorigate (aka Sunburst) backdoor to compromise victims’ cloud infrastructure.

Interesting resources for defenders include this Timeline of the Supply-Chain Attack, the Solorigate Resource Center by Microsoft and the SolarWinds Security Advisory, which are regularly updated as new technical information emerges.

Vietnam targeted in complex supply chain attack

Vietnam is also suffering a supply chain attack. ESET discovered that attackers backdoored a toolkit distributed by the Vietnam Government Certification Authority (VGCA). Any private company or government agency that wants to submit files to the Vietnamese government has to sign them digitally, which makes the compromise of this toolkit an opportunity for APT groups.

Corellium notches partial victory in Apple iOS copyright case

A judge ruled in favor of Corellium in the case that had ethical hackers worried for a while. Corellium’s software helps hackers find vulnerabilities in Apple products, but Apple accused them of violating copyright law. The court rejected this claim, a big win for security researchers. However, legal proceedings around Apple’s second claim, that Corellium circumvented their DRM unlawfully, will continue in 2021.

Other Interesting News

Cybercrime

Vulnerabilities

Reports

Responsible disclosure

Tech

Misc.