Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.

Click here to subscribe

This is it! The first day of a hopefully “normal” year. Security-wise, this has been a relatively slow week. Though cybercrime never stops and we continue hearing of new Solorigate developments, the Internet seems to have embraced a slower pace to bid 2020 farewell. So, what better time to reflect on the past year’s unforeseen events and what may come next?

Here is a roundup of our favorite retrospective articles and predictions, on various cybersecurity topics (threats, breaches, ransomware, Work From Home, etc).

Good reading and happy new year! 🎊

2020 Retrospective

• Swig Security Review 2020 – Part I & Part II

• 20 years of cyberthreats that shaped information security

• 2020 had its share of memorable hacks and breaches. Here are the top 10

• Ransomware in 2020: A Banner Year for Extortion

• 2020 Work-from-Home Shift: What We Learned

• Fines against banks for data breaches and noncompliance more than doubled in 2020

2021 Cybersecurity Predictions

• The Best Cybersecurity Predictions For 2021 Roundup

• 2021 threat predictions: Bad actors that honed their craft with COVID are ready to go big

• A Global Reset: Cyber Security Predictions 2021

Notable Security News

CVE-2020-10148 SolarWinds Orion API authentication bypass and RCE

Researchers uncovered this new vulnerability in SolarWinds Orion. Simply by adding a parameter to an API request, attackers can bypass authentication and obtain remote code execution. As this is critical and is exploited in the wild, CISA is urging US government agencies to update Orion systems or take them offline.

Microsoft’s investigations revealed that some of their source code repositories were accessed by attackers. The impact was limited as they could only read and not modify it, and Microsoft plans security with an “assume breach” philosophy.

The SolarWinds attackers’ goal is also known now. According to Microsoft, it was leveraging the Solorigate (aka Sunburst) backdoor to compromise victims’ cloud infrastructure.

Interesting resources for defenders include this Timeline of the Supply-Chain Attack, Solorigate Resource Center by Microsoft and SolarWinds Security Advisory that are regularly updated as new technical information emerges.

Vietnam targeted in complex supply chain attack

Vietnam is also suffering a supply chain attack. ESET discovered that attackers backdoored a toolkit distributed by the Vietnam Government Certification Authority (VGCA). Any private companies and government agencies that want to submit files to the Vietnamese government have to sign them digitally, which makes the compromise of this toolkit an opportunity for APT groups.

Corellium notches partial victory in Apple iOS copyright case

A judge ruled in favor of Corellium in the case that had ethical hackers worried for a while. Corellium’s software helps hackers find vulnerabilities in Apple products, but Apple accused them of violating copyright law. The court rejected this claim, a big win for security researchers. However legal proceeding around Apple’s second claim, that Corellium circumvented their DRM unlawfully, will continue in 2021.

Other Interesting News

Cybercrime

• Citrix confirms ongoing DDoS attack impacting NetScaler ADCs

• FBI: Recent Swatting Attacks Targeting Residents With Camera and Voice-Capable Smart Devices

• Multi-platform card skimmer found on Shopify, BigCommerce stores

• Kawasaki Heavy Industries reports data breach as attackers found with year-long network access

• The Russian cryptocurrency exchange Livecoin hacked on Christmas Eve

• Finland says hackers accessed MPs’ emails accounts

Vulnerabilities

• Cross-layer attacks: New hacking technique raises DNS cache poisoning, user tracking risk

Reports

• Rapid7 Labs’ 2020 Naughty List Summary Report to Santa

• Research: nearly all of your messaging apps are secure

• Code42 Data Exposure Report: COVID-19 Creates Perfect Storm for Insider Risk Growth, Organizations Unprepared to Protect Data

Responsible disclosure

• Hacker earns $2 million in bug bounties on HackerOne

• Third edition of US Army bug bounty program prepared for deployment

Tech

• CISA releases Azure, Microsoft 365 malicious activity detection tool

• Latest web hacking tools – Q4 2020

• Why AI is so power-hungry

Misc.

• 6 Questions Attackers Ask Before Choosing an Asset to Exploit

• GoDaddy apologized for insensitive phishing email sent to its employees offering a fake bonus

• Tickemaster pays $10M fine to settle charges of using stolen passwords to spy on rival company

• Into The Breach: How Data Is Driving The New U.S.-China Cold War

• NSO used real people’s location data to pitch its contact-tracing tech, researchers say

• From Antivirus to Zero-day exploit: 20 cybersecurity terms you need to know