Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-06-14 to 2022-06-20.
In a new paper the Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86 is described. Hertzbleed is a new family of side-channel attacks: frequency side channels. At the heart of the issue stands dynamic voltage and frequency scaling (DVFS) in certain x86 CPUs. Based on this setting a bit’s position in a word can be distinguished through frequency changes. The research team showcased the extraction of a constant-time algorithm over the wire. The latter was based on a chosen-ciphertext attack (CCA) attack. Also, in an unoptimized szenario it can take 36 and 89 hours to fully recover a key, depending on the utilized library. Mitigations by Intel and AMD are not planned.
Qi Anxin Threat Intelligence Center analyzed samples were installed mainly in South Asia and have over 1k installs. Especially the concealment of the C2 address in the installation link parameters seems interesting.
In 2020 Tencent Onion Anti-Intrusion System detected the upload of the typo-squatting package request, which tries to impersonate the legitimate requests package. Even though the package was removed some mirrors did not delete the malicious package. Now, in 2022 multiple developers seem to have made the honest mistake of a typo