This post covers 2022-06-14 to 2022-06-20.
Vulnerabilities
Hertzbleed
A new paper, Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86, describes a new family of side-channel attacks: frequency side channels. At the heart of the issue is dynamic voltage and frequency scaling (DVFS) in certain x86 CPUs. With DVFS in play, a bit's position in a word can be distinguished through frequency changes. The research team showcased key extraction from a constant-time implementation over the wire, based on a chosen-ciphertext attack (CCA). In an unoptimized scenario it can take 36 or 89 hours to fully recover a key, depending on the library used. Mitigations by Intel and AMD are not planned.
News
Android Malware by APT-Q-39/SideWinder in Google Play
Qi Anxin Threat Intelligence Center analyzed samples that were installed mainly in South Asia and have over 1k installs. The concealment of the C2 address in the installation link parameters seems especially interesting.
Malicious Dependency in multiple PyPI packages
In 2020, Tencent Onion Anti-Intrusion System detected the upload of the typo-squatting package request, which tries to impersonate the legitimate requests package. Even though the package was removed, some mirrors did not delete the malicious package. Now, in 2022, multiple developers seem to have made the honest mistake of a typo
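
As an added example (not code from the reports summarized here), the following check flags requirement names that sit one edit away from a dependency you intended, which is how request slips in for requests. The allowlist `KNOWN_GOOD` and the sample requirements text are constructed assumptions.

```python
import re

# Assumption: the packages this project actually intends to depend on.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "python-dateutil"}

# Constructed sample requirements file; "request" is the typo discussed above.
SAMPLE_REQUIREMENTS = """\
# web client
request
urllib3>=1.26,<2
Python_Dateutil[extra] ; python_version >= "3.8"
-r other.txt
nunpy
"""

def normalize(name):
    """PEP 503 normalization: lowercase, runs of - _ . become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(text):
    """Yield (line_number, normalized_name) for each plain requirement line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blanks, comments, pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield lineno, normalize(m.group(0))

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(text, known=KNOWN_GOOD, max_distance=1):
    """Return (line, name, intended) for names near, but not in, the known set."""
    known = {normalize(k) for k in known}
    findings = []
    for lineno, name in requirement_names(text):
        if name in known:
            continue
        findings += [(lineno, name, good) for good in sorted(known)
                     if edit_distance(name, good) <= max_distance]
    return findings
```

Running `find_lookalikes` in CI against every requirements file turns the typo into a failed build instead of an installed package.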