New 'CacheOut' Attack Leaks Data From Intel CPUs, VMs, And SGX Enclave


New 'CacheOut' Attack Leaks Data From Intel CPUs, VMs, And SGX Enclave (Jan 28, 2020)

A vulnerability being registered as “CVE-2020-0549” named “CacheOut” has been discovered by Adelaide and Michigan University researchers. The vulnerability that would allow threat actors to choose what data to leak from the end user’s CPU L1 cache of ongoing processes and extract it for exfiltration. Intel CPUs built prior to October 2018 are known to be vulnerable to this exploit and would enable actors to leak sensitive data from the users OS kernel, co-resident VMs and Intel’s SGX enclave. The researchers have clarified that CacheOut does not leave any traces in the log file and is unlikely to identify if someone has exploited the vulnerability. CacheOut cannot be exploited remotely from web browsers and currently does not affect AMD processors.

Recommendation: Attacks based on vulnerabilities can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning-based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. As this story portrays with regards Intel CPUs, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available in order to prevent exploitation by malicious actors.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.