TechRisk #102: Attacking Chrome browser AI extensions
Plus, OpenAI safer AI approach, contrasting trends in decentralized finance (DeFi) and centralized finance (CeFi) and more!
Tech Risk Reading Picks
Attacking Chrome browser AI extensions: Cybersecurity researchers have uncovered a wave of attacks targeting 36 Chrome browser extensions, predominantly related to AI tools and VPNs, affecting approximately 2.6 million users. Malicious updates injected with data-stealing code compromised popular extensions like ChatGPT for Google Meet, Bard AI Chat, and VPNCity. This follows a phishing attack on security firm Cyberhaven, where attackers used a fraudulent email to gain control of an extension, enabling them to access sensitive user information, including Facebook Ads credentials. Researchers warn that extensions' deep access to browser data makes them a critical security risk, urging organizations to vet and secure extensions against malicious updates. [more]
OpenAI safer AI approach: Recently, OpenAI unveiled its advanced o3 and o3-mini AI models, emphasizing a novel "deliberative alignment" framework that integrates ethical reasoning into the inference phase, enhancing alignment with human safety values. Unlike traditional approaches relying on pre- and post-training interventions, this method embeds safety checks during response generation, using chain-of-thought reasoning and internal reference to safety policies. Synthetic data played a key role in development, offering scalability amid concerns about data quality and risks like Model Autophagy Disorder (MAD), where overreliance on AI-generated data creates feedback loops. The o3 models outperformed peers in resisting jailbreak techniques on benchmarks but face ongoing challenges from evolving adversarial attacks. OpenAI considers this framework a significant step toward scalable, reasoning-based ethical AI systems, set to debut next year. [more]
Exploiting AI model: Threat actors exploited versions 8.3.41 and 8.3.42 of the Ultralytics YOLO11 AI model, a popular open-source library for computer vision and AI, to inject malicious code that deployed cryptominers on affected devices. The compromised versions, downloaded over 260,000 times on PyPI and used as dependencies in SwarmUI and ComfyUI, triggered the installation of XMRig Miners connecting to a mining pool. The malicious code injection reportedly stemmed from hijacked pull requests originating in Hong Kong. Ultralytics has released a clean 8.3.43 version and is investigating the breach while enhancing security measures. Users are advised to scan systems for malicious payloads. [more]
Emerging AI cyber threats: Andrew Krug, Head of Security Advocacy at Datadog, predicts significant shifts in cybersecurity threats by 2025, particularly targeting AI compute resources and workloads. He foresees an evolution in cloud attacks from cryptojacking to more sophisticated lateral movement and data exfiltration, emphasizing the need for robust cloud visibility and monitoring. Threat actors are expected to exploit undocumented APIs and target software supply chains through repositories like npm and PyPI. With AI becoming a focal point for attackers, Krug highlights the risk of compromised AI compute resources. He advocates for Cloud SIEM with workload security and a move toward passwordless, centralized identity management using temporary credentials, as traditional authentication methods face increasing vulnerabilities. [more]
Treasury report on AI risks and opportunities: The U.S. Department of the Treasury released a report summarizing feedback from its 2024 Request for Information (RFI) on AI in financial services, emphasizing the growing adoption of AI, including Generative AI, and its potential to expand opportunities while heightening risks like data privacy concerns, bias, and third-party vulnerabilities. The report highlights Treasury’s ongoing efforts to address AI-related cybersecurity risks and includes recommendations for next steps. These include fostering international and domestic collaboration to develop robust standards, analyzing regulatory gaps, enhancing risk management frameworks, improving AI information-sharing, and ensuring financial firms review AI use cases for legal compliance. The RFI, issued in June 2024, garnered input from 103 stakeholders across various sectors. [more][more-Treasury_ai_opportunities_and_risk_report]
Technical disruption due to technology failure: A technical issue grounded American Airlines flights across the U.S. for about an hour on Christmas Eve, disrupting operations during a peak travel season expected to see nearly 40 million passengers screened. The problem, attributed to an unspecified "vendor technology" failure, affected systems essential for flight releases and prompted a nationwide stop order requested by the airline. American Airlines assured customers that the issue was resolved and flights had resumed, while encouraging them to check its app or website for updates. The brief disruption, though significant, was less severe than previous IT failures in the airline industry, such as Southwest Airlines' meltdown two years ago or Delta's IT issues during the CrowdStrike outage. [more]
Japan Airlines’ security event: Japan Airlines (JAL) has resumed normal operations after a cyberattack caused delays to over 40 domestic and international flights on Thursday. The airline identified the incident as a Distributed Denial-of-Service (DDoS) attack, which overwhelmed its network systems. To mitigate the issue, JAL temporarily shut down affected systems, suspended same-day ticket sales, and limited online services. While the attack disrupted baggage management systems and the company’s mobile app, no customer data was compromised, and flight safety was unaffected. The airline emphasized that flights are now operating normally and urged impacted passengers to reach out for assistance. JAL confirmed that no customer information was leaked and there was no damage from computer viruses. Cyberattacks on the aviation sector are increasingly common, with recent incidents targeting air traffic control systems in Germany, Mexican airports, and politically motivated attacks disrupting services in other regions. [more][more-recordedfuture]
Milan’s airports DDoS: On 29 Nov, around ten official Italian websites, including those of the Foreign Ministry and Milan's airports, were temporarily disrupted by a cyber attack claimed by the pro-Russian hacker group Noname057(16), which cited Italy's "Russophobia" as the motive. The attack, identified as a Distributed Denial of Service (DDoS), aimed to overwhelm networks with excessive data traffic. Italy's cyber security agency swiftly intervened, mitigating the impact within two hours. The airports' operations and mobile apps remained unaffected, so no flight disruptions occurred despite the temporary website outages. [more]
Web3 Cryptospace Spotlight
Web3 Security Report 2024: Hacken’s 2024 Web3 Security Report reveals that the crypto sector suffered $1.7B in losses from access breaches, comprising 78% of total crypto losses, underscoring the critical need for improved operational security and key management. While DeFi hack losses decreased by 40%, CeFi losses doubled, reaching over $500M, with incidents like WazirX, DMM Exchange, and Radiant Capital highlighting vulnerabilities in access controls and token approvals. The metaverse and gaming sectors accounted for 18% of losses, while bridge hacks plummeted by 94% since 2022. The report emphasizes secure cryptographic key generation, encrypted storage, and multi-signature schemes as essential measures to mitigate future security risks. [more][more-hacken_report]
Crypto wallet exposed private key: Cryptocurrency wallet provider Tangem addressed a critical vulnerability in its mobile app that exposed certain users’ private keys via email, following widespread criticism from Redditors. The issue, stemming from a bug in the app's log processing system, inadvertently logged private keys when users generated wallets with seed phrases and contacted support within seven days. Although Tangem asserted that fewer than 0.1% of users were affected and no funds or accounts were compromised, critics accused the company of downplaying the issue by not making public announcements on social media. Tangem resolved the problem on 30 Dec, deleted all logs containing sensitive data, proactively reached out to affected users, and introduced enhanced security measures, including a bug bounty program. Users were advised to update their apps to prevent future risks. [more]
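The Tangem incident above is a case of secrets leaking through application logs. As an added illustration (not Tangem's code), here is a log-sanitising layer in Python that redacts sensitive fields by name and catches 64-hex private keys and mnemonic-shaped strings in free text; the field names, patterns and sample event are assumptions constructed for this example.

```python
import re
from typing import Any

# Assumed field names a wallet app might log; redacted regardless of value.
SENSITIVE_KEYS = {"private_key", "privatekey", "seed", "seed_phrase",
                  "mnemonic", "secret", "passphrase"}
# A 32-byte secp256k1 private key is 64 hex chars, optionally 0x-prefixed.
# Note: a 32-byte tx hash matches too; over-redacting is the safer failure.
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
BIP39_LENGTHS = {12, 15, 18, 21, 24}   # valid BIP39 mnemonic word counts
REDACTED = "[REDACTED]"


def looks_like_mnemonic(value: str) -> bool:
    """Heuristic: a whole value made of 12/15/18/21/24 short lowercase words."""
    words = value.strip().split()
    return len(words) in BIP39_LENGTHS and all(
        w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words)


def redact_text(text: str) -> str:
    """Redact hex-encoded private keys embedded in free-form log text."""
    return HEX_KEY_RE.sub(REDACTED, text)


def redact_record(record: Any) -> Any:
    """Recursively sanitise a structured log record before it is written."""
    if isinstance(record, dict):
        out = {}
        for key, value in record.items():
            if key.lower().replace("-", "_") in SENSITIVE_KEYS:
                out[key] = REDACTED
            else:
                out[key] = redact_record(value)
        return out
    if isinstance(record, list):
        return [redact_record(v) for v in record]
    if isinstance(record, str):
        return REDACTED if looks_like_mnemonic(record) else redact_text(record)
    return record


# Constructed sample event (not real data): a seed phrase stored under a
# sensitive field, plus a copy and a derived key leaking via a debug note.
FAKE_KEY_HEX = "ab" * 32
FAKE_WORDS = "apple banana cherry delta eagle fig grape honey iris jade kiwi lemon"
SAMPLE_EVENT = {
    "event": "wallet_created", "user_id": 4242, "seed_phrase": FAKE_WORDS,
    "debug": {"note": f"derived key 0x{FAKE_KEY_HEX} for account 0",
              "words": FAKE_WORDS},
}
```

Run `redact_record` on every record at the logging handler, not at individual call sites, so a new debug statement cannot bypass it.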
Bandit resurfaced: The infamous "Blockchain Bandit," known for exploiting weak cryptographic keys to steal over 45,000 ETH between 2016 and 2018, has resurfaced, consolidating 51,000 ETH (worth $172 million) and 470 BTC into a multisig wallet on December 30. This move involved 10 dormant wallets, last active in January 2023. The Bandit's signature technique, "Ethercombing," exploited predictable flaws in private key generation to compromise 732 wallets across 49,060 transactions. Speculation links the Bandit to state-sponsored actors, such as North Korean hacker groups, due to similarities with other crypto heists. The use of multisig wallets suggests preparations to obscure the stolen funds' origins, potentially via mixers or decentralized exchanges. [more]