EmergingTech Spotlight

1. AI powered crime: The FBI in recent months observed a proliferation of fraudulent AI-generated websites infected with malware featuring engaging content and multimedia that hackers use to trick unsuspecting users. Threat actors have also explored and used AI models available on the dark web that provide capabilities that aren't accessible through traditional open-source AI models provided by large legitimate companies. The FBI highlighted that AI has enabled threat actors to produce and disseminate realistic synthetic content for negligible time and monetary costs. Moreover, seasoned cybercriminals are exploiting the AI technology to develop new malware attacks and better delivery methods for them, and helping them develop polymorphic malware, which can evade antivirus software. [more][more-2]

2. Attack on LLM: Researchers at Carnegie Mellon University last week showed that adding a simple incantation to a prompt—a string text that might look like gobbledygook to you or me but which carries subtle significance to an AI model trained on huge quantities of web data—can defy all of these defenses in several popular chatbots at once. The work suggests that the propensity for the cleverest AI chatbots to go off the rails isn’t just a quirk that can be papered over with a few simple rules. Instead, it represents a more fundamental weakness that will complicate efforts to deploy the most advanced AI. [more]

3. IoT/OT targetted: New research from Nozomi Networks looked at public IoT/OT cyber incidents over the past six months and found that various threat actors, including ransomware and DDoS cyber attackers, have unleashed a barrage of cyberattacks against ICS systems. The report notes manufacturing, water treatment, food and agriculture, and the chemical sectors were most frequently targeted in early 2023. [more]

4. Quantum-safe cryptography: The move to quantum-safe cryptography will take time and involve considerable effort. It’s likely that cryptographic algorithms in use today will be replaced by a broader suite of quantum-safe alternatives. This will help businesses provide protection for their various use cases with best-fit solutions, while also building resilience by having some fallback options. And with the use of new algorithms, a vulnerability may yet be discovered in how they are used. As such, it is likely that legacy and new algorithms will coexist for a while in a hybrid approach until quantum-safe technology matures. [more]

Web3 Cryptospace Spotlight

1. Curve Finance’s vulnerability affected multiple pools, lost ~$70M:

   1. 30 Jul - A malfunctioning ‘reentrancy locks vulnerability’ was found on multiple versions of Vyper, an alternative, third-party smart contract programming language for the Ethereum virtual machine (EVM). The programming language confirmed the incident, revealing that crypto projects running Vyper 0.2.15, 0.2.16, and 0.3.0 could be impacted. Following the news, Curve Finance stated that some of its stable pools running Vyper 0.2.15 had exploited the malfunctioning reentrancy lock vulnerability. While it was unclear how much was stolen from Curve Finance’s stablecoin pools, some estimates suggest that as much as $70 million might have been stolen. [more][more-2][more-3]

   2. Hacked DeFi projects’ pools identified, including PEGD’s pETH/ETH: $11 million; Metronome’s msETH/ETH: $3.4 million; Alchemix’s alETH/ETH: $22.6 million; and Curve DAO: around $24.7 million, according to LlamaRisk’s post-exploit assessment.

   3. 5 Aug - The attacker who targeted Curve Finance has begun returning some of the stolen funds after the hacked DeFi entities offered the attacker to keep 10% bounty reward and drop legal action. The attacker sent 4,821 Ethereum, worth approximately $9 million, in a series of transactions to Alchemix Finance, one of the victims. [more]

2. Smart contract testing tool: Blockchain technology firm ConsenSys publicly released its “Diligence Fuzzing” tool for smart contract testing. The new tool produces “random and invalid data points” to find vulnerabilities in contracts before they are launched. [more]

3. AMD crypto key stealer bug: A new bug called “Zenbleed” affecting specific AMD CPUs has been found that can potentially leak info, such as keys attached to crypto wallets. A malicious hacker can potentially get locked information through the CPU and be able to access the user’s login credentials. This also means that the keys of a crypto wallet, if installed on the same hardware, may no longer be safe. [more]

4. OpenZeppelin security solutions architect Michael Lewellen emphasized the importance of setting a “standard on security” with a “broad agreement” across the auditing firms and developers in the space to protect users.

   Currently, protocols rely on audit reports from blockchain security firms. However, there have been instances in the past where an auditor didn’t find bugs, but the contracts were hacked regardless. [more]

5. The cryptocurrency market is having its worst month of 2023, according to a report from Web3 outlet De.Fi. Losses for July totaled $390 million, more than six times the total from the same period in 2022. [more][more-De.Fi.]