TechRisk Reading Picks

1. Generative AI prompt injection attack: The NCSC (National Cyber Security Centre) noted that Hackers are now poisoning the data that these chatbots access, to create prompts that make LLM-powered chatbots such as ChatGPT, Google Bard and Meta's LLaMA generate malicious output. It warned that these attacks, known as prompt injection attacks, are a significant threat. They are more severe than SQL injection and currently have no foolproof security solutions. They can be extremely challenging to mitigate effectively. [more]

2. AI generated books:

   1. AI generated book content could be harmful - Mushroom pickers urged to avoid foraging books on Amazon after detected likely to be written by AI. Some warned that such content could be dangerous as it really takes an experienced eye and knowledge to discriminate between the edible and inedible mushrooms, and it can “literally mean life or death.” [more]

   2. Amazon.com imposed new rules on AI content - Amazon.com has implemented new rules for authors selling books on its e-book platform, requiring them to disclose if their content is generated by AI. The new policy, outlined in a passage on Amazon’s content guideline page, explicitly defines AI-generated content as “text, images, or translations created by an AI-based tool.” This definition distinguishes between AI-assisted content, where disclosure is not required, and AI-generated material, where authors must explicitly declare the use of AI. [more]

3. OT adversary emulation platform: The Cybersecurity and Infrastructure Security Agency (CISA) is collaborating with MITRE, a nonprofit organization, to create a cyberattack emulation platform for operational technology (OT) networks. This initiative builds upon MITRE's open-source tool called Caldera, which aids cybersecurity teams in simulating cyber threats, assessing platform responses to attacks, and streamlining routine cybersecurity testing. [more]

4. Armis’ research noted that while medical devices are the most susceptible to unpatched CVEs, operational technology (OT) assets are the most attacked. [more][more-2]

Web3 Cryptospace Spotlight

1. Stake suffered $40M loss after an assumed state group attack: 4 Sep - Crypto betting platform Stake lost $40 million after an attack. Although the platform resumed all of its services shortly after, it has not specified the reason behind the hack. CertiK, a blockchain security firm, speculated that a potential private key compromise could have led to the incident. [more][more-2]

   1. Stake was exploited across three different blockchains and the attackers swapped various assets, spread them between addresses, and eventually sent large sums to the Avalanche blockchain via bridges, before converting synthetic BTC on Avalanche to native BTC with attempt to anonymise the transactions. FBI has attributed the attack to the Lazarus Group. [more]

2. FloorDAO lost 40WETH to rebases exploit: 6 Sep - FloorDAO notified users about an attack caused by a user exploiting a backlog of FLOOR rebases. The user stole around 40 WETH (Wrapped ETH) from the FloorDAO’s FLOOR/WETH Protocol Owned Liquidity (POL). 

3. GMBL Computer lost 500 ETH: 5 Sep - Arbitrum-based GMBL Computer reported that an attacker was able to spoof a call to get a signature from its server. It added that the signature was passed to the contract, enabling them to “pull almost 500 ETH worth of GMBL out of the contract.” At current prices, the DeFi exploit would be worth around $800,000. The protocol team stated that it was not a contract vulnerability, and it has identified the root cause, which is off-chain. A couple of hours later, GMBL posted that “we have recovered half the funds stolen from the hacker, to our multisig.” However, there were still accusations of a rug pull flying around. [more]

4. Ironblocks, a Web3 cybersecurity firm, teamed up with Fuse Network, and together they successfully thwarted a critical breach attempt on the Fuse Bridge on August 24, 2023. The hacker tried to exploit the bridge by executing a frontrun transaction, rerouting the Ethereum-Fuse interchange five times, potentially stealing approximately $1.5 million in USDC tokens. Fortunately, Fuse's security measures and Ironblocks' real-time monitoring system detected and prevented these actions, enabling swift corrective action to be taken. [more]

5. Stolen LastPass vault could be cracked: In November 2022, LastPass, a password manager service, reported a breach where hackers stole data from over 25 million users. This included both encrypted and plaintext data. Since then, there have been several cryptocurrency heists involving the digital tokens holders who use LastPass. Some security experts believe that the attackers may have successfully cracked open some of the stolen LastPass vaults, and retrieved the seed phrases stored. [more]

   1. Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

6. More than 11,000 years jail term for CEX founder: Faruk Fatih Özer, the founder of the collapsed Turkish crypto exchange Thodex, has been sentenced to 11,196 years in prison, with a $5 million fine. Thodex, once a major Turkish cryptocurrency exchange, abruptly went offline in April 2021, leaving over 400,000 users unable to access their $2 billion in crypto deposits, while Özer went missing. He managed to flee to Albania but was arrested in August 2022 following an Interpol red notice. [more]

7. IOSCO’s Policy Recommendations for Decentralized Finance

   (DeFi) Consultation Report: IOSCO released a consultation report on DeFi with nine recommendations that include analyzing the DeFi protocol, identifying responsible persons and mapping functionality to existing regulated activities.[more][more-report]

   1. Tuang Lee Lim, Chair of IOSCO’s Board-Level Fintech Task Force, said that “there is a common misconception that DeFi is truly decentralised and governed by autonomous code or smart contracts. In reality, regardless of the operating model of the DeFi arrangement, ‘responsible persons’ can be identified.” And he pointed out that there is a ”need to identify these persons, whether legal or natural, who should bear responsibility for upholding investor protection and market integrity.”

8. DeFi crypto platform not liable for scam tokens: US District Court for the Southern District of New York dismissed a proposed class action lawsuit against Uniswap Labs and its CEO, foundation, and three venture capital backers brought by plaintiffs who sought damages from alleged exposure to scam tokens that originated with anonymous third-party token issuers on the company’s decentralized cryptocurrency trading protocol. [more]