TechRisk Notes#36: Lazarus strikes again
Plus, smart contract bug missed by auditors but spotted by ChatGPT; Cloud adversaries go for privileged credentials; and more.
TechRisk Reading Picks
Keep AI safe: An additional eight companies on Tuesday announced their voluntary commitment to the White House to support safe, secure, and trustworthy development of artificial intelligence. These companies were Adobe, Cohere, IBM, Nvidia, Palantir, Salesforce, Scale AI, and Stability. [more]
AI risk discussion with US lawmakers: Tech leaders, including Meta CEO Mark Zuckerberg, Tesla CEO Elon Musk, and former Microsoft CEO Bill Gates, had a closed-door meeting with lawmakers to discuss AI regulation. They proposed broad regulatory frameworks for AI and expressed concerns about the risks associated with uncontrolled AI advancements. Senator Elizabeth Warren criticized the closed-door nature of the meeting, while Senator Josh Hawley, who didn't attend, criticized the tech executives for their interests in AI development. [more]
Rise in OT risk in India: India faces substantial risk of cyberattacks targeting its critical infrastructure, public sector, and essential services, a report by Palo Alto Networks revealed. As per the report, 67 per cent of Indian government and essential service entities reported encountering a surge of over 50 per cent in disruptive attacks. [more]
Cloud adversaries go for privileged credentials: Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. The recently released X-Force 2023 Cloud Threat Landscape Report details the common trends and top threats observed against cloud environments over the past year. Improper use of credentials was the top cause of the cloud compromises that X-Force responded to in that period, reaffirming the need for businesses to double down on hardening their credential management practices. [more]
Protecting yourself from Web3 fraudsters: Safety guidelines for navigating the evolving decentralized technology landscape, including: exercise caution with wallets and private keys, stay skeptical of airdrops and giveaways, and regularly update and secure devices. [more]
Web3 Cryptospace Spotlight
CoinEx suffered a security breach and lost over $50M, linked to Lazarus Group: 12 Sep - Crypto exchange CoinEx said that it detected a security incident that involved unusual withdrawals from the hot wallets in which it stores exchange funds. Web3 security company Cyvers suggested that the exchange may have accidentally leaked address private keys or allowed for access control violations. [more][more-2][more-3]
On-chain sleuth ZachXBT posted that the Lazarus group accidentally connected their address to the $41 million Stake hack on Optimism and Polygon. Similarly, SlowMist explained how it arrived at Lazarus Group, based on the addresses involved in the previous Stake and Alphapo exploits.
FBI earlier noted that “in 2023 alone, DPRK cyber actors have stolen more than $200 million”.
Remitano’s hot wallet sent out $2.7M: 14 Sep - Remitano, a cryptocurrency exchange, encountered substantial withdrawals under dubious circumstances. This led to some blockchain experts suspecting that it was hacked. Approximately $2.7 million worth of cryptocurrency was withdrawn through these suspicious transactions. Tether took action by freezing one of the addresses, potentially safeguarding $1.4 million worth of digital assets. [more]
Vitalik’s X account hacked: 9 Sep - Ethereum co-founder Vitalik Buterin’s X (formerly Twitter) account was hacked, and victims allegedly suffered losses over $691,000 after connecting their wallet to a malicious link falsely promoting a free NFT. [more]
Fortress drained due to third party: Fortress Trust, a crypto company, initially reported a security issue involving a third-party tool but no fund loss on Sept 7. On Sept 13, they revealed losing $12-15 million in a hack, mostly in Bitcoin and some stablecoins. Only 4 out of 225,000 customers were affected. The breach was attributed to the third-party provider Retool, which fell victim to a phishing attack. Fortress Trust and its custodian partners, i.e. Fireblocks or BitGo, were not responsible for the breach. [more][more-2][more-Fortress][more-retool]
Retool separately blamed a recent change in Google Authenticator for weakening its intended MFA, and said it had reached out to Google about it.
Paxos (PayPal’s crypto infrastructure partner) overpays BTC transaction fee: According to blockchain data, a sender paid fees of approximately 20 BTC (over $515,000 worth at the time) to send just 0.07 BTC (worth less than $2,000 at the time). [more]
At the time, Casa wallet co-founder Jameson Lopp declared that the sending account “looks like an exchange or payment processor with buggy software,” as it had made over 60,000 transactions from the same address.
Paxos later issued its statement confirming that the mistake had been its own, not PayPal’s. The company also claimed that it had contacted the mining company that confirmed the transaction and is attempting to recover the lost funds.
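As an added illustration (not code from the newsletter, Paxos or PayPal), this is the kind of pre-broadcast fee sanity check a signing service can apply so that a fee dwarfing the payment is caught before a signature is released; the transaction values, sizes and the fee caps are constructed or hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal

SATS_PER_BTC = 100_000_000


def btc(amount: str) -> int:
    """Convert a decimal BTC string to integer satoshis (no float rounding)."""
    return int(Decimal(amount) * SATS_PER_BTC)


@dataclass(frozen=True)
class UnsignedTx:
    """Minimal view of a transaction: only the values matter for fee math."""
    input_sats: tuple   # values of the UTXOs being spent
    output_sats: tuple  # values of every output, recipient and change alike
    vsize_vbytes: int   # estimated virtual size once signed


def implied_fee_sats(tx: UnsignedTx) -> int:
    """Bitcoin has no fee field: fee = inputs - outputs. Any value not claimed
    by an output (e.g. a forgotten change output) goes to the miner."""
    return sum(tx.input_sats) - sum(tx.output_sats)


def fee_violations(tx: UnsignedTx, payment_sats: int, *,
                   max_fee_sats: int = 500_000,       # hypothetical cap: 0.005 BTC
                   max_sat_per_vb: int = 500) -> list:  # hypothetical rate cap
    """Policy checks run before releasing a signature.
    Returns a list of violations; an empty list means the fee looks sane."""
    fee = implied_fee_sats(tx)
    problems = []
    if fee < 0:
        problems.append("outputs exceed inputs: transaction is invalid")
    if fee > max_fee_sats:
        problems.append(f"absolute fee {fee} sats exceeds cap {max_fee_sats}")
    if tx.vsize_vbytes > 0 and fee / tx.vsize_vbytes > max_sat_per_vb:
        problems.append(f"fee rate {fee / tx.vsize_vbytes:.0f} sat/vB exceeds cap {max_sat_per_vb}")
    if fee > payment_sats:
        problems.append("fee exceeds the amount being paid")
    return problems


# Constructed sample: one 20.07 BTC UTXO used to pay 0.07 BTC.
PAYMENT = btc("0.07")
# Change output omitted, so the whole 20 BTC remainder becomes the fee.
BUGGY_TX = UnsignedTx((btc("20.07"),), (PAYMENT,), vsize_vbytes=140)
# Change output present, leaving a 10,000 sat fee.
FIXED_TX = UnsignedTx((btc("20.07"),), (PAYMENT, btc("19.9999")), vsize_vbytes=170)

if __name__ == "__main__":
    for name, tx in (("buggy", BUGGY_TX), ("fixed", FIXED_TX)):
        print(name, implied_fee_sats(tx) / SATS_PER_BTC, "BTC fee:", fee_violations(tx, PAYMENT) or "OK")
```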
Lido Finance, an Ethereum staking protocol, has responded to safety concerns raised by SlowMist, a blockchain security firm, regarding their Lido DAO (LDO) and staked-Ether (stETH) tokens. While Lido Finance did not confirm any specific exploits, it has taken proactive measures to reassure users about the security of their assets. [more]
Bug missed by auditors, spotted by ChatGPT: The BANANA token by Telegram bot Banana Gun fell over 99% in just three hours due to a contract bug, causing prices to crash from $8.70 to $0.02. Many users labeled it a scam, and the team blamed the bug, which went unnoticed after two audits. While the team said they couldn't find it, a developer on Twitter (@Mister_Ch0k) used OpenAI's ChatGPT to spot the bug in seconds. [more]