TechRisk Notes#39: FTX hacker resurfaced + Risk of overdependence on AI tools
Plus, Johnson Controls mega hack, and more.
TechRisk Reading Picks
Johnson Controls hacked: Johnson Controls International (JCI) suffered a cyberattack that disrupted its internal IT systems. Two of its subsidiaries, Simplex and York, also reported technical outages on customer portals and login pages. A cybergang called Dark Angels claimed responsibility and shared a ransom note on Twitter. They mentioned compromising JCI's network, leaking critical data, encrypting files, and deleting backups. Dark Angels allegedly stole 27TB of data and encrypted the company's VMware ESXi machines in a ransomware attack. The note suggested contacting the gang to resolve the situation to prevent further losses. [more]
AI risk on the weakening of human intellect: Recent research, including the study by Wharton Business School and Boston Consulting Group (BCG), underscores the significant productivity benefits of incorporating AI chatbots like ChatGPT into knowledge work. In this context, AI has been found to improve performance across various tasks, bridging skill gaps and enhancing the output of less proficient workers. However, it's essential to consider a notable caveat highlighted by the research: "As AI quality increases, humans have fewer incentives to exert effort and remain attentive, allowing the AI to substitute, rather than augment their performance." This observation suggests a potential pitfall: people might become overly reliant on AI, relinquishing their own judgment and initiative, effectively letting AI take over rather than utilizing it as a supportive tool. [more]
The danger lies in a future where individuals move through their work on autopilot, much like our cars navigate roads with minimal human intervention. This scenario evokes parallels with earlier research on smartphone usage, which demonstrated that the intellect can weaken as the brain becomes dependent on technology. This phenomenon may apply to various forms of information technology where content flows effortlessly, reducing the need for individuals to actively learn or discover information independently. Striking a balance between harnessing the benefits of AI augmentation and preventing overdependence is crucial as organizations integrate AI into knowledge work, ensuring that human judgment and creativity remain integral to the decision-making process.
API risk: The rapid adoption of cloud applications has given organizations a wealth of capabilities, but it has also introduced new security risks, particularly those associated with APIs. A recent report by Traceable found that 74% of organizations have experienced at least three API-related data breaches in the past two years. [more]
This is concerning given that 88% of organizations deploy more than 2,500 cloud applications, which broadens the attack surface. The proliferation of APIs is expanding the attack surface for organizations in a number of ways.
First, the sheer volume of APIs makes it difficult to keep track of all of them and ensure that they are properly secured. Second, API types are diverse: public, partner, and internal APIs each present their own set of security challenges. Third, there is a lack of awareness and understanding of API security risks among many organizations.
As a result, many potential API-related threats remain under the radar. Attackers are increasingly exploiting these vulnerabilities to steal data, launch denial-of-service attacks, and disrupt business operations.
The European Commission has introduced a recommendation for enhanced risk assessments in artificial intelligence. This recommendation encompasses six AI technology categories, such as data analytics, language learning, and object recognition. The commission aims to collaborate with EU member states to conduct collective risk assessments by year-end. [more]
In a recent campaign, attackers tried unsuccessfully to access an Azure cloud environment through a SQL Server instance. They started by exploiting a SQL injection vulnerability, gaining access to a Microsoft SQL Server running in an Azure VM. Then, they attempted to move to other cloud resources by abusing the server's cloud identity, which held elevated permissions, for potential malicious actions. [more] [more-2]
Web3 Cryptospace Spotlight
FTX hacker resurfaced after 10 months: The FTX hacker, who holds more than $300 million of assets, moved the digital assets for the first time in 10 months. The hacker transferred $8 million via RailGun and Thorchain, and made two transactions of 2,500 ETH each, worth $4 million. The address continues to hold 12.5K ETH. The hacker's identity and techniques remain unknown. [more]
SIM-swap attack: 5 Oct - A single scammer managed to steal approximately $385,000 worth of Ether (ETH) through SIM-swap hacks that seemed to target Friend.tech users. Blockchain sleuth ZachXBT reported that, based on on-chain movement of crypto assets, the scammer had pilfered 234 ETH from four different Friend.tech users within 24 hours. [more]
One of the reported victims of the most recent chain of SIM-swap attacks posted to X (Twitter) following the attack:
“Got sim swapped. Apparently, dude was able to do it from an Apple store and switched it to an iPhone SE. Don’t buy my keys, that wallet is compromised.”
Lazarus new malware: One of the most prominent attackers in the web3 space, the Lazarus Group, is using a new, more sophisticated malware in its fake job scams, which is harder to detect than the previous one. In these scams, victims are lured with fake employment offers from reputable companies and then tricked into downloading a malicious payload disguised as documents.
However, cybersecurity company ESET pointed out that the new LightlessCan payload is a significant improvement over its predecessor, BlindingCan. LightlessCan emulates various native Windows commands, allowing for discreet execution within the RAT (Remote Access Trojan) itself, avoiding noisy console executions. This approach provides a substantial advantage in terms of stealthiness, making it harder for real-time monitoring solutions like EDRs and postmortem digital forensic tools to detect the activity. [more] [more-2]
Smart contracts security: Decentralized Finance (DeFi) is a rapidly growing sector in the blockchain space and relies on smart contracts on public blockchains to function. However, smart contract bugs pose significant risks to DeFi platforms, and ensuring their security is crucial. Here are some best practices for Smart Contract Security. [more]
Trusted Development Frameworks: Use trusted frameworks like OpenZeppelin, which include community-vetted code and built-in security measures to reduce the risk of introducing vulnerabilities in custom code.
Extensive Testing: Conduct thorough testing, including unit, integration, and fuzz testing, to ensure that smart contracts work as intended under various conditions. Aim for 100% test coverage to evaluate all code paths.
Formal Verification: Consider formal verification tools like Certik to provide mathematical proof that contract logic adheres to predefined specifications and contains no flaws.
Rigorous Auditing: Engage reputable security firms for comprehensive code audits both before deployment and after major updates. Independent experts often identify issues that developers might miss.
Access Controls: Implement access controls to restrict critical contract functions to authorized addresses, preventing unintended usage or abuse. Function-level permissions can help limit damage in case of compromised contracts.
Bug Bounty Programs: Encourage ethical hackers through bug bounty programs to identify and responsibly disclose vulnerabilities. Rewarding white hat hackers for finding issues before deployment can help fix problems early.
Modular Architecture: Divide smart contracts into smaller, modular components to minimize the impact of a single contract being compromised. Circuit breakers can halt operations if issues are detected, reducing dependencies and potential damage.
Simplicity in Design: Keep smart contract designs simple and minimalistic. Complex and convoluted contracts are harder to audit, test, and maintain securely. Lean and functional contracts are ideal for security.
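As an added illustration (not code from the linked article), the access-control, circuit-breaker and trusted-framework practices above combined in one minimal Solidity vault. It is a constructed example and assumes OpenZeppelin Contracts v5 import paths; role and function names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: import paths assume OpenZeppelin Contracts v5.
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/utils/Pausable.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// @notice Minimal ETH vault: function-level permissions via roles,
///         a circuit breaker via Pausable, and reentrancy protection.
contract GuardedVault is AccessControl, Pausable, ReentrancyGuard {
    // Separate roles limit damage if one privileged key is compromised.
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    mapping(address => uint256) public balances;

    event Deposited(address indexed from, uint256 amount);
    event Withdrawn(address indexed to, uint256 amount);

    constructor(address admin, address pauser) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin); // can manage roles and unpause
        _grantRole(PAUSER_ROLE, pauser);       // can only halt the contract
    }

    // Deposits are blocked while the circuit breaker is tripped.
    function deposit() external payable whenNotPaused {
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
        emit Deposited(msg.sender, msg.value);
    }

    // Checks-effects-interactions plus nonReentrant: the balance is
    // reduced before the external call, so a re-entering callback
    // cannot withdraw the same funds twice.
    function withdraw(uint256 amount) external whenNotPaused nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Circuit breaker: the pauser can halt operations when an issue is
    // detected; only the admin can resume, so a single key cannot do both.
    function pause() external onlyRole(PAUSER_ROLE) { _pause(); }
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) { _unpause(); }
}
```

Unit and fuzz tests for such a contract should exercise the paused state, the role checks and a re-entering receiver, since those are the paths an audit will look at first.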