TechRisk Notes#42: 400% more IoT and OT attacks + Post-quantum's opportunities and threats
Plus, DAO attacked by malicious proposal, companies not ready for AI risk, Stefan's locked 7,002 Bitcoin and more!
Tech Risk Reading Picks
IoT and OT attacks: Zscaler has released the Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report, which highlighted a 400% increase in malware attacks on IoT devices compared to the previous year. This surge in attacks is a significant concern for Operational Technology (OT) security, as malware can potentially move across networks, endangering critical infrastructure. The report attributes this rise to weak security standards for IoT device manufacturers and the prevalence of unmanaged and unpatched devices in enterprises. Mexico and the United States were the most targeted countries, collectively accounting for 69.3% of attacks. [more]
To address these challenges, Zscaler's Global CISO, Deepen Desai, recommends enforcing zero trust principles, emphasizing the need to never trust, always verify, and assume a breach. Continuous discovery and monitoring can help segment and secure IoT and OT devices, reducing lateral movement risks.
Opportunities and threats in the post-quantum era: Europol published a report on quantum computing and quantum technologies from a law enforcement point of view - “The Second Quantum Revolution: The impact of quantum computing and quantum technologies on law enforcement”. The report provides a forward-looking assessment of the impact of quantum computing and quantum technologies on law enforcement. It also outlines potential applications of these new technologies. [more][more-report]
The report is a joint endeavour between the European Commission’s Joint Research Centre (JRC), Europol’s European Cybercrime Centre (EC3) and Europol’s Innovation Lab.
AI risks:
Google - Demis Hassabis, the CEO of Google's AI unit, is warning that the world needs to treat the risks associated with artificial intelligence (AI) as seriously as the climate crisis. He suggests that oversight of the AI industry could begin with the establishment of a body similar to the Intergovernmental Panel on Climate Change (IPCC). He compared the need for immediate action on AI to the international community's slow response to climate change, stressing that we cannot afford a similar delay in addressing AI-related risks. [more]
OpenAI - OpenAI forms a new team, Preparedness, to tackle severe risks associated with advanced AI, including nuclear threats, autonomous replication, and cybersecurity issues. They aim to understand and mitigate these risks while acknowledging the potential benefits of advanced AI for humanity. [more]
AI risk management readiness: A global survey of 300+ risk and compliance professionals found that 93% of companies acknowledge the risks of using generative AI, but only 9% feel prepared to address these threats. Shockingly, just 17% of leaders in these fields have formally educated their organizations about the risks of generative AI. [more]
Most dangerous threat group: Microsoft has been tracking a financially motivated threat group called Octo Tempest, which is a dangerous organization known for using various tactics like social engineering and SIM swapping to compromise organizations worldwide. They've been active since early 2022 and have targeted mobile telecommunications and business process outsourcing companies, primarily to carry out phone number porting (SIM swaps). In 2022, they made money by selling SIM swaps to other criminals and taking over accounts of high-net-worth individuals to steal cryptocurrency. This group is a significant concern for various industries due to their evolving and extensive techniques. [more]
Web3 Cryptospace Spotlight
Trading bot refunds users after router exploited: 24 Oct - The Maestro team refunded the users affected by the exploit of the Maestro Router 2 contract. Maestrobots paid a total of 610 ETH from its own revenue to cover all the user losses, worth more than $1 million. The refunds came shortly after Maestro reported that the MaestroRouter on ETH mainnet was compromised with approximately 280 ETH drained by attackers. The Maestro team indicated that it identified the attack within 30 minutes of its start and fully removed the exploit. The platform also managed to resume trading quickly after temporarily halting tokens with pools on SushiSwap, ShibaSwap and ETH PancakeSwap. Maestro highlighted that the “wallets were not compromised at all during this attack”. [more]
The malicious DAO proposal: 25 Oct - An attacker exploited the governance system of Synthetify, a Solana-native DEX, and stole around $230,000 worth of cryptocurrency. They did this by creating and voting on proposals within the decentralized autonomous organization (DAO). By the time the community noticed, the funds had already been sent to Tornado Cash. [more]
Taking advantage of the DAO’s inactivity, the attacker created ten identical-looking proposals and used their own tokens to reach the voting quorum. The malicious proposal contained code that sent around $230,000 in USDC, mSOL and stSOL to the attacker’s address. [more]
Unlocking $235M Bitcoin treasure trove: Swiss crypto entrepreneur Stefan Thomas has a locked USB drive from 2011 that holds the keys to 7,002 bitcoins, worth close to $235 million. Unfortunately, he has forgotten the password and is left with two attempts to unlock it before the USB drive self-destructs its content. Recently, a security team from Unciphered uncovered a method to crack the locked USB drive and reached out to Thomas. However, Thomas doesn't seem to want their help. This is because Thomas had already made a “handshake deal” with two other cracking teams a year earlier and he remains committed even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished. [more]
AAVE $1M Bug Bounty: Aave DAO launched a $1 million bug bounty as its total value locked (TVL) across its ecosystem passed $7 billion. [more]