TechRisk Notes#44: Financial sector's AI concerns + Near $1M lost to fake cold wallet app
Plus, Sandworm strikes again with new attack, $1.9B saved by blockchain audit firm, challenges faced by PQC migration ahead and more!
TRG Reading Picks
Post-quantum challenge: The UK's National Cyber Security Centre (NCSC) highlighted the complexity of transitioning to post-quantum cryptography. Efforts are underway to develop post-quantum cryptography standards like Google's Dilithium to mitigate quantum risk, but the transition requires more than just new algorithms. It demands re-engineering protocols and services, which is especially challenging for critical infrastructure because of the resource demands involved. Major internet services may be able to transition more easily, but older systems will be harder to upgrade. [more][more-NCSC-pqc][more-NCSC-pqc-whitepaper]
AI risks to the financial sector: The increasing use of AI in trading by major financial institutions raises concerns about rapid, large-scale capital movements driven by algorithms. This could create hidden financial risks and even trigger a crisis. The fear is that the consequences of such AI-driven trading are poorly understood by both regulators and the people managing these financial entities. [more]
Understand cloud security issues: 12 common cloud security issues faced by organisations, including data infiltrations, unsecured APIs, vulnerabilities in shared technologies, data depletion risks during disasters or transit mishaps, and inadequate preliminary analysis before transitioning to the cloud, any of which can result in serious security lapses. [more]
CVSS for OT: The Forum of Incident Response and Security Teams (FIRST) published CVSS 4.0, which refines the base metrics and also broadens the coverage to include operational technology (OT), industrial control systems (ICS) and the Internet of Things (IoT). Furthermore, CVSS 4.0 also looks at resiliency, which is often omitted in the initial stages of an exploit. [more]
Sandworm strikes again - with novel techniques: In late 2022, Mandiant responded to a cyber-physical incident orchestrated by the Russia-linked Sandworm group targeting a Ukrainian critical infrastructure organization. The attack involved a multi-event strategy, using novel techniques to impact industrial control systems (ICS) and operational technology (OT). Sandworm initially employed OT-level living off the land (LotL) techniques to cause an unplanned power outage, coinciding with mass missile strikes in Ukraine. A second disruptive event involved deploying a new variant of CADDYWIPER in the victim's IT environment. This incident reflects the evolving capabilities of Russia's cyber-physical attacks since the invasion of Ukraine, indicating increased maturity in offensive OT strategies. The use of LotL techniques suggests efficiency in executing cyber-physical attacks. Although the initial intrusion point remains unknown, the analysis implies that the OT component may have been developed in as little as two months, indicating the potential for rapid development of similar capabilities against other OT systems globally. [more]
Web3 Cryptospace Spotlight
$1.9B saved: 4 Nov - ChainLight, a blockchain security audit firm, discovered a critical vulnerability in the zkSync Era protocol, potentially risking a $1.9 billion loss. The flaw was in zkSync Era's zk-circuits, which verify transaction accuracy without revealing sensitive details. The bug allowed a malicious prover to produce “proofs” for invalidly executed blocks, which the verifier smart contracts on Layer 1 would have accepted. Matter Labs has deployed a fix for the issue and awarded ChainLight a 50K USDC reward for disclosing the issue, the first bounty to be claimed for a ZK-circuit bug in zkSync Era. [more][more-Chainlight]
Aave paused: 4 Nov - Aave, a decentralized finance (DeFi) protocol, temporarily paused several markets across different networks due to reports of an issue with a specific feature within the Aave Protocol. The affected networks include Aave v2 on Ethereum, certain assets on Aave v2 on Avalanche, Polygon, Arbitrum, and Optimism. While the exact problem or impacted assets were not disclosed, Aave assured users that no funds were at risk, and the pause was a precautionary measure taken after community developers validated the reported issue. [more]
CoinSpot lost $2.4M: 8 Nov - Australian crypto exchange CoinSpot has reportedly fallen victim to an attack resulting in a loss of $2.4 million. Blockchain security firm CertiK suggests that the compromise of a private key on at least one of CoinSpot’s hot wallets is the likely cause of the incident. After draining the wallet through two large transactions, the attacker attempted to complicate tracing by splitting the funds across multiple transactions and wallets. [more]
Low liquidity exploit: 7 Nov - TheStandard.io, a DeFi stablecoin protocol, experienced a $264,000 theft through a PAXG liquidity pool exploit on Arbitrum. The hacker used a low liquidity exploit to manipulate PAXG prices, resulting in the theft of 8,500 USDC and 280,000 Euro. The stolen funds were then used to mint an Algebra position NFT worth nearly €223,000. This incident is part of a trend in which cybercriminals target small DeFi and crypto projects for quick gains. [more]
Fake Ledger app: A fake Ledger Live application on Microsoft's app store has resulted in the theft of over $700K in digital tokens. The scam app, named "Ledger Live Web3," deceived users into downloading what they believed was the legitimate "Ledger Live" interface for managing cryptocurrency held in cold storage. The scammer received 16.8 BTC, valued at $588,000, through 38 transactions. Separately, over $180,000 in Ethereum and BNB Smart Chain tokens was also stolen, bringing the total value of lost digital tokens to $767,238. The application has been taken down by Microsoft. [more][more-2]