Tech Risk Reading Picks

1. ASEAN AI Guide: ASEAN published a practical guide for organizations in the ASEAN region interested in developing and deploying traditional AI technologies for commercial and non-military purposes. It emphasizes alignment within ASEAN and interoperability of AI frameworks across jurisdictions. Additionally, it offers recommendations for both national and regional initiatives that governments in the region can adopt to ensure responsible design, development, and deployment of AI systems. [more]

2. AI Privacy Advisory: Singapore PDPA released a publication on “Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems". [more]

3. AI erodes skills: Study warns that outsourcing AI carries the risk of diminishing personal skills. [more]

4. Trojans on Cloud: Security experts are warning of hackers exploiting Google Cloud Run to distribute banking trojans like Astaroth, Mekotio, and Ousaban. Google Cloud Run allows easy deployment of services without managing infrastructure. Since September 2023, there's been a surge in malware misuse, especially by Brazilian actors, who use MSI installer files via phishing emails. Attackers exploit Cloud Run's cost efficiency and ability to bypass security measures. Phishing emails, often in Spanish or Italian, lead victims to malicious websites hosted on Cloud Run. [more]

5. Dormant accounts targeted: Cybersecurity and law enforcement agencies from the US, Canada, UK, Australia, and New Zealand issued a warning about APT29/Cozy Bear/Midnight Blizzard, a hacking group tied to Russia’s SVR intelligence. Instead of exploiting software flaws, they're using brute-force attacks and targeting dormant accounts of ex-employees. They're also bypassing multi-factor authentication using 'MFA bombing'. After gaining access, they register their devices on victim networks and use residential proxies to hide their activity. To defend against this, organizations should implement MFA, strong passwords, least privilege, monitor service accounts, limit session lifetimes, authorize devices, and use logs to detect suspicious behavior. [more]

6. Web3 Cryptospace Spotlight

   1. Hacker accept 20% bounty: A hacker exploited a vulnerability in the Seneca stablecoin protocol, taking around $6.4 million in ETH. They returned over $5 million after accepting a 20% bounty. Blockchain security firms flagged the exploit on Feb. 28, urging users to revoke approvals. The vulnerability allowed the attacker to make external calls to transfer assets from vulnerable contracts. Security analysts highlight the importance of paying attention to external calls, especially during contract upgrades. [more]

   2. Impact from LastPass hack: Hackers swiped $6.2 million worth of digital assets from 22 LastPass users on Feb. 19-20. ZachXBT and Taylor Monahan detailed the theft on X, tracing funds from 41 hacked wallets, involving 21 Bitcoin and 20 Ethereum addresses. [more]

   3. Sky Mavis co-founder lost almost $10M: Jeffrey Zirlin, co-founder of Sky Mavis, the company behind Axie Infinity, reported that two of his personal wallets were hacked, but the Ronin blockchain was unaffected. About $9.7 million worth of Ether was withdrawn from the Ronin Bridge to a crypto mixer called Tornado Cash. Zirlin clarified that the attack only targeted his personal accounts and didn't impact the validation or operations of the Ronin chain, and the leaked keys were unrelated to Sky Mavis operations. [more]