TechRisk Notes#65: Probably the most sophisticated supply chain attack
Plus, over $330M lost in Web3, DHS AI roadmap and more
Tech Risk Reading Picks
“xz” a sophisticated supply chain attack: Researchers investigating an attack on the xz Utils open-source project found evidence suggesting that an individual operating under the pseudonym "Jia Tan" gradually gained trust within the developer community over several years. This person eventually became a maintainer of the project and inserted a hidden backdoor into the code earlier this year. The attacker took steps to conceal their identity and make the backdoor difficult to detect. The motive and identity of the attacker remain unknown. [more]
DHS on AI: The Department of Homeland Security (DHS) released its first AI roadmap, outlining current and future AI use. Key points include a forthcoming DHS-wide AI policy, AI security guidance from the Cybersecurity and Infrastructure Security Agency, and a report on AI risks from the Countering Weapons of Mass Destruction Office. DHS plans to use AI for tasks like border security and disaster damage assessment. Secretary Mayorkas highlighted both opportunities and risks in AI development. [more] [more-2]
Attack on AI-as-a-service platform: Recent research highlights two critical risks for AI-as-a-service providers like Hugging Face. Threat actors could escalate privileges, access other customers' models, and compromise CI/CD pipelines. Malicious models pose a significant threat, potentially allowing attackers to perform cross-tenant attacks and access private AI models and apps. Shared inference infrastructure and CI/CD takeover are the main vulnerabilities, enabling attackers to run untrusted models and perform supply chain attacks. The study demonstrates the feasibility of breaching the service, uploading rogue models, and compromising the entire infrastructure, granting access to other customers' models. [more]
National Vulnerability Database’s backlog: The National Institute of Standards and Technology (NIST) attributes the recent backlog in analyzing vulnerabilities in the National Vulnerability Database (NVD) to increased software volume and changes in interagency support. This has led to delays in processing vulnerabilities, with only about half of the submitted vulnerabilities analyzed so far in 2024. NIST plans to address this by establishing a consortium to improve the NVD, but cybersecurity experts have raised concerns about the impact on critical infrastructure defense and urged Congress to fund and protect the NVD. [more]
Web3 Cryptospace Spotlight
Q1 2024: Immunefi's recent report indicates a 23.1% decrease in crypto losses during Q1 2024 compared to Q1 2023, but the industry still lost $336.3 million across 61 incidents. Crypto hacks comprised 95.6% of losses ($321.6 million) across 46 incidents, while fraud accounted for 4.4% ($14.7 million) across 15 incidents, mainly in DeFi. Ethereum and BNB Chain were the most targeted chains. $73.9 million (22% of total losses) was recovered from stolen funds. The Orbit Bridge and Munchables exploits were major contributors to losses, amounting to $81.7 million and $62.8 million, respectively, making up 43% of total losses in the quarter. [more]
Hacked again: FixedFloat, a decentralized cryptocurrency exchange, has been hit by another hack, losing around $2.8 million in Ethereum and other cryptocurrencies. This follows a previous hack in February where $26.1 million was lost. The attacker utilized a smart contract called eXch for the unauthorized transactions. FixedFloat's website is currently down for maintenance, and there have been no public statements from the exchange regarding the incident. [more]
Tokens inaccessible: Users of Lido's SOL staking protocol are facing concerns as a code bug has blocked access to $24 million in deposits. Lido, a leading liquid staking protocol in DeFi with over $31 billion in deposits, decided to discontinue its Solana version in October. However, when they removed the webpage allowing users to exchange stSOL tokens for SOL in February, over 112,000 stSOL tokens worth $24 million were left without an easy withdrawal method. Additionally, a newly discovered bug in Lido's smart contracts is further preventing users from accessing their funds. As a result, more than 31,000 wallets holding stSOL are currently unable to withdraw their assets, and Lido has not provided any comment on the situation. [more]