UK nuclear site attacked by state-linked attackers
The Guardian reports that threat actors linked to Russia and China breached the UK’s Sellafield nuclear site. Sellafield holds the largest store of plutonium on Earth and serves as a large-scale disposal site for nuclear waste. Sources say authorities do not have an exact date of compromise, but that breaches were first detected back in 2015. It is not known whether malware remains on the site’s systems, but sources say it’s likely the attackers already accessed its most sensitive data. The Guardian learned the UK’s Office for Nuclear Regulation, or ONR, placed the site under “special measures” last year for cybersecurity failings. The regulator only learned of the issues after staff at an external site reported they could access Sellafield servers.
US confirms Iranian actors behind water breaches
In a joint advisory, CISA, the FBI, NSA, EPA and the Israel National Cyber Directorate confirmed that a hacking persona of Iran’s Islamic Revolutionary Guard Corps known as CyberAv3ngers orchestrated attacks on Unitronics programmable logic controllers used at water utilities and other infrastructure. Starting on November 22nd, the attacks targeted internet-exposed devices still using default credentials. We previously reported on attacks by the group on water utilities in Pennsylvania. The UK’s National Cyber Security Centre said some of its domestic infrastructure may be at risk of similar attacks, but characterized the impact as minimal.
The infinite regress of ChatGPT data exfiltration
Researchers at DeepMind published a paper detailing that asking ChatGPT to repeat a specific word “forever” can cause it to reveal training set data. The researchers found that when given this query, ChatGPT 3.5 would start repeating the word before hitting some sort of limit and then outputting other text, some of it memorized verbatim from its training data. The researchers extracted several megabytes worth of data, including PII. Jason Koebler of 404 Media notes that similar requests now return a warning that they may violate OpenAI’s content policy or terms of use. OpenAI did not comment on the findings.
Military cyber advocacy group names its first president
The Military Cyber Professionals Association, or MCPA, named Chris Cleary to the role. The MCPA began operations in 2013 and until now was run by a board of advisors. Cleary previously served as the Navy’s first principal cyber advisor. Cleary hopes to build up collective memory within the military cyber world, describing it as unique among warfighting domains in its lack of long-term institutional knowledge. Cleary also sees the group pushing for more cyber advocacy on Capitol Hill.
And now a word from our sponsor, Barricade Cyber Solutions

EU agreement on Cyber Resilience Act
On December 3rd, the European Parliament and EU Council reached an agreement on the Cyber Resilience Act. The EU Commission first proposed the CRA in September 2022. The law impacts connected devices across sectors, requiring mandatory reporting of exploited vulnerabilities and incidents and at least five years of security updates. The CRA still needs formal approval from the Parliament and Council, but with the political agreement in place it is now set to become law. Once published in the EU’s Official Journal, manufacturers will have 36 months to meet its requirements.
23andMe data leak expands
Back in October, the genetic testing company announced it experienced a data breach. Late last week it said threat actors accessed personal data on 0.1% of users, about 14,000 individuals. That disclosure also mentioned that accessing those accounts exposed “a significant number” of files containing other users’ ancestry profile information. Now the company says that exposure impacted 6.9 million people. This included 5.5 million who opted into the company’s DNA Relatives feature, exposing names, relationships, percentage of DNA shared, and ancestry reports. An additional 1.4 million people had Family Tree information accessed.
UEFI flaw opens the door to bootkits
Security researchers at Binarly detailed LogoFAIL, a set of vulnerabilities in the image parsing libraries that UEFI firmware uses to display boot logos, which allow a malicious image file to hijack the boot process and bypass boot validation such as Secure Boot. This impacts image parsers across firmware from AMI, Insyde, Phoenix, Intel, Acer, and Lenovo, allowing a crafted image file to execute code at boot. Because the attack is carried in an image file rather than by modifying the bootloader or firmware components, it is harder to identify than the BlackLotus bootkit disclosed earlier this year. The researchers plan to release full technical findings at Black Hat Europe on December 6th.
Phony WordPress advisory includes backdoor
If you’re a website admin, it’s usually a good idea to keep up on security advisories. However, researchers at Wordfence and Patchstack published a report on a new threat campaign looking to take advantage of that behavior. Threat actors began sending a fake security advisory to WordPress admins, claiming to describe a vulnerability tracked as CVE-2023-45123 and urging them to install a plugin to remediate the issue. Instead, this plugin creates a hidden admin user, sends site information to a C2 server, and then installs a backdoor payload.
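A practical check for the two side effects described above, an unexpected administrator account and an unexpected plugin, is to compare WP-CLI listings against allowlists you maintain. The script below is an added example and is not code from the Wordfence or Patchstack report; it assumes WP-CLI is installed and that you export the listings with `--skip-plugins`, so a plugin that hides its own admin user or itself from WordPress’s own listings cannot filter the output. The CSV rows, user names, plugin names and allowlists in it are constructed for the example.

```shell
#!/bin/sh
# Added example: audit WordPress admin users and installed plugins against allowlists.
# Real inputs (WP-CLI; --skip-plugins prevents a malicious plugin from filtering the listing):
#   wp user list --role=administrator --fields=user_login,user_email --format=csv --skip-plugins > admins.csv
#   wp plugin list --fields=name,status --format=csv --skip-plugins > plugins.csv
# The sample data written by write_samples below is constructed for this example.

# Print every value in the first CSV column of $1 (header row skipped) that does not
# appear as an exact line in the allowlist file $2.
report_unlisted() {
  tail -n +2 "$1" | cut -d, -f1 | while IFS= read -r item; do
    grep -qxF -- "$item" "$2" || printf '%s\n' "$item"
  done
}

# Write constructed sample exports and allowlists to a temp directory; print its path.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/admins.csv" <<'EOF'
user_login,user_email
alice,alice@example.com
wp-sec-helper,noreply@example.net
EOF
  printf 'alice\n' > "$dir/admin-allowlist.txt"
  cat > "$dir/plugins.csv" <<'EOF'
name,status
akismet,active
wordfence,active
wp-security-patch,active
EOF
  printf 'akismet\nwordfence\n' > "$dir/plugin-allowlist.txt"
  printf '%s\n' "$dir"
}

# Run both checks on a directory laid out like write_samples produces.
# Returns 0 when everything is allowlisted, 1 otherwise, printing the findings.
audit_site() {
  findings=$(
    report_unlisted "$1/admins.csv" "$1/admin-allowlist.txt" | sed 's/^/unexpected admin: /'
    report_unlisted "$1/plugins.csv" "$1/plugin-allowlist.txt" | sed 's/^/unlisted plugin: /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Stand-alone demo: reports the constructed rogue admin and rogue plugin.
demo_dir=$(write_samples)
audit_site "$demo_dir" || echo "findings above need investigation"
```

Run it from a cron job or a CI step and alert on a non-zero exit. Any admin user or plugin it reports that you did not create yourself deserves a look at the plugin’s PHP source and the site’s outbound connections before it is removed.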