Jun 01 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that never trusted Phillip #Schofield.
Today’s hottest cyber security stories:
GUIDE: How to hack your smart toothbrush
Guess who’s back? RomCom RAT
Microsoft eats from the Apple of knowledge. Mac hack exposed!
This one’s a bit of a laugh. So, this guy wrote a funny little article about how he managed to hack his smart toothbrush. And we’re going to take you through how he did it. Because it’s fun.
The guy’s name is Cyrill Künzi and he first discovered that his newly purchased Philips Sonicare toothbrush was indeed a smart brush when he noticed that inserting a brush head made an LED flash.
After that, a Google search revealed that the brush talks to the handle to determine when it’s time to replace the brush. Clever, huh?
Problem is this neat little bit of functionality left the brush vulnerable to Cyrill’s sleight of hand cyber-tricks.
Just to be clear, this was just for fun but still quite interesting for us normies to observe, step by step, the processes hackers go through when attempting to trick a device.
And what’s more, despite making some progress with his hack, Cyrill hits a brick wall at the end of the article, inviting other brush-heads to come to his aid, via emailed suggestions.
So, once he realises there’s some method of communication taking place between the brush and the handle, he flips the head over and sees an antenna and what he reckons to be an IC (integrated circuit).
He checks the manual and reads: “Radio equipment in this product operates at 13.56 MHz.” Hey presto, he’s sussed that he’s dealing with an NFC tag… Hey Siri, what tf is an NFC tag?
Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of 4 cm (1.57 in) or less. Okay, makes sense.
Now, employing his trusty NFC Tools app, Cyrill learns a whole bunch of other juicy secrets about his Philips toothbrush.
And this is where it starts to get a wee bit complicated, to put it mildly. But, even for the layman, it makes for interesting reading if only to marvel at Cyrill’s Sherlock-like skills of deduction.
To finish reading the account, first hand, please click here for Cyrill’s toothbrush takedown.
But be warned, you’d better have had your Weetabix!
Get Bob Geldof on the blower because the Boomtown Rats are back in business. Oh hang on, that’s the RomCom RATs and they’re (marginally) less fun. Sorry Bob; Live Aid was great and all that.
Okay let’s get serious: Since July 2022, the perpetrators responsible for RomCom RAT have been exploiting a network of counterfeit websites that promote unauthorised versions of well-known software in order to infiltrate their targets.
It’s ‘Void’ of all reason
The activity cluster associated with this malicious campaign is being monitored by the cybersecurity company Trend Micro, which refers to it as Void Rabisu. It is also tracked as Tropical Scorpius by Unit 42 and UNC2596 by Mandiant.
Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat.
Let’s check in with the experts:
"These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said. Oh Lordy!
RomCom RAT attacks first scurried across the cyber-floor all the way back in August 2022. The well-respected Palo Alto Networks Unit 42 (bit of a mouthful!) first wrote about the group, linking it to a financially motivated crew deploying Cuba ransomware (aka COLDDRAW; no evidence of any affiliation with the country).
Since then, Trend Micro has had this to say about the love rats: "RomCom used spear-phishing against a member of a European parliament in March 2022, but targeted a European defence company in October 2022 with a Google Ads advertisement that led to an intermediary landing site that would redirect to a RomCom lure site."
Think we’ll stick to Four Weddings and a Funeral, ta!
Ha! Stick that in your weed pipe and smoke it, Apple, you tofu-eating, yoga-doing, California-dwelling bastards! We assume this is how Microsoft delivered the news of a, quote, ‘critical Apple macOS vulnerability allowing SIP protection bypass’.
Just kidding, us proud protectors of the cybersphere have to stick together no matter who threw the first proverbial snarky ad campaign. Who’s the bloody Mac Daddy now?
So, what happened? First things first: it’s been patched! So get updated, people. Stop clicking ‘Try Tonight’ and letting your poor sick Mac fall asleep.
FYI, this vulnerability, proudly exposed by MS, could potentially be exploited by threat actors who possess root access to bypass security measures and carry out unauthorised actions on compromised devices.
Referred to as Migraine and identified as CVE-2023-32369, this flaw specifically enables the circumvention of System Integrity Protection (SIP), also known as "rootless." SIP restricts the range of actions that even the root user can execute on safeguarded files and directories.
"The most straightforward implication of a SIP bypass is that […] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.
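Since the whole point of SIP is that it stays switched on, the check a Mac admin actually wants after a story like this is "is SIP still fully enabled on every box?". The following is an added example, not code from the newsletter or from Microsoft’s write-up: a small POSIX sh helper that classifies the output of Apple’s `csrutil status` command so a fleet script can flag hosts where SIP is disabled or custom-configured. The sample outputs are constructed for offline testing; the `sip_state` and `sip_ok` function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the newsletter or Microsoft's research):
# classify `csrutil status` output so a compliance script can flag Macs
# where System Integrity Protection is not fully enabled.
#
# Real usage on a Mac:   csrutil status | sip_state
# The SAMPLE_* strings below are constructed stand-ins for that output.

sip_state() {
    # Reads csrutil output on stdin and prints exactly one of:
    # enabled, disabled, custom, unknown.
    # The "custom" pattern is checked first because a custom configuration
    # also lists individual "enabled"/"disabled" flags underneath it.
    out=$(cat)
    case "$out" in
        *"Custom Configuration"*)                          echo custom ;;
        *"System Integrity Protection status: enabled."*)  echo enabled ;;
        *"System Integrity Protection status: disabled."*) echo disabled ;;
        *)                                                 echo unknown ;;
    esac
}

# Returns 0 (success) only when SIP is fully enabled, so it can gate a
# compliance check:  sip_ok "$(csrutil status)" || echo "SIP not enforced"
sip_ok() {
    [ "$(printf '%s\n' "$1" | sip_state)" = "enabled" ]
}

# Constructed sample outputs (shaped like csrutil's, but not captured from a device).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: enabled
	Filesystem Protections: disabled'
SAMPLE_GARBAGE='csrutil: command not found'

# Stand-alone demo: report each constructed sample's classification.
for s in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_CUSTOM" "$SAMPLE_GARBAGE"; do
    printf '%s -> ' "$(printf '%s\n' "$s" | head -n 1)"
    printf '%s\n' "$s" | sip_state
done
```

Note that `csrutil` only exists on macOS; the helper just reads whatever text you pipe in, so it also works on archived output collected from a fleet. Anything it cannot recognise is reported as `unknown` rather than quietly passing, which is the failure mode you want in a compliance check.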
Alright lads, quit your gloating 😂 That’s all, folks! Hope you enjoyed our take on today’s cyber-events. See you on the flipside, homies.
So long and thanks for reading all the phish!