Written by Anthony Carballo
on October 17, 2019

Another day, another vulnerability. This time it again involves Apple, though indirectly: the flaw affects Windows systems running the iTunes app. In August, researchers from Morphisec Labs identified abuse of the flaw, which exists in the Bonjour updater packaged with iTunes for Windows, to deliver ransomware in an attack on an unidentified enterprise in the automotive industry.

The cybercrime group behind the 'BitPaymer' and 'iEncrypt' ransomware attacks has been found exploiting this zero-day vulnerability, which affects the updater (Bonjour) bundled with Apple's iTunes and iCloud software for Windows, to evade antivirus detection.

TTPs

The Bonjour component was found vulnerable to the unquoted service path vulnerability, a common software security flaw that occurs when the path to a service's executable contains spaces and is not enclosed in quotation marks ("").

An unquoted service path can be exploited by planting a malicious executable in one of the parent directories along the path, tricking a legitimate and trusted application into launching the malicious program, which gives the attacker persistence and helps evade detection (signature-based detection doesn't work as well as you might think).

Beyond evading detection, in some cases the unquoted service path vulnerability can also be abused to escalate privileges, when the vulnerable program runs with higher privileges.
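The mechanism described above can be audited on any Windows host. The PowerShell script below is an added example, not code from the original post or from Apple or Morphisec: it enumerates services whose binary path is unquoted and contains spaces, lists the intermediate paths the process loader would try before the intended binary, and flags two things a defender cares about: a file already sitting at one of those paths (a possible planted binary) and a parent directory that non-administrators can write to. The function names and the sample path under `Program Files\Example Vendor` are assumptions constructed for illustration; run it in an elevated PowerShell session on the host being audited.

```powershell
# Added audit example (not from the original post). Assumes an elevated session.

function Get-ServicePathCandidate {
    <#
      Given an unquoted executable path, return every path the loader would try
      before the intended one: the text before each space with ".exe" appended,
      followed by the full path itself.
    #>
    param([Parameter(Mandatory)][string]$ExePath)

    $candidates = @()
    for ($i = 0; $i -lt $ExePath.Length; $i++) {
        if ($ExePath[$i] -eq ' ') {
            $candidates += $ExePath.Substring(0, $i) + '.exe'
        }
    }
    $candidates += $ExePath
    return $candidates
}

function Test-WeakDirectoryAcl {
    # True when a broad, low-privilege principal holds write/modify/full rights.
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Win32_Service.PathName is the exact command line the Service Control Manager runs.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^\s*"' -and     # not already quoted
            $_.PathName -match '^[A-Za-z]:\\'      # absolute local path
        } |
        ForEach-Object {
            # Isolate the executable from any trailing arguments; skip if no .exe found.
            if ($_.PathName -notmatch '^(?<exe>.*?\.exe)') { return }
            $exePath = $Matches['exe']
            if ($exePath -notmatch ' ') { return }  # no space: unquoted but harmless

            foreach ($candidate in Get-ServicePathCandidate -ExePath $exePath) {
                if ($candidate -eq $exePath) { continue }   # the legitimate binary
                [PSCustomObject]@{
                    Service        = $_.Name
                    ServiceAccount = $_.StartName
                    CandidatePath  = $candidate
                    FileExists     = Test-Path -LiteralPath $candidate   # planted file?
                    DirWritable    = Test-WeakDirectoryAcl -Directory (Split-Path -Parent $candidate)
                }
            }
        }
}

# Offline demonstration with a constructed path (no real service required):
Get-ServicePathCandidate -ExePath 'C:\Program Files\Example Vendor\Updater Service\updater.exe'

# Live audit of the current host:
Get-UnquotedServicePath | Format-Table -AutoSize
```

For the constructed path the first call returns `C:\Program.exe`, `C:\Program Files\Example.exe`, `C:\Program Files\Example Vendor\Updater.exe` and then the full path, which is exactly the order a reviewer needs to check for stray files and loose directory permissions. A row with `FileExists` true deserves immediate investigation; a row with `DirWritable` true is the misconfiguration to fix, either by quoting the service path or by tightening the directory ACL.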

CVEs

No CVE ID has been assigned yet; Apple security documents reference vulnerabilities by CVE ID when possible.

Conclusions

Bonjour is used to run Apple's apps on Windows, such as iTunes and Safari. The program could have been installed on your computer without you noticing; it also does not appear as an app with an icon, so searching for it that way will not find it.

If you ever installed any Apple software products on your Windows computer and later uninstalled them, you should check the list of installed applications on your system for the Bonjour updater and uninstall it manually.

Apple fixed this vulnerability with the release of security updates for iCloud and iTunes for Windows last week. Bear in mind that uninstalling the iTunes program does not fix the problem: Apple Software Update continues to run on the machine and requires a separate procedure to remove it.

This criminal group shows an advanced and innovative effort, in this case trying to evade EDRs and, almost certainly, antivirus, by using the unquoted path in the Apple Bonjour update service to run malware, ransomware in this case.

Advice

Even if you don't think you have it, we suggest checking manually for this program among the installed programs, as sometimes it only takes plugging in an iPhone or iPod for Bonjour to be installed on your Windows machine, even if you've only used the USB port to charge the device.
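The manual check suggested above (and the note that Apple Software Update keeps running after iTunes is removed) can be scripted. The following is an added example, not code from the original post or from Apple: it reads the 64-bit and 32-bit Uninstall registry keys and the service table and reports any Apple component matching a name pattern. The function name and the default pattern are assumptions; adjust the pattern if a component on your machine uses a different display name.

```powershell
# Added example (not from the original post). Run as an administrator.

function Get-AppleResidue {
    # Components named in the post; extend the pattern for other Apple leftovers.
    param([string]$Pattern = 'Bonjour|Apple Software Update')

    # Both registry views: 64-bit programs and 32-bit programs on a 64-bit OS.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind    = 'InstalledProgram'
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Detail  = $_.UninstallString   # how to remove it
            }
        }

    # Services keep running even when the product that installed them is gone.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Kind    = 'Service'
                Name    = $_.Name
                Version = $_.State            # Running / Stopped
                Detail  = $_.PathName         # unquoted paths show up here too
            }
        }

    @($programs) + @($services)
}

Get-AppleResidue | Format-Table -AutoSize
```

An empty result means neither the installer entries nor the services are present. Any `Service` row whose `Detail` path contains spaces and starts without a quotation mark is the exact condition described in the TTPs section and should be removed or patched with Apple's updates.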

After discovering the exploitation of this vulnerability, the researchers informed Apple and shared the details with them, so the issue could be fixed before more groups exploited it. As a consequence, Apple had time to fix it and has released security updates for these programs; you can check these updates here.
