Apple iTunes, iCloud Zero-Day Exploited to Inject BitPaymer Ransomware in Windows PCs

A zero-day vulnerability found in Apple iTunes and iCloud was exploited by cybercriminals to infect Windows computers of an automotive company with the BitPaymer ransomware. The attack was reportedly not detected by antivirus solutions. According to Morphisec security researchers, the exploited vulnerability was found in the Bonjour component that iTunes and iCloud programs for Windows use to deliver software updates.

[READ: Security 101: Zero-Day Vulnerabilities and Exploits]

The unquoted service path vulnerability found in Bonjour, which occurs when a file path is left without quote marks, can allow cybercriminals to execute arbitrary code without tipping off antivirus solutions because it resides within a trusted program. 

Because Bonjour is a signed program, cybercriminals took advantage of the unquoted service path vulnerability to run the BitPaymer ransomware that they named “Program.” Normally, the Bonjour component runs from the “Program Files” folder. BitPaymer also managed to evade cybersecurity detection because it did not have the .exe extension.

[READ: Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec]

It should be noted that this vulnerability only affects users of iTunes and iCloud on the Windows platform, as iTunes no longer exists for Mac users with the emergence of macOS Catalina. This Windows vulnerability has been patched by Apple earlier this week.

How can users and businesses defend against zero-day attacks?

Given their nature, zero-day attacks are inherently unpredictable and difficult to prepare for and defend against. This is especially true for organizations whose security measures are developed around known and already patched flaws. A proactive, defense-in-depth approach, however, can help mitigate them.

Here are some of the other countermeasures that organizations can adopt to defend against zero-day attacks:

• Regularly update IT infrastructure. While this may seem like a reactive strategy, applying patches to systems, servers, and networks as soon as they’re available lowers the number of exploits that target them. Accordingly, organizations should also factor zero-days in their patch management policies as well as incident response and remediation strategies.
• Secure email gateways, servers, and networks. Zero-day attacks can take the form of threats that may target different parts of an organization’s online infrastructure — either to facilitate the execution of malware, deliver payloads, or perform lateral movement — which is why it’s important to secure them equally.
• Enforce the principle of least privilege. Many threats abuse legitimate and open-source penetration testing and system administration tools to exploit a vulnerability successfully. Restricting and securing their use helps reduce the risks of attackers gaining access to the entire network or system.
• Nurture and practice cybersecurity hygiene. Fostering a culture of cybersecurity, which includes increasing user awareness on phishing attacks, helps just as much as the security solutions that are deployed by the organization.
• Employ multilayered security defenses. Additional layers of security reduce an organization’s attack surface. Firewalls and intrusion detection and prevention systems, for instance, help filter malicious traffic and network activities. Application control and behavior monitoring prevents dubious executables and malware-related routines from running, while sandboxes quarantine suspicious and malicious files.

Trend Micro solutions

The Trend Micro^™ Apex One^™ security solution’s virtual patching delivers the timeliest vulnerability protection across a variety of endpoints, including point-of-sale (PoS), internet of things (IoT) devices, and systems with end-of-support (EoS) operating systems. 

The Trend Micro^™ TippingPoint^® Threat Protection System provides virtual patching and extensive zero-day protection against network-exploitable vulnerabilities via Digital Vaccine® filters.

The Trend Micro^™ Deep Discovery^™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, customized sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.