News

Attackers exploited a 0-day iTunes vulnerability to spread ransomware

MorphiSec specialists found that the operators of the BitPaymer ransomware were using a 0-day vulnerability in iTunes for Windows to launch their malware in a way that let it slip past the anti-virus solutions on the infected hosts.

The problem was discovered while investigating an attack on an unnamed automotive company that was hit by BitPaymer in August of this year.

“We have identified the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future”, MorphiSec experts report.

Apple has already fixed the problem by releasing updated versions of iTunes for Windows and iCloud for Windows this week.

The root of the vulnerability lies in the Bonjour update component, which ships with both products.

The bug allowed the attackers to launch the legitimate Bonjour component and then divert it. Because the path it was started from was not enclosed in quotes, Windows could not tell where the program name ended and tried each space-delimited prefix of the path in turn, so a file the attackers had placed at one of those shorter locations was executed instead of the intended Bonjour binary, and that file was BitPaymer. The vulnerability did not grant administrator rights, but it was enough to evade the security software installed on the hosts, since the malicious file was started by a trusted Apple component rather than directly by the attackers.

“The adversaries abused an unquoted path vulnerability. The unquoted path vulnerability is rarely seen in the wild, yet it is a well-known bug that has previously been identified by other vendors for more than 15 years. It is so thoroughly documented that you would expect programmers to be well aware of the vulnerability. But that is not the case, and this Apple zero-day is evidence”, write MorphiSec researchers.

Apple Software Update, the mechanism Apple uses to deliver future updates, contains one such path without quotes.
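The search order behind an unquoted path is easy to reproduce, and doing so shows exactly which files an attacker would need to plant. The script below is an added example written for this article, not code from MorphiSec or Apple. It takes service ImagePath strings, reproduces the order in which Windows (CreateProcess) tries the space-delimited prefixes of an unquoted path with ".exe" appended where a prefix has no extension, and lists every location where a planted file would be run instead of the real binary. The sample entries are constructed for illustration; the Bonjour line is an assumed pre-patch value, not a string copied from a real registry, and the optional live scan reads the local service list only when run on Windows.

```python
"""Unquoted-path audit for Windows services and the files an attacker could plant.

Added example, not code from Morphisec or Apple. Reproduces the search order
Windows (CreateProcess) applies to an unquoted program path containing spaces:
each space-delimited prefix is tried in turn, with ".exe" appended when the
prefix has no extension, so an attacker who can create a file at one of the
shorter prefixes gets it executed instead of the real binary. The sample
ImagePath values are constructed; the Bonjour entry is an assumed pre-patch
value, not a string copied from a real registry.
"""
import ntpath
import os
import re
import sys

# The first ".exe" ends the executable part of an unquoted command line. This is
# a heuristic: the string itself cannot say where the path stops, which is the bug.
_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(image_path: str) -> tuple[str, bool]:
    """Return (exe_path, was_quoted) for a service ImagePath / command line."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    m = _EXE_RE.match(p)
    return (m.group(1) if m else p.split(" ")[0]), False


def hijack_candidates(exe_path: str) -> list[str]:
    """Paths Windows tries, in order, for an unquoted exe_path with spaces.

    The last element is the intended binary; every earlier one is a location
    where a planted file would be executed first.
    """
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not ntpath.splitext(cand)[1]:   # no extension -> Windows appends .exe
            cand += ".exe"
        candidates.append(cand)
    return candidates


def is_vulnerable(image_path: str) -> bool:
    """True when the executable path is unquoted and contains a space."""
    exe, quoted = executable_part(image_path)
    return not quoted and " " in exe


def audit(services) -> dict[str, list[str]]:
    """Map each vulnerable service name to the files an attacker could plant."""
    findings = {}
    for name, image_path in services:
        if is_vulnerable(image_path):
            exe, _ = executable_part(image_path)
            findings[name] = hijack_candidates(exe)[:-1]
    return findings


def local_services():
    """Windows only: (name, expanded ImagePath) for every installed service."""
    import winreg  # only present on Windows
    found = []
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:           # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:           # drivers/services without an ImagePath
                continue
            found.append((name, os.path.expandvars(str(value))))
    return found


# Constructed sample data (not a real registry dump).
SAMPLE_SERVICES = [
    ("Bonjour Service", r"C:\Program Files\Bonjour\mDNSResponder.exe"),          # assumed unquoted
    ("Dnscache", r"C:\Windows\system32\svchost.exe -k NetworkService -p"),       # spaces only in args
    ("Example Agent", r'"C:\Program Files\Example Vendor\agent.exe" --service'),  # quoted: safe
    ("Legacy App", r"C:\Program Files (x86)\Legacy Tools\Sub Dir\svc.exe"),     # several plant points

]

if __name__ == "__main__":
    services = local_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, plant_points in audit(services).items():
        print(f"[!] {name}")
        for path in plant_points:
            print(f"      a planted file would be run from: {path}")
```

Run on a Windows host it walks the real service list, so a leftover Bonjour service from an uninstalled iTunes shows up alongside any other unquoted path; the svchost entry demonstrates that spaces only in the arguments are not a finding, and the quoted entry shows the fix, which is simply wrapping the executable path in double quotes.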

Solution:

At the same time, the researchers warn that simply updating iTunes for Windows and iCloud for Windows may not be enough: the Bonjour component stays installed on Windows even after iTunes or iCloud for Windows has been completely uninstalled.


This means that users who installed these applications in the past and later removed them are still exposed to the vulnerability. To close the hole, either remove Bonjour manually or install the latest, patched version of iTunes for Windows, which replaces the old version of the component.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
