Topic: Apple Software Update Zero-Day Used by BitPaymer Ransomware
javajolt (Administrator)
« on: October 11, 2019, 12:56:46 PM »

Several companies from the automotive industry were targeted by BitPaymer ransomware operators during August, in attacks that used an Apple zero-day vulnerability impacting the Apple Software Update service bundled with iTunes and iCloud for Windows.

Apple Software Update is an updater service that gets automatically installed on computers when users install iTunes or iCloud for Windows or when using Boot Camp Assistant to install Windows on a Mac.

This service is designed to keep all Apple apps up to date on a Windows device, as well as to deliver software and security updates to Windows installations running on Mac computers.

Unquoted path zero-day vulnerability

BitPaymer's operators found an unquoted path vulnerability within Apple Software Update for Windows which allowed them to launch their ransomware payload on the devices of any target that used iTunes or iCloud, as well as on those where they were previously uninstalled since the updater service is not also removed automatically.

As part of their attacks, the BitPaymer operators executed a previously dropped ransomware payload instead of the Apple Software Update binary by abusing the zero-day.

They did this by taking advantage of the fact that Apple's developers did not surround the service binary's execution path with quotes. This made it possible for them to launch the BitPaymer ransomware dropped in the form of a binary named 'Program' without an extension.

Given that the Apple Software Update binary is signed by Apple, using it to launch the ransomware payload also enabled them to evade detection, fooling the behavioral engine of anti-malware solutions present on the compromised systems.

[Image: Apple Software Update unquoted path]

"We also note that the malicious file doesn't have to be placed in the C drive and called Program. It can also be called Apple or Apple Software and placed in Program Files," adds Morphisec CTO Michael Gorelik.

"Of course, the adversary would need write-privileges for any of those folders. We haven't observed any possible privilege escalations due to this vulnerability."

Apple patched the zero-day vulnerability disclosed by Morphisec with the release of iTunes 12.10.1 for Windows and iCloud for Windows 7.14/10.7 on October 7.

"Within the disclosure period and while waiting for the official patch, Morphisec has identified and reported on additional vulnerable components that could be similarly misused," added Morphisec.

The BitPaymer ransomware utilized in the malicious campaign spotted by Morphisec in August was initially discovered during July 2017 and used to hunt down and infect high-profile targets, allowing its operators to ask for hefty ransoms when compared to other ransomware gangs.

source
« Last Edit: October 11, 2019, 01:04:44 PM by javajolt » Logged
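As an added illustration of the unquoted-path problem described in the post (example code written here, not part of the article, the forum post, or Morphisec's work), the Python helper below takes a service ImagePath string and lists the file names Windows would try before the intended binary, which is the set of locations an administrator would check or monitor for unexpected files. The sample ImagePath values are constructed; the Apple-like one is an assumption modeled on the article's description, not the real registry value.

```python
import re

# Constructed sample ImagePath values for illustration; the first one is modeled
# on the article's description of the Apple Software Update service path and is
# an assumption, not the real registry value.
SAMPLE_SERVICES = {
    "AppleSoftwareUpdate-like": r"C:\Program Files\Common Files\Apple\Apple Software Update\SoftwareUpdate.exe",
    "QuotedVendorAgent": r'"C:\Program Files\Vendor\Agent Service\agent.exe" -run',
    "svchost-style": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

# Extensions that mark the end of the executable part of an unquoted command line.
EXE_EXT = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def hijack_candidates(image_path: str) -> list[str]:
    """Return the file names Windows would try before the intended binary when
    the ImagePath is unquoted and contains spaces; [] when the path is unambiguous.

    For each space-delimited prefix that precedes the executable, both the bare
    name (e.g. C:\\Program, the form used in the campaign) and the .exe form are
    listed, since CreateProcess appends .exe to a candidate without an extension.
    """
    cmdline = image_path.strip()
    if cmdline.startswith('"'):
        return []  # quoted: the executable name is delimited, nothing to truncate
    tokens = cmdline.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if EXE_EXT.search(prefix):
            break  # reached the real executable; later tokens are arguments
        candidates.append(prefix)
        candidates.append(prefix + ".exe")
    return candidates


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each service with an unquoted, space-containing ImagePath to the
    paths a defender should check for unexpected files."""
    return {name: c for name, path in services.items() if (c := hijack_candidates(path))}


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces, check for unexpected files at:")
        for p in paths:
            print("   ", p)
```

On a live system the ImagePath values would come from HKLM\SYSTEM\CurrentControlSet\Services (or `Get-CimInstance Win32_Service`), and a non-empty result for a service is a finding regardless of whether any of the listed files currently exist.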