Apple's Bonjour Zero-Day Exploited by Ransomware
The cybercriminal group behind BitPaymer and iEncrypt ransomware has been found exploiting a zero-day vulnerability in Apple's Bonjour updater service on Windows to evade antivirus detection.
The Bonjour service, often bundled with iTunes and iCloud, may remain on systems even after the main software is uninstalled. Researchers discovered its exploitation in an attack against an enterprise in the automotive industry.
Unquoted Service Path Vulnerability
The component was vulnerable to an "unquoted service path" flaw. This occurs when the path to a service's executable contains spaces but is not enclosed in quotes: Windows then tries each space-delimited prefix of the path in turn before the full path, so an attacker who can write to a parent directory can plant a malicious executable there (e.g., a file named "Program.exe" in the C:\ directory is tried before anything under C:\Program Files).
In this scenario, Bonjour was meant to run from the Program Files folder, but because of the unquoted path it instead ran the BitPaymer ransomware, which had been placed higher in the path under the name "Program."
Since Bonjour is a trusted, signed process, this technique allowed the ransomware to execute in a way that lowered the suspicion score of behavior-monitoring security tools, helping it evade detection.
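The following is an added example, not code from the article or from Apple or the researchers it cites, that models the resolution order described above and audits a list of service image paths for the flaw class. The service names and paths in SERVICES are constructed for illustration (the Bonjour path is an assumption, not taken from the article); on a real Windows host the same strings come from the PathName property of Win32_Service or from each service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class Finding:
    service: str
    image_path: str
    hijack_candidates: list[str]   # files Windows would try before the real executable
    dirs_to_check: list[str]       # parent directories whose ACLs a defender should verify


def split_command(image_path: str) -> tuple[str, bool]:
    """Return (executable spec, was_quoted). A quoted spec is unambiguous."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    return s, False


def executable_of(spec: str) -> str:
    """Best-effort guess at the real executable: everything up to the first '.exe'."""
    m = re.search(r"\.exe\b", spec, re.IGNORECASE)
    return spec[: m.end()] if m else spec


def probe_order(image_path: str) -> list[str]:
    """Model how Windows resolves an unquoted command line with spaces: it tries
    each prefix that ends at a space (appending .exe when the prefix has no
    extension) before the full string. Windows stops at the first file that
    exists; this model lists every prefix so an auditor can see all of them."""
    spec, quoted = split_command(image_path)
    if quoted:
        return [spec]
    tokens = spec.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        leaf = prefix.rsplit("\\", 1)[-1]
        if "." not in leaf:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_candidates(image_path: str) -> list[str]:
    """Paths Windows would try before reaching the intended executable."""
    spec, quoted = split_command(image_path)
    if quoted:
        return []
    real = executable_of(spec)
    out = []
    for candidate in probe_order(image_path):
        if candidate == real:
            break
        out.append(candidate)
    return out


def audit(services: dict[str, str]) -> list[Finding]:
    """Flag every service whose unquoted path lets a higher-level file be run instead."""
    findings = []
    for name, image_path in services.items():
        candidates = hijack_candidates(image_path)
        if candidates:
            dirs = sorted({ntpath.dirname(c) for c in candidates})
            findings.append(Finding(name, image_path, candidates, dirs))
    return findings


# Constructed sample inventory (not real host data). The Bonjour path is an
# assumed example of the flaw class the article describes.
SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Vendor Agent": r'"C:\Program Files\Vendor\agent.exe" -run',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


if __name__ == "__main__":
    for f in audit(SERVICES):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.hijack_candidates:
            print(f"    would run first if present: {c}")
        print(f"    verify write ACLs on: {', '.join(f.dirs_to_check)}")
```

The report lists, for each flagged service, the files Windows would execute instead of the intended binary and the directories whose write permissions decide whether a local user could plant one; quoting the ImagePath (or restricting writes to those directories) closes the gap. A quoted path is returned unchanged by probe_order, which is why the "Vendor Agent" entry produces no finding.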
Security Patches Released
Apple addressed the vulnerability in October 2019 by releasing iCloud for Windows 10.7, iCloud for Windows 7.14, and iTunes 12.10.1 for Windows. Users are advised to update their software or manually uninstall the Bonjour service if it is no longer needed.