The team at Morphisec discovered the ransomware attack and iTunes zero day after someone in the automotive industry was affected by BitPaymer back in August. Through further investigation it was found that the flaw was within the Bonjour component that ships with both iTunes for Windows and iCloud for Windows. The bug is an unquoted service path vulnerability that affects the binary of the Bonjour update, which allows perpetrators to launch the Binary component and redirect its execution path toward BitPaymer. Admin rights were not granted by taking advantage of the zero day but it was enough to trick the locally-installed antivirus solution. After it was reported to Apple, they patched the zero day earlier this week, but people who used iTunes for Windows and iCloud for Windows are still vulnerable–this is because the Bonjour component stays on Windows systems even after the apps are uninstalled.
Analyst Notes
To stay safe, workstations must be scanned in order to locate the Bonjour component and remove it by hand. The newest versions of iTunes for Windows can also be downloaded to ensure that the Bonjour component is updated.
