The team at Morphisec discovered the ransomware attack and the iTunes zero-day after a victim in the automotive industry was hit by BitPaymer back in August. Further investigation traced the flaw to the Bonjour component that ships with both iTunes for Windows and iCloud for Windows. The bug is an unquoted service path vulnerability affecting the Bonjour updater binary: it let the attackers launch the Bonjour component and redirect its execution path to BitPaymer. Exploiting the zero-day did not grant admin rights, but it was enough to evade the locally installed antivirus solution. After it was reported to Apple, the zero-day was patched earlier this week, but people who used iTunes for Windows and iCloud for Windows are still vulnerable, because the Bonjour component remains on Windows systems even after the apps are uninstalled.
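The following is an added example, not code from the original post, Morphisec, or Apple. It shows the defender-side check for the bug class described above: enumerate service ImagePath values, flag the ones that are unquoted and contain spaces, list the intermediate paths Windows would try before the intended binary (the directories whose permissions need auditing), and produce the corrected, quoted ImagePath. The service names and paths are constructed sample data; the Bonjour entry is illustrative and is not the actual path from the advisory. On a real host you would feed it the ImagePath values read from the registry or `sc qc` instead of the embedded dictionary.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample ImagePath values (illustrative only; not real paths or IoCs from the post).
SAMPLE_SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "ExampleUpdater": r"C:\Program Files (x86)\Example Corp\Updater\upd.exe -svc",
    "SafeSvc": r'"C:\Program Files\Safe Corp\safe.exe" --run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


@dataclass
class Finding:
    name: str
    image_path: str
    exe_path: str
    lookup_paths: list = field(default_factory=list)


def split_command_line(image_path):
    """Split an ImagePath into (exe_path, args, was_quoted).

    Quoted paths end at the closing quote; unquoted ones are cut after the
    first '.exe' token, the usual approximation auditing tools use.
    (Hypothetical helper written for this example, not a Windows API.)
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if not m:
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False


def lookup_paths_before(exe_path):
    """Paths Windows tries, in order, before reaching the intended binary.

    CreateProcess splits an unquoted command line at each space and appends
    '.exe' to a prefix that has no extension. Only the intermediate
    candidates are returned: these are the locations a defender must confirm
    are not writable by unprivileged users.
    """
    candidates = []
    for idx, ch in enumerate(exe_path):
        if ch == " ":
            prefix = exe_path[:idx]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
    return candidates


def audit_services(services):
    """Return {name: Finding} for services whose executable path is unquoted and contains spaces."""
    findings = {}
    for name, image_path in services.items():
        exe_path, _args, quoted = split_command_line(image_path)
        if quoted or " " not in exe_path:
            continue
        findings[name] = Finding(name, image_path, exe_path, lookup_paths_before(exe_path))
    return findings


def quoted_image_path(image_path):
    """Remediation: the same ImagePath with the executable portion quoted."""
    exe_path, args, quoted = split_command_line(image_path)
    if quoted:
        return image_path
    fixed = f'"{exe_path}"'
    return f"{fixed} {args}" if args else fixed


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES).values():
        print(f"[!] {f.name}: {f.image_path}")
        for p in f.lookup_paths:
            print(f"    tried before the real binary: {p}")
        print(f"    fix ImagePath to: {quoted_image_path(f.image_path)}")
```

Quoting the path in the registry is the fix; the `lookup_paths` output tells you which directories to check for unexpected executables and for write permissions granted to standard users, which is the condition that turns this misconfiguration into a local code-execution problem.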
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In