
Critical iTunes vulnerability exploited by ransomware. Update now

A couple of months ago, a team of digital forensics specialists from security firm Morphisec discovered a malicious campaign that used a new form of detection evasion targeting a major automotive company.

Now, specialists from the same company have revealed the active exploitation of a zero-day vulnerability in Bonjour, Apple’s updater tool included in iTunes for the Windows operating system.

To add some context, Apple has decided to retire iTunes for Mac, a measure effective since the release of macOS Catalina, scheduled for later this week. On the other hand, Windows users will still have iTunes, at least until next year.

According to the digital forensics specialists, threat actors found a way to abuse an unquoted path to maintain persistence on a system while avoiding detection. The vulnerability was reported to Apple following the established disclosure timeline and confidentiality rules.

In their report, the experts describe the method used to exploit this flaw. “It is not very common to find these kinds of exploited vulnerabilities in the wild; however, this is a bug that had already been identified by other companies before.” In fact, this class of vulnerability has been known for at least 15 years.

Some experts classify these flaws as privilege escalation vulnerabilities, as they reside in a service or process that requires administrator rights. “So much has been said about this kind of flaw that it is normal to think that programmers would know this security risk, although we have already seen that it is not actually like that,” the experts mention.

“Developers are increasingly focused on object-oriented programming; when they assign a path to a variable, they consider that using the string type is sufficient, even if it is necessary to quote the path,” the digital forensics experts add.

Bonjour, the tool where the flaw resides, is Apple’s mechanism for delivering future updates, and it contains one of these unquoted paths. Bonjour has its own entry in the installed software list and a scheduled task that runs its process. Users are generally unaware that the Bonjour component must be uninstalled separately when uninstalling iTunes, so their machines are left with the update task installed and running.
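The unquoted-path problem described in the preceding paragraphs is easy to check for statically. The following Python helper is an added example (it is not code from Morphisec, Apple or this article, and the command lines in it are constructed samples, not real Bonjour paths). Given the command string stored in a service's ImagePath or a scheduled task's action, it reproduces how Windows resolves an unquoted executable path containing spaces: each space-delimited prefix is tried in turn, with `.exe` appended where no extension is present, until a file exists. From that it lists the directories an administrator must confirm are not writable by standard users, and produces the quoted form that removes the ambiguity.

```python
"""Audit helper for unquoted Windows command lines (added example, not code from
Morphisec, Apple or the article; sample paths below are constructed).

A service ImagePath or scheduled-task action such as
    C:\\Program Files\\Example Vendor\\Updater\\update.exe -silent
is ambiguous when the path contains spaces and no quotes: CreateProcess tries
each space-delimited prefix in turn, appending .exe where no extension is
present, until a file exists.  The functions below model that resolution so an
auditor can list the locations that must deny write access to standard users,
and can emit the quoted form that fixes the entry.
"""
import ntpath
import re
from typing import List, Optional, Tuple

# Extensions treated as "already an executable" (simplification: services and task
# actions go through CreateProcess, which does not consult PATHEXT).
_EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def is_quoted(cmd: str) -> bool:
    """True when the executable portion is wrapped in double quotes."""
    return cmd.lstrip().startswith('"')


def split_executable(cmd: str) -> Tuple[Optional[str], str]:
    """Split a command line into (executable, arguments).

    For a quoted command the executable is the quoted span.  For an unquoted one
    the executable is taken to end at the first space-delimited prefix that ends
    in a known executable extension; None is returned if no such prefix exists.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return None, ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if _EXEC_EXT.search(prefix):
            return prefix, " ".join(tokens[i:]).strip()
    return None, ""


def hijack_candidates(cmd: str) -> List[str]:
    """Paths Windows would probe *before* the intended binary, in probe order.

    Empty when the command is quoted, its path has no spaces, or the executable
    cannot be identified: in those cases there is nothing ambiguous to audit.
    """
    if is_quoted(cmd):
        return []
    exe, _ = split_executable(cmd)
    if exe is None or " " not in exe:
        return []
    tokens = exe.split(" ")
    out = []
    for i in range(1, len(tokens)):  # every prefix except the full path
        prefix = " ".join(tokens[:i])
        if not _EXEC_EXT.search(prefix):
            prefix += ".exe"  # CreateProcess appends .exe when no extension is given
        out.append(prefix)
    return out


def directories_to_verify(cmd: str) -> List[str]:
    """Parent directories of each candidate.  These must deny write access to
    standard users; if any is writable, the unquoted path is exploitable."""
    seen: List[str] = []
    for path in hijack_candidates(cmd):
        d = ntpath.dirname(path)
        if d not in seen:
            seen.append(d)
    return seen


def quoted_form(cmd: str) -> str:
    """Return the command line with its executable path quoted (the fix)."""
    if is_quoted(cmd):
        return cmd.strip()
    exe, args = split_executable(cmd)
    if exe is None:
        raise ValueError("cannot identify executable in: %r" % cmd)
    return '"%s"%s' % (exe, " " + args if args else "")


# Constructed sample entries (not real Apple/Bonjour paths): one unquoted, one fixed.
SAMPLE_UNQUOTED = r"C:\Program Files\Example Vendor\Updater\update.exe -silent"
SAMPLE_QUOTED = r'"C:\Program Files\Example Vendor\Updater\update.exe" -silent'

if __name__ == "__main__":
    for cmd in (SAMPLE_UNQUOTED, SAMPLE_QUOTED):
        print("command:", cmd)
        print("  probes:", hijack_candidates(cmd) or "none (path is quoted or has no spaces)")
        print("  verify:", directories_to_verify(cmd))
        print("  fixed :", quoted_form(cmd))
```

On a real host the same logic would be fed the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services` and the action strings of scheduled tasks; the directories it returns are the ones whose ACLs need checking, and the quoted form is what the registry value or task action should be changed to. The point the article makes about uninstalled iTunes applies directly: an entry is only harmless once it is removed or quoted, not because the application that installed it is gone.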

“Simply put, many users uninstalled iTunes years ago; however, Bonjour remains active in the background, functioning as an attack surface,” the experts mention.

If a legitimate process signed by a known vendor launches a malicious child process, the associated alert receives a lower confidence score than it would for a process from an unknown or unsigned vendor. Attackers take advantage of Bonjour being a signed process from a known vendor to exploit this.

Digital forensics specialists from the International Institute of Cyber Security (IICS) believe that the hacker group responsible for both campaigns must have conducted thorough research to anticipate the next steps of software developers, indicating a wide availability of resources and great planning capacity.
