A couple of months ago, a team of digtial forensics specialists from security firm Morphisec discovered a malicious campaign that used a new form of detection evasion targeting a major automotive company.
Now, specialists from the same company have revealed the active exploitation of a zero-day vulnerability in Bonjour, Apple’s updater tool included in iTunes for the Windows operating system.
To add some context, Apple has decided to retire iTunes for Mac, a measure effective since the release of macOS Catalina, scheduled for later this week. On the other hand, Windows users will still have iTunes, at least until next year.
According to digital forensics specialists, threat actors have found a way to abuse an unquoted route to maintain persistence in a system while avoiding detection. The vulnerability was reported to Apple according to established time and discretion parameters.
In their report, the experts describe the method of exploiting this flaw. “It is not very common to find these kinds of exploited vulnerabilities in the wild; however, this is a bug that had already been identified by other companies before.” In fact, this is a known vulnerability for at least 15 years.
Some experts mention that these kinds of flaws can be considered as privilege escalation vulnerabilities, as they reside in a service or process that requires administrator rights. “So much has been said about this kind of flaws that it is normal to think that programmers would know this security risk, although we have already seen that it is not actually like that,” the experts mention.
“Developers are increasingly focused on object-oriented programming; when you assign variables with a route, they consider that using the string type is sufficient, even if it is necessary to quote the path”, the digital forensics experts add.
Regarding Bonjour, the tool where the flaw resides, it’s an Apple mechanism to deliver future updates that includes one of these unquoted routes. Bonjour has its own installation entry in the installed software section and a task scheduled to run the process. People are unaware that it is necessary to uninstall the Bonjour component separately when uninstalling iTunes. Because of this, the machines are left with the update task installed and running.
“Simply put, many users uninstalled iTunes years ago, however, Bonjour remains active in the background, functioning as an attack surface,” the experts mention.
If a legitimate process signed by a known vendor executes a malicious secondary process, an associated alert will have a lower confidence score than a process signed by a known provider. Hackers take advantage of the bonjour being a signed process from a known vendor for exploitation.
Digital forensics specialists from the International Institute of Cyber Security (IICS) believe that the hacker group responsible for both campaigns must have conducted thorough research to anticipate the next steps software developers, indicating a wide availability of resources and great planning capacity.