Latest News Latest News

New Android Malware Steals Banking Passwords, Private Data and Keystrokes

NA new type of mobile banking malware has been discovered abusing Android's accessibility features to exfiltrate sensitive data from financial applications, read user SMS messages, and hijack SMS-based two-factor authentication codes.

Read More...

Microsoft Issues Patches for 4 Bugs Exploited as Zero-Day in the Wild

It's April 2020 Patch Tuesday, and during these challenging times of coronavirus pandemic, this month's patch management process would not go easy for many organizations where most of the resources are working remotely.

Read More...

New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

Zoom has been there for nine years, but the immediate requirement of an easy-to-use video conferencing app during the coronavirus pandemic overnight made it one of the most favorite communication tool for millions of people around the globe.

Read More...

Warning — Two Unpatched Critical 0-Day RCE Flaws Affect All Windows Versions

Microsoft today issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities that could let hackers remotely take complete control over targeted computers.

Read More...

New Android Cookie-Stealing Malware Found Hijacking Facebook Accounts

A new simple but dangerous strain of Android malware has been found in the wild that steals users' authentication cookies from the web browsing and other apps, including Chrome and Facebook, installed on the compromised devices.

Read More...

Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting Server Message Block 3.0 (SMBv3) network communication protocol.

Read More...

Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software—making March 2020 edition the biggest ever Patch Tuesday in the company's history.

Read More...

Critical PPP Daemon Flaw Opens Most Linux Systems to Remote Hackers

The US-CERT today issued advisory warning users of a new dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux based operating systems, as well as powers the firmware of many other networking devices.

Read More...

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it.

Read More...

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cyber security researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets.

Read More...

Most Viewed News Most Viewed News

Back

Apple iTunes and iCloud for Windows 0-Day Exploited in Ransomware Attacks

Watch out Windows users!

The cybercriminal group behind BitPaymer and iEncrypt ransomware attacks has been found exploiting a zero-day vulnerability affecting a little-known component that comes bundled with Apple's iTunes and iCloud software for Windows to evade antivirus detection.

The vulnerable component in question is the Bonjour updater, a zero-configuration implementation of network communication protocol that works silently in the background and automates various low-level network tasks, including automatically download the future updates for Apple software.

To be noted, since the Bonjour updater gets installed as a separate program on the system, uninstalling iTunes and iCloud doesn't remove Bonjour, which is why it eventually left installed on many Windows computers — un-updated and silently running in the background.

Cybersecurity researchers from Morphisec Labs discovered the exploitation of the Bonjour zero-day vulnerability in August when the attackers targeted an unnamed enterprise in the automotive industry the BitPaymer ransomware.

Unquoted Service Path Vulnerability in Apple's Bonjour Service

The Bonjour component was found vulnerable to the unquoted service path vulnerability, a common software security flaw that occurs when the path of an executable contains spaces in the filename and is not enclosed in quote tags ("").

The unquoted service path vulnerability can be exploited by planting a malicious executable file to the parent path, tricking legitimate and trusted applications into executing malicious programs to maintain persistence and evade detection.

"In this scenario, Bonjour was trying to run from the Program Files folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named Program," the researchers said.

"As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor."

"Since Bonjour is signed and known, the adversary uses this to their advantage."

Besides escaping from the detection, in some cases, the unquoted service path vulnerability could also be abused to escalate privileges when the vulnerable program has the rights to run under higher privileges.

However, in this particular case, the Bonjour zero-day didn't allow the BitPaymer ransomware to gain SYSTEM rights on the infected computers. But it did allow the malware to evade common detection solutions that are based on behavior monitoring because the Bonjour component appears like a legitimate process.

Security Patches Released (iTunes / iCloud for Windows)

Immediately after discovering the attack, researchers at Morphisec Labs responsibly shared the details of the attack with Apple, who just yesterday released iCloud for Windows 10.7, iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.

Windows users who have iTunes or/and iCloud installed on their system are highly recommended to update their software to the latest versions.

In case you ever had installed one of these Apple software on your Windows computer and then uninstalled it, you should check the list of installed applications on your system for the Bonjour updater and uninstall it manually.


Contact Us Contact Us

Free Call[OH]: 933

Phone Number: +251-900-89-64-48,

                            +251-944-33-68-02

E-mail: ethiocert@insa.gov.et

P.O.Box: 124498

Download PGP Keys


Report an Incident

Values Values

  • Trustworthiness
  • Innovation
  • Scientific
  • Democracy
  • Synergy
  • Saving