October 14, 2019 By David Bisson 2 min read

Researchers detected a new BitPaymer ransomware campaign that exploited an Apple zero-day vulnerability to target Windows users.

In August 2019, according to Morphisec, threat actors began using a new evasion technique to target an automotive organization with BitPaymer ransomware. This tactic consisted of exploiting a zero-day vulnerability in the Apple Software Update utility that’s packaged together with iTunes on Windows computers.

Specifically, they abused an unquoted path vulnerability that other vendors have identified over the past 15 years. Security researchers have typically spoken of this flaw in terms of privilege escalation, since it usually exists within a service like the Apple Software Update utility that has administrative execution rights.

By exploiting this vulnerability, the attackers helped their campaign evade detection in two important ways. First, they leveraged a signed and known program to execute a malicious child process, meaning that any security alert would have lower confidence than if they had leveraged Apple Software Update. The malicious “Program” file also didn’t come with an extension like .EXE, which means antivirus companies won’t generally scan those files.

BitPaymer’s Recent Attack Activity

In April 2019, Trend Micro observed an attack that leveraged an account with administrative privileges to target a U.S. manufacturing company with BitPaymer via PSExec.

Then, in July, Morphisec revealed that the ransomware had begun leveraging a new custom packer framework to target at least 15 U.S. organizations in both the public and private sectors.

Just a few days later, CrowdStrike identified an apparent fork in the ransomware family’s development when researchers found a new ransomware called DoppelPaymer using most of BitPaymer’s source code.

Secure Your Environment Against a Zero-Day Vulnerability

Security professionals can help defend against a zero-day vulnerability by adopting a vulnerability management program that combines strong perimeter protection and system hardening. Organizations should also consider investing in a comprehensive vulnerability management solution that integrates with their security information and event management (SIEM), network monitoring and other solutions.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today