Researchers detected a new BitPaymer ransomware campaign that exploited an Apple zero-day vulnerability to target Windows users.

In August 2019, according to Morphisec, threat actors began using a new evasion technique to target an automotive organization with BitPaymer ransomware. This tactic consisted of exploiting a zero-day vulnerability in the Apple Software Update utility that’s packaged together with iTunes on Windows computers.

Specifically, they abused an unquoted path vulnerability that other vendors have identified over the past 15 years. Security researchers have typically spoken of this flaw in terms of privilege escalation, since it usually exists within a service like the Apple Software Update utility that has administrative execution rights.

By exploiting this vulnerability, the attackers helped their campaign evade detection in two important ways. First, they leveraged a signed and known program to execute a malicious child process, meaning that any security alert would have lower confidence than if they had leveraged Apple Software Update. The malicious “Program” file also didn’t come with an extension like .EXE, which means antivirus companies won’t generally scan those files.

BitPaymer’s Recent Attack Activity

In April 2019, Trend Micro observed an attack that leveraged an account with administrative privileges to target a U.S. manufacturing company with BitPaymer via PSExec.

Then, in July, Morphisec revealed that the ransomware had begun leveraging a new custom packer framework to target at least 15 U.S. organizations in both the public and private sectors.

Just a few days later, CrowdStrike identified an apparent fork in the ransomware family’s development when researchers found a new ransomware called DoppelPaymer using most of BitPaymer’s source code.

Secure Your Environment Against a Zero-Day Vulnerability

Security professionals can help defend against a zero-day vulnerability by adopting a vulnerability management program that combines strong perimeter protection and system hardening. Organizations should also consider investing in a comprehensive vulnerability management solution that integrates with their security information and event management (SIEM), network monitoring and other solutions.

More from

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution?Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task.In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each other. As…

How I got started: SIEM engineer

2 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…