October 14, 2019 By David Bisson 2 min read

Researchers detected a new BitPaymer ransomware campaign that exploited an Apple zero-day vulnerability to target Windows users.

In August 2019, according to Morphisec, threat actors began using a new evasion technique to target an automotive organization with BitPaymer ransomware. This tactic consisted of exploiting a zero-day vulnerability in the Apple Software Update utility that’s packaged together with iTunes on Windows computers.

Specifically, they abused an unquoted path vulnerability that other vendors have identified over the past 15 years. Security researchers have typically spoken of this flaw in terms of privilege escalation, since it usually exists within a service like the Apple Software Update utility that has administrative execution rights.

By exploiting this vulnerability, the attackers helped their campaign evade detection in two important ways. First, they leveraged a signed and known program to execute a malicious child process, meaning that any security alert would have lower confidence than if they had leveraged Apple Software Update. The malicious “Program” file also didn’t come with an extension like .EXE, which means antivirus companies won’t generally scan those files.

BitPaymer’s Recent Attack Activity

In April 2019, Trend Micro observed an attack that leveraged an account with administrative privileges to target a U.S. manufacturing company with BitPaymer via PSExec.

Then, in July, Morphisec revealed that the ransomware had begun leveraging a new custom packer framework to target at least 15 U.S. organizations in both the public and private sectors.

Just a few days later, CrowdStrike identified an apparent fork in the ransomware family’s development when researchers found a new ransomware called DoppelPaymer using most of BitPaymer’s source code.

Secure Your Environment Against a Zero-Day Vulnerability

Security professionals can help defend against a zero-day vulnerability by adopting a vulnerability management program that combines strong perimeter protection and system hardening. Organizations should also consider investing in a comprehensive vulnerability management solution that integrates with their security information and event management (SIEM), network monitoring and other solutions.

More from

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Why safeguarding sensitive data is so crucial

4 min read - A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.The breach, first reported by WIRED, involved PII, such as patient names and addresses,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today