0-Day Exploited in Apple's Bonjour Component for Windows


An actively exploited vulnerability in the Bonjour component, which iTunes and iCloud rely on to run on Windows computers, allows those machines to be infected with ransomware without triggering any antivirus that is running on the computer.

The vulnerability is being used in an active attack campaign and was patched by Apple this week. The important finding by the researchers is that the Bonjour service remains on the computer even if iTunes or iCloud is uninstalled, and keeps running in the background, silently checking for updates.

As many detection solutions are based on behavior monitoring, the chain of process execution (parent-child) plays a major role in alert fidelity. If a legitimate process signed by a known vendor executes a new malicious child process, an associated alert will have a lower confidence score than it would if the parent was not signed by a known vendor. Since Bonjour is signed and known, the adversary uses this to their advantage. Furthermore, security vendors try to minimize unnecessary conflicts with known software applications, so they will not prevent this behaviorally for fear of disrupting operations.
Additionally, the malicious "Program" file doesn't come with an extension such as ".exe". This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine. In this scenario, Bonjour was trying to run from the "Program Files" folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named "Program". This is how the zero-day was able to evade detection and bypass AV.
[via]
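The quoted explanation hinges on an unquoted path containing spaces: Windows may try each space-delimited prefix, so a file named "Program" in the root of the drive can be started instead of the binary under "Program Files". The following audit is an added example (not code from the original post or from Apple) that emulates that resolution and flags services whose ImagePath is unquoted, together with any such truncated path that already exists on disk; the service records, paths and directory listing are constructed, and the `.exe` appending and the stop-at-first-`.exe` rule are a simplification of what Windows does.

```python
"""Audit Windows service image paths for the unquoted-path weakness: an
unquoted "C:\\Program Files\\..." path lets a file named "Program" run first.
Added example, not code from the original post; records below are constructed."""
import ntpath

def hijack_candidates(image_path):
    """Truncated paths Windows may try before the intended binary.
    Each prefix ending at a space is emitted as-is and, if it lacks an
    extension, with ".exe" appended (as CreateProcess does). Simplified:
    we stop at the first prefix that already ends in ".exe"."""
    if image_path.startswith('"'):
        return []                          # quoted path: no ambiguity
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                          # reached the real executable
        candidates.append(prefix)
        if not ntpath.splitext(prefix)[1]:
            candidates.append(prefix + ".exe")
    return candidates

def audit_services(services, existing_files):
    """Flag unquoted service paths and any candidate already present on disk.
    On a live host, `services` would map each service name to its ImagePath
    value under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    existing = {p.lower() for p in existing_files}
    report = {"unquoted": [], "planted": []}
    for name, path in services.items():
        cands = hijack_candidates(path)
        if cands:
            report["unquoted"].append(name)
        for cand in cands:
            if cand.lower() in existing:
                report["planted"].append((name, cand))
    return report

# Constructed sample data: hypothetical service records and directory listing.
SERVICES = {
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    "Vendor Agent": r'"C:\Program Files\Vendor\agent.exe" /service',
    "Spooler": r"C:\Windows\System32\spoolsv.exe -k print",
}
EXISTING_FILES = {
    r"C:\Program",                         # a planted file named "Program"
    r"C:\Program Files\Bonjour\mDNSResponder.exe",
    r"C:\Windows\System32\spoolsv.exe",
}
```

A "planted" finding (a file already sitting at a truncated prefix such as `C:\Program`) is the condition described in the quoted text; an "unquoted" finding alone is the misconfiguration to fix by quoting the path.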

