InfoSecBulletin Cybersecurity for mankind
Threat actors are exploiting a component of CheckPoint’s ZoneAlarm antivirus to bypass Windows security measures. Nima Bagheri, a security researcher in Austin and founder of Venak Security, announced a new Bring Your Own Vulnerable Driver (BYOVD) attack in a report on March 20.
Threat actors exploited vulnerabilities in vsdatant.sys, a system file from ZoneAlarm software by CheckPoint Software Technologies.
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
Conditions for BYOVD Attack:
Like many endpoint security solutions, vsdatant.sys has high-level access, allowing it to reach and change important system parts, intercept system actions, and possibly avoid security measures, giving it a high level of control over an operating system.
The driver is legitimate and has a valid signature, so antivirus and EDR solutions usually consider its activity safe.
These two conditions are the building blocks of a successful BYOVD attack.
Bypassing Windows Memory Integrity Security Protection:
Bagheri’s report indicated that vsdatant.sys version 14.1.32.0, released in 2016, has multiple vulnerabilities, though he did not specify what they are.
Threat actors exploited vulnerabilities to bypass Windows Memory Integrity, a feature that protects critical system processes by isolating them in a virtual environment, making it difficult for attackers to inject malicious code.
“Once these defenses were bypassed, attackers had full access to the underlying system, the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation,” Bagheri continued.
The attackers set up a Remote Desktop Protocol (RDP) connection to the infected systems, allowing them ongoing access to the compromised machines.
Bagheri stated that the latest version of vsdatant.sys is secure, advising CheckPoint ZoneAlarm customers to update to it if they can.
The security researcher contacted CheckPoint before publishing the report.
Source: venaksecurity
