Threat actors are exploiting a component of Check Point's ZoneAlarm antivirus to bypass Windows security measures. Nima Bagheri, an Austin-based security researcher and founder of Venak Security, described a new Bring Your Own Vulnerable Driver (BYOVD) attack in a report published on March 20.
The attackers exploited vulnerabilities in vsdatant.sys, a kernel-mode driver shipped with ZoneAlarm software by Check Point Software Technologies.
Conditions for BYOVD Attack:
Like many endpoint security drivers, vsdatant.sys runs with kernel-level privileges. That lets it read and modify critical system structures, intercept system operations and, if abused, disable security controls, giving whoever controls it near-total control over the operating system.
The driver is a legitimate product component with a valid digital signature, so Windows loads it and antivirus and EDR solutions typically treat its activity as trusted.
These two conditions are the building blocks of a successful BYOVD attack.
Bypassing Windows Memory Integrity Security Protection:
Bagheri's report stated that vsdatant.sys version 14.1.32.0, released in 2016, contains multiple vulnerabilities, though the report did not specify what they are.
The attackers exploited these flaws to bypass Windows Memory Integrity (Hypervisor-protected Code Integrity, HVCI), a virtualization-based security feature that enforces code integrity for the kernel and makes it difficult for attackers to load or inject malicious kernel-mode code.
“Once these defenses were bypassed, attackers had full access to the underlying system. The attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation,” Bagheri continued.
The attackers set up a Remote Desktop Protocol (RDP) connection to the infected systems, allowing them ongoing access to the compromised machines.
Bagheri stated that the latest version of vsdatant.sys is not affected and advised Check Point ZoneAlarm customers to update to it where possible.
The researcher contacted Check Point before publishing the report.
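The following PowerShell script is an added example, not code from the report or from Venak Security or Check Point. It hunts for vsdatant.sys on a Windows host (both as a registered kernel service, which a BYOVD loader must create to get the driver into the kernel, and as a loose file staged on disk), compares the file version against the 14.1.32.0 build named in the report, and checks whether Memory Integrity (HVCI) and Microsoft's vulnerable driver blocklist are enabled. It assumes that 14.1.32.0 is the only version to flag; other versions are reported as "unknown", not as safe. The `Win32_DeviceGuard` class and the `VulnerableDriverBlocklistEnable` registry value are Microsoft's documented interfaces; the function and variable names are this example's own.

```powershell
# Added example: triage a host for the vulnerable ZoneAlarm driver and for the kernel
# protections that a BYOVD attack aims to defeat. Run as Administrator.

$DriverName        = 'vsdatant.sys'
$VulnerableVersion = [version]'14.1.32.0'   # build named in Bagheri's report (assumption: the only one to flag)
$ScanRoots         = @("$env:SystemDrive\")  # narrow this (e.g. drivers, ProgramData, Temp) for a quick pass

function Get-FileVersionOrNull([string]$Path) {
    # FileVersion strings can carry trailing text; keep the leading dotted version only.
    try {
        $raw = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo.FileVersion
        return [version](($raw -split '\s')[0])
    } catch { return $null }
}

function New-Finding([string]$Source, [string]$Path, [string]$State) {
    $ver = Get-FileVersionOrNull $Path
    [pscustomobject]@{
        Source     = $Source
        Path       = $Path
        State      = $State
        Version    = if ($ver) { $ver.ToString() } else { 'unknown' }
        Vulnerable = ($null -ne $ver -and $ver -eq $VulnerableVersion)
    }
}

function Get-VsdatantFindings {
    $findings = @()

    # 1. Kernel drivers registered as services. A BYOVD loader needs a service entry to
    #    load the driver, so an attacker-dropped copy shows up here under any service name.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($DriverName) } |
        ForEach-Object {
            # Normalise NT-style paths such as \??\C:\... and \SystemRoot\System32\drivers\...
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $findings += New-Finding -Source "service:$($_.Name)" -Path $path -State $_.State
        }

    # 2. Loose copies on disk (staged for a later load, or left behind after use).
    #    A full system-drive walk is slow; it is the default because a dropper can put the file anywhere.
    foreach ($root in $ScanRoots) {
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += New-Finding -Source 'disk' -Path $_.FullName -State 'n/a' }
    }
    return $findings
}

function Get-KernelProtectionState {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Microsoft's vulnerable driver blocklist toggle lives under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config.
    $bl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MemoryIntegrityRunning           = [bool]($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklistEnabled = [bool]($bl -and $bl.VulnerableDriverBlocklistEnable -eq 1)
    }
}

$findings = Get-VsdatantFindings
$state    = Get-KernelProtectionState

if ($findings) { $findings | Format-Table Source, State, Version, Vulnerable, Path -AutoSize }
else           { Write-Host "No copy of $DriverName found in the scanned locations." }
$state | Format-List

if ($findings | Where-Object Vulnerable) {
    Write-Warning "Vulnerable $DriverName build $VulnerableVersion present; treat any unexpected service entry as a BYOVD indicator."
}
if (-not $state.MemoryIntegrityRunning) {
    Write-Warning 'Memory Integrity (HVCI) is not running on this host.'
}
```

Note that updating ZoneAlarm only removes your own copy of the old driver. In a BYOVD attack the adversary brings the vulnerable, validly signed driver with them, so a fully patched host is still exposed unless the old build is blocked from loading, which is what the vulnerable driver blocklist (or a WDAC policy denying that driver) is for; the second warning above exists because Memory Integrity is the control the attack was designed to bypass, and a host where it is already off has nothing for the driver to defeat.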
Source: venaksecurity