Cybercriminals Exploit CheckPoint Driver Flaws in Malicious Campaign

A component of CheckPoint’s ZoneAlarm antivirus software is being exploited by threat actors in malicious campaigns to bypass Windows security measures.
Nima Bagheri, an Austin-based security researcher and founder of Venak Security, shared details of a new Bring Your Own Vulnerable Driver (BYOVD) attack in a March 20 report.
In this attack, the threat actors exploited vulnerabilities in vsdatant.sys, a system file that is part of the ZoneAlarm software developed by CheckPoint Software Technologies.
Conditions for BYOVD Attack
Like many endpoint security solutions, vsdatant.sys has high-level kernel privileges, meaning it can access and modify sensitive system components, intercept system calls, and potentially bypass security measures, giving it a high level of control over an operating system.
Meanwhile, since the driver is legitimate and has a valid signature, antivirus and endpoint detection and response (EDR) solutions will typically flag any activity originating from it as safe.
These two conditions are the building blocks of a successful BYOVD attack.
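One defensive consequence of those two conditions is that a valid signature alone cannot be the trust decision: driver-load telemetry has to be matched against a list of known-vulnerable driver versions. The following is an added example, not code from the article or from Venak Security; it parses constructed Sysmon-style DriverLoad records (the pipe-delimited format, field names, signer strings and the 15.0.0.0 "patched" version are all assumptions) and flags loads of the one driver/version pair the article names.

```python
from typing import Dict, List, Optional, Tuple
import ntpath

# Known BYOVD-abusable driver versions. The only entry is the one the article
# names (vsdatant.sys 14.1.32.0); a real deployment would extend it from
# Microsoft's recommended driver block rules rather than hand-maintaining it.
VULNERABLE_DRIVERS = {"vsdatant.sys": {(14, 1, 32, 0)}}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.1.32.0' into (14, 1, 32, 0) so versions compare exactly."""
    return tuple(int(p) for p in text.strip().split("."))

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'key=value|key=value' DriverLoad record; None if malformed."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if not all(k in fields for k in ("ImageLoaded", "FileVersion", "Signed")):
        return None
    return fields

def is_byovd_candidate(rec: Dict[str, str]) -> bool:
    """Known-vulnerable version: a valid signature does not make the load safe."""
    name = ntpath.basename(rec["ImageLoaded"]).lower()
    try:
        version = parse_version(rec["FileVersion"])
    except ValueError:
        return False
    return name in VULNERABLE_DRIVERS and version in VULNERABLE_DRIVERS[name]

def scan(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (driver, version, signed) for each record matching the blocklist."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is not None and is_byovd_candidate(rec):
            name = ntpath.basename(rec["ImageLoaded"]).lower()
            hits.append((name, rec["FileVersion"], rec["Signed"].lower() == "true"))
    return hits

# Constructed sample records, not real telemetry; signer values are placeholders
# and 15.0.0.0 stands in for a patched build (the article gives no number).
SAMPLE_LOG = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\vsdatant.sys|FileVersion=14.1.32.0|Signed=true|Signature=PLACEHOLDER_SIGNER",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\vsdatant.sys|FileVersion=15.0.0.0|Signed=true|Signature=PLACEHOLDER_SIGNER",
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|FileVersion=10.0.0.0|Signed=true|Signature=PLACEHOLDER_SIGNER",
    "not a driver load record",
]
```

Running `scan(SAMPLE_LOG)` flags only the signed vsdatant.sys 14.1.32.0 load; the newer build and the unrelated driver pass, which is the distinction an EDR relying on signature alone would miss.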
Bypassing Windows Memory Integrity Security Protection
In the report, Bagheri noted that vsdatant.sys version 14.1.32.0, launched in 2016, has several vulnerabilities, although he didn’t explain what they were.
He explained that threat actors exploited these vulnerabilities to bypass the Windows Memory Integrity feature, designed to protect critical system processes by isolating them in a virtualized environment, making it harder for attackers to tamper with or inject malicious code.
“Once these defenses were bypassed, attackers had full access to the underlying system; the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation,” Bagheri continued.
The attackers also established a Remote Desktop Protocol (RDP) connection to the infected systems, enabling them to maintain persistent access to the compromised machines.
Bagheri noted that the latest version of vsdatant.sys was not vulnerable, suggesting CheckPoint ZoneAlarm customers should update to this version if possible.
The security researcher contacted CheckPoint before publishing the report.
Infosecurity reached out to CheckPoint for comment but no response was received at the time of publication.