Researchers have uncovered a sophisticated attack in which threat actors exploited vulnerabilities in vsdatant.sys, a kernel-mode driver shipped with Check Point's ZoneAlarm antivirus software.
Originally released in 2016, the driver became the target of a Bring Your Own Vulnerable Driver (BYOVD) attack that let attackers elevate privileges, bypass Windows security features such as Memory Integrity, and extract sensitive data from compromised systems, Venak Security said in a new report shared with Cyber Security News.
The vsdatant.sys driver, which runs with full kernel privileges, contains multiple insufficient-argument-validation vulnerabilities that have been documented since at least 2007.
These vulnerabilities allow local users to gain elevated privileges via crafted I/O Request Packets (IRPs) and potentially execute arbitrary code in the kernel.
Specifically, the driver does not properly validate arguments before passing them to its hooked System Service Descriptor Table (SSDT) function handlers.
Understanding BYOVD Attacks
The “Bring Your Own Vulnerable Driver” (BYOVD) technique has become increasingly popular among cybercriminal groups.
The attacker ships a legitimate, validly signed but vulnerable driver to the target system, loads it, and then exploits its flaws to perform malicious actions from kernel mode.
“Hackers abuse digitally signed but vulnerable drivers by bringing them onto the systems and using them to terminate critical AV or EDR processes, enabling them to operate undetected in the compromised environment.”
These drivers operate at Ring 0, the most privileged level of the operating system, which grants them direct access to kernel memory, CPU control registers, and other fundamental resources.
Because the driver carries a valid signature, security software and Windows' own code-integrity checks accept it; it is typically neither flagged nor blocked, so the attacker can operate with minimal detection.
Bypassing Memory Integrity Protection
Windows’ Memory Integrity feature (Hypervisor-protected Code Integrity, part of Core Isolation) uses virtualization-based security to isolate the kernel's code-integrity checks from the rest of the kernel, so that only properly signed code can be loaded into kernel memory; this makes it harder for attackers to tamper with the kernel or inject malicious code.
However, the attack observed by Venak Security showed that a signed but vulnerable driver such as vsdatant.sys can effectively bypass this defense.

By exploiting flaws in vsdatant.sys, attackers were able to gain elevated privileges within the kernel, effectively neutralizing Memory Integrity: the feature checks that kernel code is signed, a validly signed driver passes that check, and the driver's bugs then execute at Ring 0 under the same protection.
Once these defenses were bypassed, attackers had full access to the underlying system and could read sensitive information such as user passwords and stored credentials.
The attackers leveraged two IOCTL codes exposed by vsdatant.sys, 0x8400000F and 0x84000013, which can be used to overwrite arbitrary kernel memory locations.
The attack also abuses the driver's hooked handlers for system services such as NtCreateKey and NtDeleteFile, which do not properly validate their arguments.
During the investigation, researchers noted that because the driver carried a valid digital signature, many endpoint detection and response (EDR) solutions did not flag the attack and treated the driver as safe.
This allowed attackers to establish Remote Desktop Protocol (RDP) connections to infected systems and maintain persistent access to the compromised machines.
Details of the driver sample analysed in the report:
- Name: Vsdatant.sys
- Version: 14.1.32.0
- MD5 Hash: 190fe0ce4d43ad8eed97aaa68827e2c6
The vulnerabilities affect ZoneAlarm versions prior to 7.0.362, particularly in products that include ‘vsdatant.sys’ version 6.5.737.0. The latest version of vsdatant.sys is reportedly not vulnerable.
Mitigation Measures
Organizations are advised to implement driver blocklisting (for example, enforcing Microsoft's recommended vulnerable driver block rules), enable Memory Integrity where possible, and ensure all security products are updated to the latest versions.
Microsoft has implemented various protections against BYOVD attacks, but threat actors continue to find creative ways to circumvent these controls, and a blocklist only helps against drivers it already lists.
The vendor has already issued advisories regarding this issue, and users are strongly encouraged to update their ZoneAlarm installations immediately.
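The following PowerShell script is an added example, not code from the Venak Security report or from Check Point. It ties together the sample details listed above and the mitigations recommended here: it hunts a Windows host for the vsdatant.sys sample by name, by registered driver path and by MD5, lists recent kernel-driver service installations (the footprint a BYOVD drop normally leaves), and reports whether Memory Integrity and Microsoft's vulnerable driver blocklist are on. Only the MD5 hash is taken from the article; the CIM classes, event ID and registry values are documented Windows interfaces, and the function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Venak Security report or Check Point):
# hunt for the vsdatant.sys sample and check BYOVD mitigations on this host.

$KnownBadMd5 = '190fe0ce4d43ad8eed97aaa68827e2c6'   # Vsdatant.sys 14.1.32.0, per the report

function Find-VsdatantDriver {
    # Candidates: any vsdatant.sys in the drivers directory, plus the image path of
    # every registered kernel driver service. A BYOVD drop must register a service,
    # but the .sys file itself can sit in any directory, so hash by path, not by name.
    $files = @(Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'vsdatant.sys' -File -ErrorAction SilentlyContinue)
    $service = @{}
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # Normalise the NT-style prefixes some services use before touching the file.
        $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path -LiteralPath $path) {
            $files += Get-Item -LiteralPath $path
            $service[$path.ToLower()] = "$($drv.Name) ($($drv.State))"
        }
    }
    foreach ($f in ($files | Sort-Object FullName -Unique)) {
        $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            Path      = $f.FullName
            Md5       = $md5
            KnownBad  = ($md5 -eq $KnownBadMd5)
            # A Valid status is expected for a BYOVD driver; that is why EDRs let it through.
            SigStatus = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
            Service   = $service[$f.FullName.ToLower()]
        }
    }
}

function Get-KernelDriverInstallEvents {
    param([int]$Days = 30)
    # The Service Control Manager logs Event ID 7045 when a service is installed; for a
    # kernel driver the message contains "Service Type: kernel mode driver". Review these
    # for unexpected driver names or image paths outside System32\drivers.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'kernel mode driver' } |
        ForEach-Object {
            $name = if ($_.Message -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() } else { '' }
            $img  = if ($_.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; ServiceName = $name; ImagePath = $img }
        }
}

function Get-ByovdMitigationState {
    # Memory Integrity (HVCI) state comes from the Device Guard CIM class: a 2 in
    # SecurityServicesRunning means HVCI is actually running, not merely configured.
    # The vulnerable driver blocklist switch is the CI\Config value below; when the
    # value is absent the OS default applies (Microsoft turns the blocklist on by
    # default from Windows 11 22H2 and on hosts running HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = if ($null -eq $ci -or $null -eq $ci.VulnerableDriverBlocklistEnable) { 'default' }
                 elseif ($ci.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'disabled' }
    [pscustomobject]@{
        HvciConfigured            = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = $blocklist
    }
}

function Enable-ByovdMitigations {
    # Turn on both mitigations through their documented registry switches. HVCI takes
    # effect after a reboot and will refuse to load incompatible drivers, so pilot it
    # on a test group before rolling it out fleet-wide.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $ciKey)) { New-Item -Path $ciKey -Force | Out-Null }
    Set-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $hvciKey)) { New-Item -Path $hvciKey -Force | Out-Null }
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
}

Find-VsdatantDriver           | Format-Table -AutoSize
Get-KernelDriverInstallEvents | Format-Table -AutoSize
Get-ByovdMitigationState
# Enable-ByovdMitigations     # uncomment after testing; HVCI needs a reboot to take effect
```

A match on the MD5 confirms the exact sample from the report, but a different build of vsdatant.sys with the same IOCTL handlers would not match, so treat any copy of the driver that is not part of a current ZoneAlarm install as suspect. Note that the script only hashes drivers that are registered as services or sit in the default drivers directory; a dropped file that was never registered will only show up in the 7045 events if it was at some point installed.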