A recent report by Nima Bagheri, an Austin-based security researcher and founder of Venak Security, has shed light on a concerning trend in cybersecurity involving CheckPoint’s ZoneAlarm antivirus software. Threat actors are reportedly exploiting a component of this software to execute malicious campaigns that circumvent Windows security measures.
Conditions for BYOVD Attack
The attack in question uses a method known as Bring Your Own Vulnerable Driver (BYOVD), specifically targeting vulnerabilities in vsdatant.sys, a kernel driver that is part of ZoneAlarm. Like the drivers shipped by many endpoint security solutions, it runs with kernel privileges, allowing it to access and modify sensitive system components, intercept system calls, and potentially bypass established security protocols. Such capabilities grant it significant control over the operating system.
Moreover, because vsdatant.sys is a legitimate driver with a valid signature, traditional antivirus and endpoint detection and response (EDR) solutions often categorize any activity stemming from it as safe. This duality of legitimacy and privilege creates a fertile ground for successful BYOVD attacks.
Bypassing Windows Memory Integrity Security Protection
In his findings, Bagheri highlighted that version 14.1.32.0 of vsdatant.sys, released in 2016, contains several vulnerabilities, although he refrained from detailing them. The exploitation of these weaknesses allows attackers to bypass the Windows Memory Integrity feature, which is designed to safeguard critical system processes by isolating them in a virtualized environment. This isolation complicates efforts by attackers to tamper with or inject malicious code.
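As an added defender-side check (not part of the report or of Check Point's tooling), the following PowerShell script inventories installed kernel drivers, flags any copy of vsdatant.sys whose file version is the 14.1.32.0 build named above, and reports whether Memory Integrity (HVCI) is currently running. The list of flagged versions is an assumption seeded only from this report, so a driver that is absent from it is not thereby proven safe.

```powershell
# Added example, not from the report. Run in an elevated PowerShell session.
# Known-vulnerable builds, seeded from the report (assumption: only this one is listed).
$KnownVulnerable = @{ 'vsdatant.sys' = @('14.1.32.0') }

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver returns paths such as \??\C:\...\x.sys or
    # \SystemRoot\system32\drivers\x.sys; normalise them to a filesystem path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverFileVersion([string]$Path) {
    # Build the version from the numeric parts; the FileVersion string
    # sometimes carries trailing build text that would break a comparison.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    return '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                 $vi.FileBuildPart, $vi.FilePrivatePart
}

$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    $name = [IO.Path]::GetFileName($path).ToLower()
    if (-not $KnownVulnerable.ContainsKey($name)) { continue }
    $ver = try { Get-DriverFileVersion $path } catch { 'unreadable' }
    [pscustomobject]@{
        Driver     = $name
        Path       = $path
        Version    = $ver
        State      = $drv.State                      # 'Running' = loaded in the kernel
        Vulnerable = ($KnownVulnerable[$name] -contains $ver)
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No driver from the watch list is installed.' }

# Memory Integrity (HVCI) state: the value 2 in SecurityServicesRunning means HVCI is on.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"Memory Integrity (HVCI) running: $($dg.SecurityServicesRunning -contains 2)"
```

A hit with State 'Running' and Vulnerable True means the outdated driver is already loaded; the remediation the report gives is updating ZoneAlarm so the current driver replaces it.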
“Once these defenses were bypassed, attackers had full access to the underlying system,” Bagheri explained. “They were able to access sensitive information such as user passwords and other stored credentials, which were subsequently exfiltrated, paving the way for further exploitation.” Additionally, the attackers established a Remote Desktop Protocol (RDP) connection to the compromised systems, thereby ensuring persistent access.
Bagheri also noted that the latest iteration of vsdatant.sys is not vulnerable, advising CheckPoint ZoneAlarm customers to update to this version whenever possible. Prior to publishing his report, he reached out to CheckPoint for comment.
A spokesperson for CheckPoint responded to Bagheri’s findings, stating, “The vulnerable driver referenced by Venak Security is outdated and no longer in use in current versions of our products. Users running the latest versions of ZoneAlarm or Harmony Endpoint are not affected, as these include updated drivers that address this issue.”
They further emphasized, “After a thorough review, we can confirm that versions released in the past eight years are not vulnerable to this issue. For full protection, we recommend users ensure they are running the most recent version of Check Point ZoneAlarm or Check Point Harmony Endpoint, which includes enhanced safeguards against BYOVD-style attacks.”