Ethical Hacking News

Ransomware Gangs Leverage Paragon Partition Manager Bug in Zero-Day Attacks


Ransomware gangs are exploiting a previously unknown vulnerability in Paragon Partition Manager to gain SYSTEM privileges on Windows devices. This bug, known as CVE-2025-0289, has been patched by Microsoft, but its zero-day nature remains a significant threat. To protect against this vulnerability, users should ensure that their Windows systems are up-to-date with the latest patches and that they have enabled the "Vulnerable Driver Blocklist" feature.

  • Ransomware gangs have exploited a previously unknown vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager to gain SYSTEM privileges on Windows devices.
  • The exploitation allows attackers to bypass protections and security software, execute commands with elevated privileges, and gain SYSTEM-level access.
  • Microsoft researchers discovered five vulnerabilities in the BioNTdrv.sys driver, all of which have been patched by Microsoft.
  • A "Bring Your Own Vulnerable Driver" (BYOVD) attack allows threat actors to include their own tools with the vulnerable driver and load it into Windows, escalating privileges.
  • Users must verify that the "Vulnerable Driver Blocklist" feature is enabled to block the driver from loading in Windows.
  • Zero-day attacks and BYOVD techniques have become increasingly popular among cybercriminals; users should ensure their systems are up-to-date with the latest patches.



  • Ransomware gangs have been exploiting a previously unknown vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager to gain SYSTEM privileges on Windows devices. This bug, known as CVE-2025-0289, was discovered by Microsoft researchers and has been patched, but it remains a significant threat due to its zero-day nature.

    The exploitation of this vulnerability allows attackers to bypass protections and security software, execute commands with the same privileges as the driver, and gain SYSTEM-level access. This is particularly concerning since Paragon Partition Manager is a widely used tool for managing disk partitions in Windows systems.

    Microsoft researchers discovered five vulnerabilities in the BioNTdrv.sys driver, all of which have been patched by Microsoft. However, due to their zero-day nature, these vulnerabilities remain a risk, since attackers can exploit them before a patch becomes available.

    One of the most concerning aspects of this vulnerability is that it allows for "Bring Your Own Vulnerable Driver" (BYOVD) attacks. In these types of attacks, threat actors include the vulnerable driver with their own tools and load it into Windows, allowing them to escalate privileges and execute malicious code.

    Microsoft has updated its "Vulnerable Driver Blocklist" to block the driver from loading in Windows, but users must verify that this setting is enabled. Users who do not have Paragon Partition Manager installed are still at risk due to BYOVD tactics, which do not rely on the software being present on the target's machine.

    The use of zero-day attacks and BYOVD techniques has become increasingly popular among cybercriminals in recent years. Threat actors known to be utilizing these tactics include Scattered Spider, Lazarus, BlackByte ransomware, LockBit ransomware, and many more.

    To protect against this vulnerability, users should ensure that their Windows systems are up-to-date with the latest patches and that they have enabled the "Vulnerable Driver Blocklist" feature. Additionally, users who do not need Paragon Partition Manager installed on their system can simply uninstall it to avoid the risk of BYOVD attacks.
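    The checks recommended above can be scripted. The following PowerShell is an added example written for this page; it is not code from the article, from Paragon, or from Microsoft. It reports whether the Vulnerable Driver Blocklist toggle is set, whether a BioNTdrv.sys file or kernel service is present on the host, and whether Code Integrity has recently blocked a driver by that name. Assumptions (labelled in the comments): the registry value VulnerableDriverBlocklistEnable under the CI\Config key is the documented on/off switch for the blocklist, the default driver location is %SystemRoot%\System32\drivers, and Code Integrity event ID 3077 is the enforced-mode block event. Run it from an elevated session.

```powershell
# Added example, not part of the original article or any vendor tooling.
# Defender-side check for the Microsoft Vulnerable Driver Blocklist and for the
# BioNTdrv.sys driver named in the article. Requires an elevated PowerShell session.

function Get-VulnerableDriverBlocklistState {
    # Assumption: this is the registry value Microsoft documents for toggling the blocklist.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $name = 'VulnerableDriverBlocklistEnable'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # An absent value is not proof the blocklist is off: recent Windows 11 builds enable it
        # by default and it is always on when HVCI or Smart App Control is active.
        return 'Unknown (value not set; enabled by default on recent Windows 11 or with HVCI)'
    }
    if ($prop.$name -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

function Get-BioNTdrvPresence {
    # Assumption: the default driver folder. BYOVD tooling can drop the file anywhere, so the
    # service query below matches on path rather than only on this location.
    $path    = Join-Path $env:SystemRoot 'System32\drivers\BioNTdrv.sys'
    $onDisk  = Test-Path -LiteralPath $path
    $version = $null
    $signer  = $null
    if ($onDisk) {
        $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
    }
    # Kernel services referencing the driver, whether or not they are currently running.
    $services = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -like 'BioNTdrv*' -or $_.PathName -like '*BioNTdrv*' } |
        Select-Object Name, State, PathName
    [pscustomobject]@{
        DefaultPathPresent = $onDisk
        FileVersion        = $version
        Signer             = $signer
        RegisteredServices = $services
    }
}

function Get-RecentDriverBlockEvents {
    param([int]$Max = 50)
    # Assumption: event 3077 in the CodeIntegrity/Operational log records an enforced-mode block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'BioNTdrv' } |
        Select-Object TimeCreated, Id, Message
}

$state    = Get-VulnerableDriverBlocklistState
$presence = Get-BioNTdrvPresence
$blocked  = Get-RecentDriverBlockEvents

"Vulnerable Driver Blocklist: $state"
$presence | Format-List
if ($presence.RegisteredServices) {
    Write-Warning 'A BioNTdrv kernel service is registered on this host; confirm it is the patched vendor build or remove it.'
}
if ($blocked) {
    'Recent Code Integrity block events mentioning BioNTdrv:'
    $blocked | Format-Table -AutoSize
}
```

    Treat a "Disabled" result, or a registered BioNTdrv service on a machine where Paragon Partition Manager was never installed, as a finding to investigate; a block event in the Code Integrity log is the signal that the blocklist did its job and that something on the host tried to load the driver.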

    Overall, the exploitation of this vulnerability highlights the ongoing threat posed by zero-day attacks and the importance of keeping software up-to-date with the latest security patches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Leverage-Paragon-Partition-Manager-Bug-in-Zero-Day-Attacks-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/
  • https://cyberinsider.com/paragon-partition-manager-flaws-leveraged-in-ransomware-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-0289
  • https://www.cvedetails.com/cve/CVE-2025-0289/
  • https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/
  • https://unit42.paloaltonetworks.com/blackbyte-ransomware/
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
  • https://en.wikipedia.org/wiki/Lockbit


  • Published: Sat Mar 1 15:22:43 2025 by llama3.2 3B Q4_K_M