March 4, 2025

Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks – BleepingComputer

Microsoft has discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.

The vulnerable drivers were exploited in ‘Bring Your Own Vulnerable Driver’ (BYOVD) attacks, where threat actors drop the kernel driver on a targeted system to elevate privileges.

“An attacker with local access to a device can exploit these vulnerabilities to escalate privileges or cause a denial-of-service (DoS) scenario on the victim’s machine,” explains a warning from CERT/CC.

“Additionally, as the attack involves a Microsoft-signed Driver, an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.”

As BioNTdrv.sys is a kernel-level driver, threat actors can exploit vulnerabilities to execute commands with the same privileges as the driver, bypassing protections and security software.

Microsoft researchers discovered all five flaws, noting that one of them, CVE-2025-0289, is leveraged in attacks by ransomware groups. However, the researchers did not disclose which ransomware gangs were exploiting the flaw as a zero-day.

“Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code,” reads the CERT/CC bulletin.

“These vulnerabilities have been patched by both Paragon Software, and vulnerable BioNTdrv.sys versions blocked by Microsoft’s Vulnerable Driver Blocklist.”

The Paragon Partition Manager flaws discovered by Microsoft are:

The first four vulnerabilities impact Paragon Partition Manager versions 7.9.1 and previous, while CVE-2025-0289, the actively exploited flaw, impacts version 17 and older.

Users of the software are recommended to upgrade to the latest version, which contains BioNTdrv.sys version 2.0.0 and addresses all of the mentioned flaws.

However, it’s important to note that even users who don’t have Paragon Partition Manager installed are not safe from attacks.

BYOVD tactics don’t rely on the software being present on the target’s machine. Instead, threat actors include the vulnerable driver with their own tools, allowing them to load it into Windows and escalate privileges.

Microsoft has updated its ‘Vulnerable Driver Blocklist’ to block the driver from loading in Windows, so users and organizations should verify the protection system is active.

You can check if the blocklist is enabled by going to Settings → Privacy & security → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist and making sure the setting is enabled.

A notice on Paragon Software’s site also warns that users must upgrade Paragon Hard Disk Manager by today, as it utilizes the same driver, which will be blocked by Microsoft today.

While it is unclear which ransomware gangs are exploiting the Paragon flaw, BYOVD attacks have become increasingly popular among cybercriminals, as they allow them to easily gain SYSTEM privileges on Windows devices.

Threat actors known to be utilizing BYOVD attacks include Scattered Spider, Lazarus, BlackByte ransomware, LockBit ransomware, and many more.

For this reason, it is important to enable the Microsoft Vulnerable Driver Blocklist feature to prevent vulnerable drivers from being used on your Windows devices.

I can’t register my license for Paragon Hard Disk Manager 25th Anniversary LE to check if there’s a new version to download (the software has no built-in update function), and the separate security patch that you can download and install errors out on my computer. I contacted their support and sent them the log, so hopefully they will fix it.

FYI: Paragon Software’s KB article about this driver vulnerability is at the following URL, and the instructions for installing the security patch without updating Paragon’s software are at the bottom of the article:
https://paragon-software.zendesk.com/hc/en-us/articles/32993902732817-IMPORTANT-Paragon-Driver-Security-Patch-for-All-Products-of-Hard-Disk-Manager-Product-Line-Biontdrv-sys
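As an added example that is not part of the article, and not code from Microsoft or Paragon, here is a read-only PowerShell check for the two things the article tells administrators to verify: that the Microsoft Vulnerable Driver Blocklist is enabled, and whether a BioNTdrv.sys older than the fixed 2.0.0 build is registered as a driver on the host. The registry path and value name used for the blocklist state are assumed from Microsoft's documentation, not taken from the article; confirm them against the current docs before relying on the result.

```powershell
# Added example: audit a Windows host for the two controls the article recommends.
# ASSUMPTION (not from the article): the blocklist toggle is stored at
#   HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable (1 = on)
# Read-only: nothing here changes system state.

$blocklistKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$fixedVersion = [version]'2.0.0'   # BioNTdrv.sys version the article says fixes all five flaws

function Get-VulnerableDriverBlocklistState {
    $value = Get-ItemProperty -Path $blocklistKey -Name 'VulnerableDriverBlocklistEnable' `
                              -ErrorAction SilentlyContinue
    if ($null -eq $value) {
        return 'Unknown (value not present; check Windows Security > Core isolation)'
    }
    if ($value.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Find-BioNTdrv {
    # Kernel driver services whose image is the Paragon driver, with on-disk file version.
    # Only registered driver services are visible here; a driver that was dropped, loaded and
    # had its service deleted again will not appear.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match 'biontdrv\.sys' } |
        ForEach-Object {
            # Normalise "\??\C:\..." and quoted paths returned by the service database
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
            $ver  = $null
            if (Test-Path -LiteralPath $path) {
                $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersionRaw
            }
            [pscustomobject]@{
                Service  = $_.Name
                State    = $_.State
                Path     = $path
                Version  = $ver
                Outdated = ($null -ne $ver -and $ver -lt $fixedVersion)
            }
        }
}

"Microsoft Vulnerable Driver Blocklist: $(Get-VulnerableDriverBlocklistState)"
$drivers = @(Find-BioNTdrv)
if ($drivers.Count -eq 0) {
    'BioNTdrv.sys: not registered as a driver service on this host'
} else {
    $drivers | Format-Table -AutoSize
    if ($drivers | Where-Object Outdated) {
        'WARNING: BioNTdrv.sys older than 2.0.0 is present; apply the Paragon patch or remove the driver'
    }
}
```

Run it in an elevated PowerShell session so the service database and driver files are readable; a "Disabled" or "Unknown" blocklist result is the finding to act on even when no BioNTdrv.sys is found, since BYOVD attackers bring the driver with them.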

Source: https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/
