A recent investigation by the vulnerability testing expert team from security firm Safe Breach led to the discovery of a security flaw in earlier versions of Intel Rapid Storage Technology (RST) software that allows hijacking of Dynamic Link Libraries (DLLs), so a malicious program could bypass antivirus detection and compromise the targeted system.
It is important to note that exploiting the
vulnerability requires the attacker to obtain administrator privileges on the
target system. However, as this is a flaw on Windows 10 systems, the complexity
of the operation is greatly reduced, as these systems run with administrative
privileges enabled by default, which lightens the workload of threat actors.
The team of vulnerability testing experts
discovered the flaw while collecting information about how Windows services are
included on various devices, which are highly trusted during security scans. Malware
developers also perform this type of analysis frequently, as they discover what
features functional malware should have.
RST is included on many devices running
Windows, and it has extensive privileges on the operating system, although it
does not have network access by default. Apparently, the vulnerability exists
because the developers forgot to remove some RST commands that are no longer
functional for the proper functioning of the software, for example, to load
four DLLs that no longer exist.
According to vulnerability testing experts, a
hacker can take advantage of this omission by creating a malicious DLL using
one of the legitimate DLL names. To make matters worse, Intel seems to have
made everything available to hackers, because when RST can’t find the missing
DLL in the folder where it’s supposed to be, it automatically starts searching
for it in other folders, so threat actors can load malware from any location on
On top of that, the malware gains persistence
because Intel RST will continue to load the malicious DLL every time the system
restarts. Finally, because, in theory, DLLs should be used by reliable Intel
RST software, antivirus solutions will not identify it as malicious
The vulnerability was reported by Safe Breach
on July 22. In response to this report, Intel released various security patches
for RST software, including versions 15.x, 16.x, and 17.x. To be exact, system
administrators should upgrade to versions v15.9.8.x, v16.8.3.x, or v17.5.1.x,
mention the International Institute of Cyber Security (IICS) vulnerability testing
All patches have already been released, so the
vulnerabilities have finally been publicly disclosed. Although Intel had
requested a time extension to release the updates next January, a disclosure
agreement was finally reached with Safe Breach researchers.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.