A zero-day exploit refers to cyber attacks that target a software vulnerability unknown to the software vendor or the antivirus software assigned to protect the system. Attackers can identify such zero-day vulnerabilities, design an exploit, and use it to launch an attack. Zero-day attacks are very likely to penetrate the target network since there are no defenses against the new threat (because “zero days” have passed since security parties detected the vulnerability).
Typically, zero-day attacks rely on web browsers and email attachments to exploit vulnerabilities in the specific application that opens the attachment or in specific file types: Word, PDF, Excel, Flash, etc. Once zero-day malware enters the system, it can quickly spread throughout all targeted areas.
Zero-day vulnerabilities come in many forms. Attackers can leverage broken algorithms, poor password security, a faulty web application firewall, lack of authorizations, unprotected open-source components, and more to launch a SQL injection attack. If the attack is successful, it can compromise more software on the target network, steal sensitive information, retain data in exchange for large sums, attempt identity theft, corrupt the company’s operating system, and more.
Typical objectives for zero-day exploits
Zero-day vulnerabilities are valuable to multiple parties. That is why there is a market where organizations hire researchers to discover vulnerabilities. In addition to this “white market”, there are black and gray markets, where malicious parties can exchange zero-day vulnerability details without public disclosure.
Typical targets of zero-day exploits are large organizations, government agencies, people with access to critical files (such as intellectual property), hardware devices, Internet of Things (IoT) ), firmware, home users running a vulnerable system (if infected, they can become cogs in a botnet), and more. Government agencies sometimes use zero-day exploits to attack countries, organizations, or individuals that threaten national security.
What are zero-day vulnerabilities?
Typically, when an individual (or a security team) detects software with potential security vulnerabilities, they will alert software vendors so that a patch can be issued to address the vulnerability.
Given enough time, software developers can fix the problem and distribute patches (or software updates) so that all software users can apply them as soon as possible. If malicious actors learn of the vulnerability, designing an exploit and launching an attack may take some time. In the meantime, hopefully, the patch will now be available and deployed.
How do zero-day attacks work?
Hackers may be the first to discover a weak link in a software program. Since vendors and security teams are not yet aware of the vulnerability, they have virtually zero days to build a defense against a targeted attack. Companies vulnerable to such exploits can initiate early detection procedures to safeguard their networks.
Dedicated security researchers often try to cooperate with software vendors and usually agree to retain zero-day vulnerability details for an extended period before publishing them.
Once a zero-day vulnerability becomes public, it is called an “n-day” or “one-day” vulnerability.
Examples of zero-day attacks
Below are several examples of zero-day attacks in recent years.
- · Stuxnet
A malicious computer worm attacked zero-day vulnerabilities in supervisory and data acquisition (SCADA) systems by first infiltrating Windows operating systems. Stuxnet exploited four Windows zero-day vulnerabilities to spread via corrupted USB drives. In this way, the worm infected both Windows and SCADA systems without launching a network attack.
Stuxnet affected computers used to manage manufacturing in Iran, India, and Indonesia. It is assumed that the main target was the uranium enrichment plants in Iran. A blow to those was intended to disrupt the country’s nuclear program. Once infected, programmable logic controllers (PLCs) on the target computers carried out unexpected commands on assembly line machinery, causing centrifuges used to produce nuclear material to malfunction.
- · Sony zero-day attack
Sony Pictures was the victim of a zero-day exploit in late 2014. The exploit affected Sony’s network, leading to a corporate data breach on file-sharing websites.
The leaked information included details of upcoming films, business strategies, and personal email addresses of senior Sony executives.
- · Zero-day attacks on Adobe Flash Player
In 2016, a zero-day attack exploited a previously undiscovered vulnerability (CVE-2016-4117) in Adobe Flash Player. Additionally, in 2016, more than 100 organizations were also affected by a zero-day exploit (CVE-2016-0167) that enabled escalated privilege attacks targeting Microsoft Windows.
In 2011, malicious actors used an unpatched vulnerability in Adobe Flash Player to gain access to security company RSA’s network. The threat actors sent email attachments in Excel spreadsheets to several RSA employees. The Excel documents contained an embedded Flash file to exploit the zero-day vulnerability.
By opening one of the corrupted attachments, an employee unknowingly enabled the installation of the Poison Ivy remote administration tool that took control of the infected computer. Once they infiltrated the RSA network, the hackers searched, copied, and transmitted sensitive information to external servers under their control.
RSA later admitted that among the stolen data was sensitive information about the company’s SecurID two-factor authentication tools used globally to protect critical workloads and devices.
- · Zero-day attacks on Microsoft Office
In 2017, a zero-day vulnerability revealed that Microsoft Office documents in “rich text format” can allow the execution of a visual basic script that carries PowerShell commands when opened (CVE-2017-0199).
Another zero-day exploit from 2017 (CVE-2017-0261) carried encapsulated PostScript to present a platform to launch malware infections.
- · Operation Aurora
In 2009, a zero-day exploit targeted several major companies (Google, Yahoo, Adobe Systems, and Dow Chemical) to find and steal intellectual property (IP). The zero-day vulnerability existed in Internet Explorer and Perforce (Google used the latter to manage its source code).
How to detect a zero-day attack?
A zero-day attack is difficult to detect. Antivirus software, intrusion detection systems (IDS), and intrusion prevention systems (IPS) cannot identify the threat signature as it does not yet exist.
The optimal way to detect zero-day threats is through user behavior analysis. Most entities authorized to interact with your network generally exhibit specific patterns of usage and behavior, which is considered “normal” behavior. Network actions outside the normal range could indicate a zero-day threat.
Companies hit by a zero-day exploit will often detect unexpected traffic or suspicious scanning attempts from a service or client. In addition to behavioral analysis, organizations can also detect a zero-day threat through the following:
- · Existing malware database and malware behavior statistics for reference. However, even if those databases are updated in real-time, zero-day exploits take advantage of attackers’ newly discovered vulnerabilities. Therefore, by definition, an existing database is limited when it comes to detecting unknown threats.
- · Machine learning is increasingly used to detect previously recorded exploitation information to present a baseline for safe system behavior based on past and current system interaction data. As organizations collect more and more data, the approach can detect zero-day threats more reliably.
Since vulnerability exploitation is an ever-evolving field, a hybrid detection approach is recommended to protect organizations and their valuable business data.
How to protect against zero-day vulnerability exploits?
Because zero-day exploits are so difficult to detect, defending against them is challenging. Software vulnerability scanning tools rely on malware signature checkers to compare suspicious code to known malware signatures. When a zero-day attack uses a zero-day exploit that has not been found before, vulnerability scanning will not detect or block the malicious code.
Since zero-day attacks exploit an unknown security flaw, companies cannot know the specific exploit before it occurs. However, there are several methods to reduce risk exposure and protect companies against new threats.
Virtual local area networks (VLANs) can segregate specific network areas or use physical or virtual network segments to isolate essential traffic between company servers.
This way, even if attackers breach the company’s defenses and gain access to the network, they will not be able to steal data from business-critical network areas.
Keep all systems up to date
Proper patch management is crucial for organizations of all sizes.
Software developers will issue security patches as soon as they become aware of a potential exploitation threat. Applying zero-day and n-day patches as soon as possible will not fix unknown software vulnerabilities, but it will make it more difficult for a zero-day attack to succeed.
Implement network traffic encryption
It is impossible to detect all security vulnerabilities before a zero-day exploit occurs. However, enterprises can use an IP security protocol (IPsec) to invoke encryption and authentication to critical network traffic.
On the other hand, a lack of data encryption can make all information on the company’s network vulnerable, cause significant downtime, and severely impact revenue.
Implement IPS or IDS
Signature-based IPS and IDS may not be able to detect and counter an attack on their own. However, they can alert security teams to suspicious incoming files as a side effect of an attack in progress.
Malicious machines can access critical areas of the company’s environment and compromise devices across the network. Network access control (NAC) denies missing authorization, allowing only authorized people to browse those areas.
Carry out regular checks and inform employees
Regular vulnerability scanning across enterprise networks is critical to discovering vulnerabilities and blocking them before attackers can exploit them.
Additionally, many zero-day exploits rely on human error. Educating employees about good cybersecurity hygiene will keep them protected online and prevent accidentally enabled zero-day exploits and other malicious threats.