The term “zero-day” refers to a cybersecurity threat that is unknown to the makers of a system, its owners, or the general public. It can be a vulnerability, exploit, or attack that already poses a real threat by the time it is discovered. The name counts the number of days the vulnerability has been known, and therefore open to exploitation by attackers, at the moment it comes to light: zero.
These zero-day threats pose a significant risk because they can be used before the vendor has a chance to patch the vulnerability, making them particularly challenging to defend against.
A zero-day exploit is a technique cybercriminals use to attack systems containing a zero-day vulnerability. There are many exploit methods for launching and carrying out a zero-day attack. The malicious payload might perform code execution, credential theft, ransomware deployment, denial-of-service (DoS), and more.
Zero-day vulnerabilities can remain undetected for extended periods
Because nobody is looking for a flaw they do not know exists, zero-day vulnerabilities typically remain undiscovered for a long time. A single zero-day vulnerability can be used to compromise an organization for months before the organization detects and mitigates it.
The longer a vulnerability remains undetected, the longer a cybercriminal can exploit it. A cybercriminal can use an unknown zero-day vulnerability to exfiltrate large volumes of data. Typically, they will exfiltrate data slowly to avoid detection, so an organization might only identify the compromise once millions of records have been lost.
An advanced persistent threat (APT) can use a zero-day exploit
An APT using a zero-day exploit can be a global risk to data and computing systems. APTs are sophisticated threat actors capable of doing major damage to organizations. Via zero-day exploits, an APT can gain access to a large number of computing systems at high-profile organizations.
A prominent example was the SolarWinds supply chain attack, in which an organized cybercrime group exploited a zero-day vulnerability to breach US government agencies and a majority of the Fortune 500.
Zero-day exploits can target individuals, organizations, and governments. Some common targets include:
Anyone using technology or connected to the internet can potentially be a target of zero-day exploits, making it important for individuals and organizations to take steps to protect themselves.
Here are a few common ways attackers can deliver a zero-day exploit to a target device possessing a zero-day vulnerability:
Preventing zero-day exploits requires a multi-layered approach:
Zero-day exploits cannot be identified by traditional signature-based anti-malware systems. However, there are a few ways to identify suspicious behavior that might indicate a zero-day exploit:
Here are some recent examples of zero-day attacks. All of these vulnerabilities have since been patched, but at the time they were discovered they affected millions of organizations and billions of users around the world.
Microsoft provided a security update on August 11, 2021. This update included a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472), identified by researchers at Secura. Initially, the researchers did not publish any technical details, so the CVE in the security update did not receive due attention; later it was given the maximum Common Vulnerability Scoring System (CVSS) score of 10, the highest possible.
This vulnerability permits an unauthenticated attacker with network access to a domain controller to initiate a vulnerable Netlogon session and then gain domain administrator privileges. The only precondition for a successful exploit is a network connection to a domain controller, which makes this an extremely severe vulnerability.
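Because the Netlogon flaw leaves traces on the domain controller itself, the practical defender's question is what to look for in its logs. The following is an added example for this page, not code from Secura, Microsoft or Cynet: it triages Windows event records for two indicators Microsoft documented around CVE-2020-1472, namely Security event 4742 (a computer account changed) where the change is attributed to ANONYMOUS LOGON, and the System-log Netlogon events 5827/5828 (vulnerable secure channel denied) and 5829 (vulnerable secure channel allowed) that the August 2020 Netlogon update introduced. The JSON-lines record format, the host names and the severity labels are this example's own assumptions; the events are constructed, not captured.

```python
"""Triage Windows event records for the Zerologon (CVE-2020-1472) indicators
Microsoft documented. Added example: the records below are constructed JSON
lines, not captured logs, and the severity labels are this example's own."""
import json
from typing import Dict, List, Optional, Tuple

# Netlogon System-log event IDs introduced by the August 2020 Netlogon update:
#   5827 / 5828 = vulnerable secure-channel connection denied
#                 (machine account / trust account)
#   5829        = vulnerable connection still allowed (before enforcement mode)
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED_VULNERABLE = {5829}
COMPUTER_ACCOUNT_CHANGED = 4742  # Security log: "A computer account was changed"

SAMPLE_EVENTS = [  # constructed records, one JSON object per line
    '{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"}',
    '{"EventID": 4742, "SubjectUserName": "svc-join", "TargetUserName": "WS042$", "Computer": "DC01.corp.example"}',
    '{"EventID": 5829, "MachineName": "OLDPRINT", "Computer": "DC01.corp.example"}',
    '{"EventID": 5827, "MachineName": "unknown-host", "Computer": "DC01.corp.example"}',
    '{"EventID": 4624, "SubjectUserName": "alice", "LogonType": 2, "Computer": "WS042.corp.example"}',
]

Finding = Tuple[str, str]  # (severity, message)


def classify(event: Dict) -> Optional[Finding]:
    """Return a finding for one parsed event, or None if it is not relevant."""
    eid = event.get("EventID")
    if eid == COMPUTER_ACCOUNT_CHANGED:
        # A successful Zerologon exploit resets a machine account password over
        # an unauthenticated channel, so the change is attributed to
        # ANONYMOUS LOGON. A domain controller's own account (ends in $) is the
        # worst case, because it leads straight to domain admin.
        subject = event.get("SubjectUserName", "")
        target = event.get("TargetUserName", "")
        if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$"):
            return ("critical",
                    f"{target} changed by ANONYMOUS LOGON on {event.get('Computer')}")
    elif eid in NETLOGON_ALLOWED_VULNERABLE:
        # The DC accepted a vulnerable connection: enforcement mode is off and
        # this device still needs patching or an explicit, reviewed exception.
        return ("high",
                f"vulnerable Netlogon channel allowed for {event.get('MachineName')}")
    elif eid in NETLOGON_DENIED:
        # Denied after enforcement. Usually an unpatched legacy device, but an
        # exploit attempt logs the same way, so each source should be identified.
        return ("medium",
                f"vulnerable Netlogon channel denied for {event.get('MachineName')}")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Parse JSON-lines records and collect findings, skipping malformed lines."""
    findings: List[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad record must not stop triage of the rest
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity:8}] {message}")
```

Run as-is, the script reports the three relevant records in the sample and ignores the routine account change and the interactive logon. In a real deployment the same rules would be fed from Windows Event Forwarding or a SIEM export rather than from the embedded list, and the 4742 rule should alert immediately rather than wait for a batch run, since a machine account reset on a domain controller is the direct effect of a successful exploit.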
In April 2020, users reported zero-day attacks against the Sophos XG firewall. Cybercriminals were able to exploit a SQL injection vulnerability (CVE-2020-12271), attacking the firewall's built-in PostgreSQL database server.
If successfully exploited, attackers could use this vulnerability to inject code into the database. Using this code, they could then change firewall settings, allowing the installation of malware or providing access to corporate systems connected to the firewall.
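The defect class behind the Sophos XG example is a query that splices untrusted input into SQL text. As an added illustration, not Sophos code and not a reconstruction of CVE-2020-12271, the snippet below places a string-formatted lookup beside its parameterised replacement and shows how a reviewer confirms the fix with a classic tautology probe. It uses Python's built-in sqlite3 so it runs offline; the table and rows are constructed for this example. PostgreSQL drivers such as psycopg2 use %s placeholders, but the principle is identical: the value is bound by the driver and never parsed as SQL.

```python
"""Vulnerable versus parameterised lookup. Added example with a constructed
in-memory table; not the firewall's code."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a small constructed table of administrative accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO admin_users VALUES (?, ?)",
        [("admin", "superuser"), ("auditor", "readonly"), ("backup", "operator")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # DEFECT (kept on purpose for comparison): the caller's input becomes part
    # of the SQL text, so quote characters in `name` change what the statement
    # means instead of being compared as data.
    sql = f"SELECT name, role FROM admin_users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # FIX: `name` is passed as a bound parameter. The SQL text is fixed at
    # development time and the driver transmits the value separately.
    return conn.execute(
        "SELECT name, role FROM admin_users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # standard tautology probe a reviewer uses to verify a fix
    print(lookup_vulnerable(db, probe))  # every row: the WHERE clause became always-true
    print(lookup_safe(db, probe))        # []: no account is literally named "' OR '1'='1"
    print(lookup_safe(db, "admin"))      # [('admin', 'superuser')]: normal use still works
```

The probe is deliberately harmless and is the check a code reviewer or regression test should keep permanently: if `lookup_safe` ever returns more than the exact-name match for it, a string-built query has crept back in. Note also that a firewall's management database holds configuration, so the same defect in a query that writes rather than reads is what allows the settings changes the section above describes.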
In 2019, Microsoft’s legacy browser, Internet Explorer (IE), was found to have a vulnerability caused by a flaw in the way the IE scripting engine handles objects in memory (CVE-2020-0674). It affected IE versions 9 through 11.
Attackers could leverage this vulnerability by luring users to a website crafted to exploit the weakness, for example via phishing emails or malicious link redirection.
In March 2020, Microsoft notified users of zero-day attacks exploiting two distinct vulnerabilities. The vulnerabilities affected all supported versions of Windows, and a patch was not expected for weeks. The attacks targeted remote code execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library, which is built into Windows to manage PostScript Type 1 fonts.
The weaknesses in the Adobe library permitted attackers to remotely run scripts via malicious documents. The attackers transmitted the documents via spam, or tricked users into downloading them. The scripts would run and infect the device as soon as the user previewed or opened the document in Windows File Explorer.
The Cynet 360 Advanced Threat Detection and Response platform gives protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.
Block exploit-like behavior
Cynet monitors endpoint memory to find behavioral patterns that are typical of exploits, including unusual process handle requests. These patterns are features of the vast majority of exploits, whether known or new, so by identifying them Cynet is able to provide effective protection against zero-day exploits and more.
Block exploit-derived malware
Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.
Uncover hidden threats
Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. Together, these detections supply a holistic account of how an attack works, irrespective of where the attack may attempt to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.
You can carry out manual or automatic remediation, so your security teams have a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they do harm.