Zero-day exploits are techniques used by malicious actors to attack a system that has a vulnerability, while the users and developers of the system are still unaware of the vulnerability.
The term "zero-day attack" refers to the fact that the vulnerability is new and has been known for zero days, or in other words, is unknown. Malicious actors, or other parties, might discover a vulnerability and wait to use it strategically, or sell it to others who have the ability to exploit it. Zero-day vulnerabilities are extremely dangerous because, by definition, no measures have been taken to remediate or protect against the vulnerability.
A zero-day exploit is a technique cyber criminals use to attack systems containing a zero-day vulnerability. There are many exploit methods for launching and carrying out a zero-day attack. The malicious payload might perform code execution, credential theft, ransomware, denial-of-service (DoS), and more.
Zero-day vulnerabilities can remain undetected for extended periods
Because zero-day vulnerabilities are by definition unknown to the vendor and its users, they typically remain undiscovered for some time. A zero-day vulnerability can be used to compromise organizations for months before the organization detects and mitigates the vulnerability.
The longer a vulnerability remains undetected, the longer a cybercriminal can exploit it. A cybercriminal can use unknown zero-day vulnerabilities to exfiltrate large volumes of data. Typically, they will exfiltrate data slowly to prevent detection. An organization might only identify the compromise once millions of records are lost.
An advanced persistent threat (APT) can use a zero-day exploit
An APT using a zero-day exploit can be a global risk to data and computing systems. APTs are sophisticated threat actors who can do major damage to organizations. Via zero-day exploits, an APT can gain access to a large number of computing systems at high profile organizations.
A prominent example was the SolarWinds supply chain attack, in which an organized cybercrime group exploited a zero-day vulnerability to breach US government agencies and a majority of the Fortune 500.
Here are some recent examples of zero-day attacks. All these vulnerabilities have since been patched, but at the time they were discovered, they impacted millions of organizations and billions of users around the world.
Microsoft provided a security update on August 11, 2021. This update included a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472), identified by researchers at Secura. Initially, Secura did not publish any technical details, so the CVE in the security update did not receive due attention, but it was later given a Common Vulnerability Scoring System (CVSS) score of 10, the highest possible.
This vulnerability permits an unauthenticated attacker with network access to a domain controller to initiate a vulnerable Netlogon session. The attacker can then gain domain administrator privileges. The only condition for an effective exploit is establishing a connection with a domain controller, making this an extremely severe vulnerability.
In April 2020, users reported zero-day attacks regarding the Sophos XG firewall. Cybercriminals were able to exploit a SQL injection vulnerability (CVE-2020-12271), attacking the built-in PostgreSQL database server of the firewall.
If effectively exploited, attackers could use this vulnerability to inject code into the database. Using this code, they could then change firewall settings, allowing the installation of malware or providing access to corporate systems connected to the firewall.
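The Sophos XG case above is an instance of SQL injection: input from a request is spliced into query text, so the input can rewrite the query itself. The following is an added illustration of that defect class and its standard fix, not code from the article or from Sophos; the table, rule names and the "firewall config store" role of the database are constructed for the example, using Python's built-in sqlite3 module in place of a real PostgreSQL server.

```python
import re
import sqlite3

# Allow-list for rule names; anything else is rejected before it reaches the database (constructed policy).
RULE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def build_demo_db():
    """Create an in-memory database standing in for a firewall's config store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE firewall_rules (id INTEGER PRIMARY KEY, name TEXT NOT NULL, action TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO firewall_rules (name, action) VALUES (?, ?)",
        [("allow-dns", "allow"), ("allow-https", "allow"), ("block-telnet", "deny")],
    )
    conn.commit()
    return conn


def lookup_rule_vulnerable(conn, name):
    """Builds the SQL by string concatenation: the caller's input becomes part of the query syntax."""
    sql = "SELECT id, name, action FROM firewall_rules WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_rule_safe(conn, name):
    """Same query with a bound parameter: the driver passes the value separately, never as SQL text."""
    sql = "SELECT id, name, action FROM firewall_rules WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_rule_name(name):
    """True if the input looks like a rule name under the allow-list above."""
    return RULE_NAME_RE.match(name) is not None


def lookup_rule_validated(conn, name):
    """Defence in depth: reject malformed input first, then use the parameterised query."""
    if not is_valid_rule_name(name):
        raise ValueError("invalid rule name")
    return lookup_rule_safe(conn, name)


# Textbook probe used in every SQL injection tutorial: closes the string literal and appends an
# always-true clause, so the concatenated query matches every row.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:   ", lookup_rule_vulnerable(db, TAUTOLOGY))  # all three rows come back
    print("parameterised:", lookup_rule_safe(db, TAUTOLOGY))        # [] : no rule has that literal name
    print("validated:    ", "rejected" if not is_valid_rule_name(TAUTOLOGY) else "accepted")
```

The concatenated form is the same mistake whether the backend is SQLite or PostgreSQL; the fix is the bound parameter, with input validation as a second layer rather than a substitute.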
In 2019, Microsoft’s legacy browser, Internet Explorer (IE), experienced a vulnerability due to a flaw in the way the IE scripting engine manages objects in memory (CVE-2020-0674). It affected IE versions 9-11.
Attackers could leverage this vulnerability by prompting users to visit a website created to exploit the weakness. They could achieve this via phishing emails or malicious link redirection.
In March 2020, Microsoft notified users of zero-day attacks exploiting two distinct vulnerabilities. The vulnerabilities impacted all supported versions of Windows, and a patch was not expected for weeks. The attacks targeted remote code execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library, which is built into Windows to manage PostScript Type 1 fonts.
The weaknesses in the Adobe library permitted attackers to remotely run scripts via malicious documents. The attackers transmitted the documents via spam, or users were tricked into downloading them. The scripts would run and infect their devices when users previewed or opened the documents with Windows File Explorer.
Here are a few common ways attackers can deliver a zero-day exploit to a target device possessing a zero-day vulnerability:
Zero-day exploits cannot be identified by traditional signature-based anti-malware systems. However, there are a few ways to identify suspicious behavior that might indicate a zero-day exploit:
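Behavior-based detection looks at what a process does rather than what its bytes look like, which is why it can catch an exploit that no signature describes. The following is an added example of that idea, not code from the article and not a description of any vendor's engine: a few generic heuristics (a document viewer launching a script host, an encoded PowerShell command line, a binary executing from a user temp directory) run over constructed process-creation events. The field layout, rule names and sample events are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record from endpoint telemetry (constructed field layout)."""
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry mirroring the "malicious document" delivery described above.
SAMPLE_EVENTS = [
    ProcessEvent("2020-03-24T09:01:10Z", "ws-17", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    ProcessEvent("2020-03-24T09:01:14Z", "ws-17", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"),  # placeholder payload
    ProcessEvent("2020-03-24T09:01:20Z", "ws-17", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe"),
    ProcessEvent("2020-03-24T09:05:00Z", "ws-22", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcessEvent("2020-03-24T09:06:00Z", "ws-22", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

# Heuristic vocabularies (constructed; a production rule set would be far larger and tuned per environment).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every heuristic the event trips; an empty list means nothing of note."""
    findings = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
        findings.append("document_app_spawned_script_host")
    if child == "powershell.exe" and ENCODED_PS_RE.search(event.cmdline):
        findings.append("encoded_powershell")
    if TEMP_DIR_RE.search(event.image):
        findings.append("execution_from_temp_dir")
    return findings


def scan(events):
    """Flatten per-event findings into (timestamp, host, process, rule) alert tuples."""
    return [(e.ts, e.host, basename(e.image), rule) for e in events for rule in evaluate(e)]


def suspicious_hosts(events, threshold=2):
    """Hosts that tripped at least `threshold` distinct heuristics; correlating rules cuts single-rule noise."""
    rules_by_host = defaultdict(set)
    for _, host, _, rule in scan(events):
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("hosts to triage:", suspicious_hosts(SAMPLE_EVENTS))
```

None of these rules knows anything about the particular vulnerability being exploited; they fire on the chain of actions an exploit has to perform after it succeeds, which is the property that lets behavioral detection cover zero-days that signature scanning misses. The host-level correlation step is what keeps a single benign encoded command or temp-directory installer from becoming an alert on its own.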
The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.
Block exploit-like behavior
Cynet monitors endpoint memory to find behavioral patterns that are typical of exploits, including unusual process handle requests. These patterns are features of the vast majority of exploits, whether known or new. Cynet is able to provide effective protection against zero-day exploits and more, by identifying such patterns.
Block exploit-derived malware
Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.
Uncover hidden threats
Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. Together, these signals provide a holistic account of how an attack works, regardless of where the attack attempts to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.
You can carry out manual or automatic remediation, so your security teams have a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they do harm.