See Cynet 360 AutoXDR™ in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners

Request a Demo

Zero-Day Exploit: Recent Examples and Four Detection Strategies

What is a Zero-Day Exploit?

Zero-day exploits are techniques used by malicious actors to attack a system that has a vulnerability, while the users and developers of the system are still unaware of the vulnerability.

The term “ zero day attack ” refers to the fact that the vulnerability is new and has been known for zero days, or in other words, unknown. Malicious actors, or other parties, might discover a vulnerability and wait to use it strategically, or sell it to others who have the ability to exploit it. Zero day vulnerabilities are extremely dangerous because, by definition, no measures have been taken to remediate or protect against the vulnerability.

In this article:

Why are Zero-Day Exploits Dangerous?

A zero-day exploit is a technique cyber criminals use to attack systems containing a zero-day vulnerability. There are many exploit methods for launching and carrying out a zero-day attack. The malicious payload might perform code execution, credential theft, ransomware, denial-of-service (DoS), and more.

Zero-day vulnerabilities can remain undetected for extended periods

Because zero-day vulnerabilities are unknown, potential vulnerabilities typically remain undiscovered. A zero-day vulnerability can be used to compromise organizations for months before the organization detects and mitigates the vulnerability.

The longer a vulnerability remains undetected, the longer a cybercriminal can exploit it. A cybercriminal can use unknown zero-day vulnerabilities to exfiltrate large volumes of data. Typically, they will exfiltrate data slowly to prevent detection. An organization might only identify the compromise once millions of records are lost.

An advanced persistent threat (APT) can use a zero-day exploit

An APT using a zero-day exploit can be a global risk to data and computing systems. APTs are sophisticated threat actors who can do major damage to organizations. Via zero-day exploits, an APT can gain access to a large number of computing systems at high profile organizations.

A prominent example was the SolarWinds supply chain attack, in which an organized cybercrime group exploited a zero-day vulnerability to breach to US government agencies and a majority of the Fortune 500.

Related content: Read our guide to zero day malware

Recent Examples of Zero-Day Exploits

Here are some recent examples of zero-day attacks. All these vulnerabilities have since been patched, but at the time they were discovered, they impacted millions of organizations and billions of users around the world.

Zerologon

Microsoft provided a security update on August 11, 2021. This update included a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472), identified by researchers at Secura. Initially, they did not publish any technical details, so the CVE in the security update did not receive due attention, but later it was given a maximum Common Vulnerability Scoring System (CVSS) score of 10, the highest possible.

This vulnerability permits an unauthenticated attacker with network access to a domain controller to initiate a vulnerable Netlogon session. The attacker can then gain domain administrator privileges. The only condition for an effective exploit is establishing a connection with a domain controller, making this an extremely severe vulnerability.

Sophos

In April 2020, users reported zero-day attacks regarding the Sophos XG firewall. Cybercriminals were able to exploit a SQL injection vulnerability (CVE-2020-12271), attacking the built-in PostgreSQL database server of the firewall.

If effectively exploited, attackers could use this vulnerability to inject code into the database. Using this code, they could then change firewall settings, allowing the installation of malware or providing access to corporate systems connected to the firewall.

Internet Explorer

In 2019, Microsoft’s legacy browser, Internet Explorer (IE), experienced a vulnerability due to a flaw in the way the IE scripting engine manages objects in memory (CVE-2020-0674). It affected IE versions 9-11.

Attackers could leverage this vulnerability by prompting users to visit a website created to exploit the weakness. They could achieve this via phishing emails or malicious link redirection.

Microsoft RCE

In March 2020, Microsoft notified users of zero-day attacks exploiting two distinct vulnerabilities. The vulnerabilities impacted all supported versions of Windows, and vendors did not expect a patch for weeks. The attacks targeted remote code execution (RCE) vulnerabilities. These vulnerabilities were in the Adobe Type Manager (ATM) library, built into Windows to manage PostScript Type 1 fonts.

The weaknesses in the Adobe library permitted attackers to remotely run scripts via malicious documents. The attackers transmitted the documents via spam, or users were tricked into downloading them. The scripts would run and infect their devices when users previewed or opened the documents with Windows File Explorer.

How are Zero-Day Exploits Delivered to Target Devices?

Here are a few common ways attackers can deliver a zero-day exploit to a target device possessing a zero-day vulnerability:

  • Spear phishing—sophisticated threat actors can carefully design a phishing attack against a privileged individual in the targeted organization. By compromising a privileged account, they can deliver zero-day exploits to high-value systems in an organization.
  • Spam and phishing—an attacker can send a message to many recipients in different organizations. Even if only a small percentage responds to the phishing message and clicks a malicious link or opens an attachment, the attacker can deploy the zero-day exploit to their local device. The exploit will often attempt to infect other machines in the network or spread itself via the victim’s contact list.
  • Malvertising and malicious sites—an attacker can compromise a website and inject a zero-day exploit via a script. When a user visits the website, the script runs in their browser and deploys the zero-day exploit.
  • Unauthorized access—attackers can attempt brute force attacks or exploit other, known vulnerabilities to compromise a system, network, or server. After penetrating the system, they can deploy the zero-day vulnerability.

4 Strategies for Detecting Zero-Day Exploits

Zero-day exploits cannot be identified by traditional signature-based anti-malware systems. However, there are a few ways to identify suspicious behavior that might indicate a zero-day exploit:

  1. Statistics-based monitoring—anti-malware vendors provide statistics on exploits they previously detected. Organizations can feed these data points into a machine learning system to identify current attacks. This type of detection has limitations when discovering new threats as it can be predisposed to false negatives and false positives.
  2. Signature-based variant detection—all exploits have a digital signature. Organizations can feed digital signatures into machine learning algorithms and artificial intelligence systems to identify variants of prior attacks.
  3. Behavior-based monitoring—malicious software uses procedures to probe a system. Behavior-based detection creates alerts when it identifies suspicious scanning and traffic on the network. Rather than analyzing in-memory or signatures activity, behavior-based detection discovers malware by looking at how it interacts with devices.
  4. Hybrid detection—a hybrid detection approach uses all three methods mentioned above. It can use all three monitoring and identification approaches to be more efficient at discovering zero-day malware.

Related content: Read our guide to zero-day attack prevention

Zero-Day Attack Protection with Cynet

The Cynet 360 Advanced Threat Detection and Response platform gives protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.

Block exploit-like behavior

Cynet monitors endpoint memory to find behavioral patterns that are typical of exploits, including unusual process handle requests. These patterns are features of the vast majority of exploits, whether known or new. Cynet is able to provide effective protection against zero-day exploits and more, by identifying such patterns.

Block exploit-derived malware

Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.

Uncover hidden threats

Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. They supply a holistic account of the workings of an attack, irrespective of where the attack may attempt to penetrate.

Accurate and precise

Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.

You can carry out manual, or automatic remediation, so your security teams have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they do harm.

Learn more about Cynet 360 Autonomous Breach Protection

Let’s Get Started

Ready to extend visibility, threat detection and response?

Request a Demo