Software vendors continuously search for overlooked vulnerabilities and, upon discovering one, issue a code fix known as a ‘patch’. A zero-day vulnerability, however, is a software weakness that attackers find before the vendor has discovered the flaw.
In this article, we’ll provide insight into the workings behind zero-day attacks, discuss top zero-day vulnerability trends and see some examples of zero-day attacks.
In this article, you will learn:
From time to time, vulnerabilities are discovered in computing systems. These vulnerabilities represent security holes that allow attackers to gain unauthorized access to, damage or compromise a system. Known vulnerabilities are documented in public repositories such as the National Vulnerability Database (NVD).
Both software vendors and independent security researchers are constantly on the lookout for new vulnerabilities in software products. When a vulnerability is discovered, it is the software vendor’s responsibility to quickly issue a patch that addresses the security issue – users of the software can then install the patch to protect themselves.
A zero-day (or 0-day) attack exploits a software vulnerability before the vendor has become aware of it. At that point no patch exists, so attackers can exploit the vulnerability knowing that no defenses are in place. This makes zero-day vulnerabilities a severe security threat.
Once attackers identify a zero-day vulnerability, they need a delivery mechanism to reach the vulnerable system. In many cases the delivery mechanism is a socially engineered email – an email or other message that is supposedly from a known or legitimate correspondent, but is actually from an attacker. The message tries to convince a user to perform an action such as opening a file or visiting a malicious website, unwittingly activating the exploit.
A zero-day exploit occurs when an attacker leverages a zero-day vulnerability to attack a system. These exploits are especially dangerous because they are more likely to succeed than attacks against established vulnerabilities. On day zero, when a vulnerability is made public, organizations have not yet had a chance to patch it, making the exploit possible.
Something that makes zero-day exploits even more dangerous is that some advanced cybercriminal groups use zero-day exploits strategically. These groups reserve zero-day exploits for use with high-value targets, such as medical or financial institutions, or government organizations. This reduces the chance that a vulnerability is discovered by the victim and can increase the lifespan of the exploit.
Even after a patch is developed, users must still update their systems. If they don’t, attackers can continue to take advantage of a zero-day exploit until the system is patched.
A zero-day attack typically proceeds as follows:
Threat actors who plan and carry out zero-day attacks can belong to several categories:
Targeted zero-day attacks are carried out against high-profile targets, such as government or public institutions, large organizations, and senior employees who have privileged access to corporate systems, sensitive data, intellectual property or financial assets.
Non-targeted zero-day attacks are typically waged against a large number of home or business users who use a vulnerable system, such as an operating system or browser. Often, the attacker’s goal is to compromise these systems and use them to build massive botnets. A recent example was the WannaCry attack, which used the EternalBlue exploit in the Windows SMB file protocol to compromise over 200,000 machines in one day. Non-targeted attacks can also target hardware, firmware and Internet of Things (IoT) devices.
Zero-day exploits seen in the wild grew from eight in 2016 to 49 in 2017. The Trend Micro Zero Day Initiative, a network of researchers that encourages zero-day research, found 382 new vulnerabilities in the first half of 2018. Not all vulnerabilities are actively targeted by attackers and only some have exploits available.
Experts anticipate that zero-day exploits will become much more frequent. Cybersecurity Ventures expects that by 2021, attackers will launch a new exploit daily. In 2015, there was approximately one exploit per week.
The following are three examples of high profile zero-day attacks, illustrating the severe risk zero-day attacks pose for organizations.
Stuxnet was labelled the world’s first cyber weapon. It was malware used to break into Iran’s uranium enrichment centrifuges in 2006. Many experts believe that the National Security Agency (NSA) created the zero-day exploit. Stuxnet infected a specific industrial control system and sped up or slowed down the centrifuges to the point where they destroyed themselves. During this process, Iranian monitoring systems were made to show the systems operating normally.
In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to gain entry into the network of security vendor RSA. The attackers sent emails with Excel spreadsheet attachments to RSA employees; the attachments activated an embedded Flash file, which exploited the zero-day Flash vulnerability. The data stolen included key information used by RSA customers in SecurID security tokens.
In 2014, a zero-day attack targeted Sony Pictures. While the details of the vulnerability exploited in the attack remain unknown, the attack brought down Sony’s network, and attackers leaked sensitive corporate data on file sharing sites, including personal information about Sony employees and their families, internal correspondence, information about executive salaries, and copies of unreleased Sony films. Attackers used a variant of the Shamoon wiper malware to erase multiple systems on Sony’s corporate network.
A zero-day vulnerability is a valuable asset. It is valuable to software vendors, who want to protect their users, and valuable to attackers, who can use it to their advantage.
Three markets have emerged, on which both legitimate and malicious researchers trade zero-day vulnerabilities and exploits:
Zero day attacks are difficult to defend against, but there are ways to prepare. Read our guide to zero-day protection to understand four best practices that can help you prevent zero-day attacks:
The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans that can evade traditional signature-based security measures.
Cynet monitors endpoint memory to discover behavioral patterns typical of exploits, such as unusual process handle requests. These patterns are common to the vast majority of exploits, whether known or new, which provides effective protection even against zero-day exploits.
Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing and process behavior monitoring, supplemented by fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker and downloads additional malware, Cynet will prevent this malware from running so no harm can be done.
Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks. They provide a holistic account of the operation of an attack, irrespective of where the attack may try to penetrate.
Cynet uses a powerful correlation engine and delivers its attack findings with near-zero false positives and without excessive noise. This simplifies response for security teams so they can react to the incidents that matter.
You can carry out automatic or manual remediation, so your security teams have a highly effective yet straight-forward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage.