
A Closer Look at The Zero-Day

Threat Intelligence • May 25, 2022

A zero-day is one of the most valuable weapons an attacker can have. Exploits for these bugs have compromised some of the biggest companies and even governments. Also known as “never before seen” vulnerabilities, they are used to ambush victims and leave defenders no time to remediate before the attack lands.


In this blog we’re exploring the zero-day vulnerability - what it is, how it works, and how to prevent attacks.

What Is a Zero-Day?

The term “zero-day” originally referred to the amount of time since a piece of software was released, and in IT it is still used loosely for the first day something becomes known or is expected to happen. In the infosec world, “zero-day” is commonly associated with either a zero-day vulnerability or a zero-day attack.

Why is it Called a Zero-Day?

“Zero-day” refers to the number of days the software vendor has known about the vulnerability or its exploit. In the case of a zero-day vulnerability the developers have had zero days to fix it, because they had no prior knowledge of it; day 0 marks the start of the time it takes them to produce and ship a patch.

Zero Day Vulnerability, Exploit, and Attack

Vulnerability, attack, and exploit are three terms that are most commonly used with zero-days. What does each of them mean? Check out the quick breakdown below: 

Vulnerability - A zero-day vulnerability is a security flaw in a system that is unknown to its developers or vendor, and is usually found by attackers first.

Attack - When hackers use such zero-day vulnerabilities to compromise a system or device, it is known as a zero-day attack. 

Exploit - The code or technique hackers use to exploit a zero-day vulnerability and subsequently attack and infiltrate systems is called a zero-day exploit.

How Do Zero-Day Attacks Work?

When developers release new software, attackers work relentlessly to find vulnerabilities in it. Once a vulnerability is found and exploited before the vendor knows it exists, the zero-day attack begins.


Security researchers have broken down the timeline of a zero-day attack into the following 7 stages from the creation of the vulnerability to patch release:

Stages of a Zero-Day Attack

Vulnerability Introduction - Software containing vulnerable code is written and released. Attackers then analyse the software, by reviewing its source where available or by reverse engineering and fuzzing the binary, to find vulnerabilities. They may also stockpile zero-days by buying them on the grey and black markets.

Exploit Code Released - The attacker discovers the vulnerability before the developer becomes aware of its existence, and develops malicious code or another technical means to exploit it.

Vulnerability Discovery - The software vendor becomes aware of the security vulnerability. However, a patch does not exist for the vulnerability yet.

Vulnerability Disclosure - The vulnerability is publicly acknowledged and users are alerted about it.

Releasing Antivirus Signatures - Antivirus vendors write signatures for the malware used in the attack and ship them to customers. These signatures only cover that particular malware: the underlying vulnerability is still open, so an attacker who switches to a different payload, or who uses a living-off-the-land technique with no malware at all, is not stopped, and systems that were already compromised stay compromised.

Security Patch Released - A public fix is released to close the vulnerability. 

Security Patch Deployment - Even after the release of the patch, it can take a while for users to deploy it, and that window is itself heavily exploited, because attackers can diff the patched binary against the old one to locate the bug. It is therefore recommended to enable automatic updates on all systems.

Types of Zero-Day Attacks

Zero-day attacks are usually of two types: targeted and non-targeted. High-profile targets such as governments, public institutions, and large corporations are the victims of targeted attacks, since they hold sensitive data, financial assets, and/or intellectual property. Non-targeted zero-day attacks, by contrast, go after a broad population of residential or corporate users who happen to run a vulnerable operating system or browser.

Who Carries Out Zero-Day Attacks?

Many kinds of people carry out zero-day attacks, for various purposes: cybercriminals motivated by money, hacktivists with political aims, competitors or state actors conducting corporate espionage to obtain confidential information from businesses, and nation states engaged in cyber warfare against other nations.

How Are Zero-Day Bugs and Attacks Discovered?

Software vendors try to prevent or eradicate security flaws with regular updates that contain the necessary patches. Developers working internally find many of the security holes themselves, through code review and testing. However, outsiders also help to spot bugs in the code. They include:

Security Researchers - These are skilled computer experts that use their technical knowledge and expertise to identify vulnerabilities within an organization or industry.

 
White Hat Hackers - Also known as ethical hackers, these specialists are often hired by companies to help bolster their network security. Their job may include identifying zero-day bugs. 

 
Grey Hat Hackers - Grey hat hackers are similar to white hat hackers, but they don’t work for the company whose software they test. They can find zero-day flaws for many reasons: to land a dream job, to gain recognition, or simply for fun. 

 
Competitions - Software companies sometimes organise or sponsor contests that pay hackers for finding flaws in their products. At these events, hackers uncover holes in mobile apps, operating systems, computers, and web browsers. 

 

Zero-day attacks, on the other hand, are usually discovered by the end user, when the exploited software or system starts to behave suspiciously. The following scenarios could indicate an attack in progress or a compromise that has already happened:

  • Unusual traffic on a legitimate port, such as non-TLS data on 443 or oversized DNS queries on 53
  • Unexpected outbound connections or considerable scanning activity coming from a client or a server
  • A client or server that keeps exhibiting the same suspicious behaviour even after all available patches have been applied, which points to an unpatched flaw or to persistence the attacker has already established

Example Zero-Day Attacks

Zero-day attacks are particularly dangerous attacks because nobody anticipates them. Organizations are left vulnerable and exposed with no immediate solution at hand. This is why 0-day attacks pose a very high risk to businesses. Let’s explore some of the most high-profile attacks till date:

Stuxnet

Stuxnet is widely regarded as the world's first digital weapon. It was discovered in 2010, with samples dating back to at least 2009, and its objective was to sabotage Iran’s uranium-enrichment program: rather than attacking the centrifuges directly, it reprogrammed the Siemens programmable logic controllers that drove them, so that the centrifuges ran outside their safe operating range and were eventually destroyed. It is widely believed that the American and Israeli governments worked together to create the worm. Stuxnet entered networks primarily via USB sticks and infected Windows computers; once inside a network, it used a variety of methods to spread and to gain privilege. Among these techniques were four zero-day exploits, all unknown and unpatched at the time the worm was released, which it used to infect other computers.

Chrome Zero-Day Vulnerability

In December 2021, Google released an emergency fix for a high-severity zero-day vulnerability that was being exploited in the wild. The patched bug, tracked as CVE-2021-4102, was a use-after-free in V8, the open-source JavaScript engine used by Chrome and other Chromium-based browsers, and was reported by an anonymous researcher on the 9th of December. Across the whole industry, Google’s Project Zero counted 58 zero-days exploited in the wild in 2021, more than double the 25 it had recorded in 2020, although Project Zero suggested that much of the rise reflected improved detection and disclosure rather than more attacks.

Apple iOS

Earlier this year, Apple shipped emergency fixes for two zero-day vulnerabilities affecting iPhones, iPads, and Macs. Both were being exploited in the wild and gave attackers access to the kernel, the most security-sensitive part of the OS. The first flaw, tracked as CVE-2022-22675, was an out-of-bounds write in the AppleAVD media decoder, present in macOS Monterey and in iOS and iPadOS for most iPhone and iPad models; it allowed an application to execute arbitrary code with kernel privileges. The second, CVE-2022-22674, was an out-of-bounds read in the Intel graphics driver on macOS that could disclose kernel memory. Together they were the fourth and fifth zero-days Apple had patched in 2022.

How to Protect Against Zero-Day Attacks

Listed below are a few security strategies that can help protect your business from 0-day attacks and lessen their impact:

Real-time Protection

While it is impossible to foresee the exact technique a zero-day exploit will use, it is possible to monitor your network continuously for suspicious or unusual activity. Deploy a Network Intrusion Prevention System (NIPS) that can inspect and block traffic in real time. Its signature rules will not match an exploit nobody has seen yet, so what matters for zero-days is the anomaly-based side: the NIPS learns the day-to-day patterns of activity on your network and alerts on deviations from that baseline, such as a workstation that starts scanning servers, new outbound destinations, or payloads that do not look like the protocol normally carried on a port. Tune the baseline carefully; an anomaly engine that fires on every new application will be ignored.
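The indicator list above (unusual traffic on a legitimate port, scanning from a client, behaviour that persists after patching) and the baseline-driven monitoring this section describes can be demonstrated with a small detector. The following is an added example written for this page, not code from the original post or from Threat Intelligence; the flow records are constructed, the `app` field stands in for the payload label a DPI engine would assign, and the thresholds (20 ports for a scan, three standard deviations for volume) are illustrative choices:

```python
"""Baseline-and-deviate detection over connection records.

Added example, not code from the original post or from Threat Intelligence.
Learns what "normal" traffic looks like from a week of flow records, then
scores a new window for the indicators the post lists. All records below are
constructed; the `app` label stands in for what a DPI engine would assign.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    bytes_out: int
    app: str  # payload label from a DPI engine (constructed here)


# Constructed "normal week": two workstations talk TLS to two web hosts and
# DNS to the internal resolver; nothing else.
BASELINE_FLOWS = [Flow(*r) for r in [
    ("10.0.1.20", "93.184.216.34", 443, 1800, "tls"),
    ("10.0.1.20", "93.184.216.34", 443, 2100, "tls"),
    ("10.0.1.20", "151.101.1.69", 443, 1500, "tls"),
    ("10.0.1.20", "10.0.0.53", 53, 90, "dns"),
    ("10.0.1.20", "10.0.0.53", 53, 110, "dns"),
    ("10.0.1.20", "10.0.0.53", 53, 95, "dns"),
    ("10.0.1.21", "93.184.216.34", 443, 1700, "tls"),
    ("10.0.1.21", "10.0.0.53", 53, 100, "dns"),
]]

# Constructed "current hour": 10.0.1.20 still browses normally, but also sends
# a non-TLS blob to an outside host on 443 (C2 hiding on a legitimate port),
# issues an oversized DNS query (exfil), and sweeps ports on the file server.
CURRENT_FLOWS = [Flow(*r) for r in [
    ("10.0.1.20", "93.184.216.34", 443, 1900, "tls"),
    ("10.0.1.20", "203.0.113.77", 443, 5200, "unknown-binary"),
    ("10.0.1.20", "10.0.0.53", 53, 4100, "dns"),
] + [("10.0.1.20", "10.0.2.5", port, 60, "unknown-binary") for port in range(20, 45)]]


def build_baseline(flows):
    """Record which payload labels normally appear on each destination port,
    and the mean/standard deviation of bytes per flow for each (src, port)."""
    apps_on_port = defaultdict(set)
    sizes = defaultdict(list)
    for f in flows:
        apps_on_port[f.dport].add(f.app)
        sizes[(f.src, f.dport)].append(f.bytes_out)
    volume = {key: (mean(v), pstdev(v)) for key, v in sizes.items()}
    return {"apps_on_port": apps_on_port, "volume": volume}


def detect(flows, baseline, scan_ports=20, sigma=3.0):
    """Return sorted (src, indicator, detail) alerts for a window of flows."""
    alerts = set()
    ports_hit = defaultdict(set)  # (src, dst) -> distinct destination ports
    for f in flows:
        ports_hit[(f.src, f.dst)].add(f.dport)
        # Indicator 1: a payload that does not match what this port normally carries.
        known = baseline["apps_on_port"].get(f.dport)
        if known and f.app not in known:
            alerts.add((f.src, "unusual_traffic_on_legit_port",
                        f"{f.app} to {f.dst}:{f.dport}, expected {sorted(known)}"))
        # Volume far above this host's own baseline for the port. The 5% floor
        # stops a zero-variance baseline from alerting on every byte of change.
        stats = baseline["volume"].get((f.src, f.dport))
        if stats:
            mu, sd = stats
            if f.bytes_out > mu + sigma * max(sd, 0.05 * mu):
                alerts.add((f.src, "volume_anomaly",
                            f"{f.bytes_out}B to {f.dst}:{f.dport}, baseline mean {mu:.0f}B"))
    # Indicator 2: one source touching many distinct ports on one destination.
    for (src, dst), ports in ports_hit.items():
        if len(ports) >= scan_ports:
            alerts.add((src, "port_scan", f"{len(ports)} distinct ports on {dst}"))
    return sorted(alerts)


def persisting(alerts_before, alerts_after):
    """Indicator 3: the same (host, indicator) pairs still firing after patching
    suggests an unpatched flaw or persistence the attacker already established."""
    keys = lambda alerts: {(src, ind) for src, ind, _ in alerts}
    return sorted(keys(alerts_before) & keys(alerts_after))


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in detect(CURRENT_FLOWS, base):
        print(alert)
```

Run against the constructed data, the detector stays silent on the baseline week and raises four alerts on the current hour: a port scan against 10.0.2.5, a non-TLS payload on 443, and two volume anomalies (the 443 blob and the oversized DNS query). Re-running `detect` on a window captured after patching and feeding both alert lists to `persisting` gives the third indicator from the list above. The weakness to keep in mind is the baseline itself: if the learning window already contained attacker traffic, that traffic becomes "normal".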

Vulnerability Scanning

Static and dynamic analysis tools review source code for unsafe patterns, fuzzers feed malformed input to binaries to find crashes, and vulnerability scanners check deployed systems for known-vulnerable versions and misconfigurations; running them again after each software update catches issues the update introduced. None of this guarantees that every 0-day flaw will be found, and a scanner in particular only knows about vulnerabilities that have already been published. Moreover, the most important part of a scan is what comes after. Businesses need to review the results and act quickly to fix the issues that have been spotted.

Least Privilege

Enforcing the principle of least privilege across your organization is always the best practice to follow. In addition to minimizing the impact of zero-day attacks, it protects your business against a host of other threats. Least privilege requires that you give users, devices, and applications only the permissions they need to operate. By restricting access this way, you limit what an attacker who exploits a zero-day in one component can do: an exploited browser running as a standard user cannot install a kernel driver, and a compromised service account with read-only access cannot delete your backups.
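The hard part of least privilege is finding out what a principal actually needs. One practical way is to compare the permissions it holds with the ones it has exercised in the audit log and cut the rest. The following is an added example, not code from the original post or from Threat Intelligence; the grant format and the audit records are constructed for the example and are not any cloud provider’s exact schema, though the approach is the same one a cloud "unused access" analyser applies:

```python
"""Least-privilege audit: compare the permissions a principal holds with the
ones it has actually exercised, and emit the tightened policy.

Added example, not code from the original post or from Threat Intelligence.
The policy shape and the audit log are constructed for the example and are
not any cloud provider's exact schema.
"""
import fnmatch
import json
from collections import defaultdict

# Constructed grants: action patterns per service account.
GRANTS = {
    "svc-report-generator": ["storage:Get*", "storage:Put*", "storage:Delete*", "kms:Decrypt"],
    "svc-image-resizer": ["storage:GetObject", "storage:PutObject", "queue:*"],
    "svc-legacy-sync": ["storage:*", "kms:*"],  # nobody remembers what this did
}

# Constructed audit log: one JSON record per line over a 30-day window.
AUDIT_LOG = """\
{"principal": "svc-report-generator", "action": "storage:GetObject", "resource": "reports/2022-05.csv"}
{"principal": "svc-report-generator", "action": "storage:PutObject", "resource": "reports/2022-05.pdf"}
{"principal": "svc-report-generator", "action": "kms:Decrypt", "resource": "key/reports"}
{"principal": "svc-image-resizer", "action": "storage:GetObject", "resource": "uploads/a.png"}
{"principal": "svc-image-resizer", "action": "storage:PutObject", "resource": "thumbs/a.png"}
{"principal": "svc-image-resizer", "action": "queue:ReceiveMessage", "resource": "queue/resize"}
{"principal": "svc-image-resizer", "action": "queue:DeleteMessage", "resource": "queue/resize"}
{"principal": "svc-image-resizer", "action": "storage:GetObject", "resource": "uploads/b.png"}
"""


def used_actions(log_text):
    """Map each principal to the set of actions it actually performed."""
    used = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            used[rec["principal"]].add(rec["action"])
    return used


def _matches(action, pattern):
    # fnmatchcase: "storage:Get*" matches "storage:GetObject" but not "storage:getobject".
    return fnmatch.fnmatchcase(action, pattern)


def audit(grants, used):
    """For each principal: grants never exercised (remove), wildcard grants that
    were exercised (replace with the concrete actions), the minimal policy,
    actions seen in the log without a matching grant (policy/log mismatch), and
    whether the principal was dormant for the whole window."""
    report = {}
    for principal, patterns in grants.items():
        observed = used.get(principal, set())
        exercised = [p for p in patterns if any(_matches(a, p) for a in observed)]
        report[principal] = {
            "dormant": not observed,
            "remove": [p for p in patterns if p not in exercised],
            "tighten": [p for p in exercised if "*" in p],
            "minimal_policy": sorted(observed),
            "used_but_not_granted": sorted(
                a for a in observed if not any(_matches(a, p) for p in patterns)),
        }
    return report


if __name__ == "__main__":
    for principal, findings in audit(GRANTS, used_actions(AUDIT_LOG)).items():
        print(principal, json.dumps(findings, indent=2))
```

On the constructed data the report generator loses `storage:Delete*` outright and has its two wildcards narrowed to `storage:GetObject` and `storage:PutObject`, the resizer keeps its actions but has `queue:*` replaced by the two queue actions it uses, and the legacy account is flagged dormant with every grant removable. Two caveats a practitioner should carry over: the observation window must be long enough to include rare jobs (a quarterly export will not appear in 30 days of logs), so tighten in stages rather than in one step, and a dormant account is a candidate for disabling first and deleting later, not for immediate deletion.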

Network Segmentation

Network segmentation limits how far an attacker can move once a zero-day has given them a foothold on one host. Divide the network into zones (for example user workstations, servers, and management interfaces) and allow across zone boundaries only the traffic each zone genuinely needs, denying everything else by default. An exploited workstation then cannot reach a file server over SMB or a hypervisor's management port unless that path is explicitly permitted, and the blocked attempts themselves become a detection signal. Segmentation also contains worms such as Stuxnet, whose spread depended on being able to reach other hosts on the same network.

Patch Management and Regular Updates

Even though 0-day vulnerabilities don’t have patches at the time of the exploit, deploying the patch as soon as it is released can reduce your risk of getting attacked if not prevent it entirely. Regularly updating your system is also crucial to ensure reduced risk. Previous updates that contain important patches and fixes for similar vulnerabilities can go a long way in preventing the exploitation of new zero-day bugs.
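Deploying a patch quickly presupposes knowing which hosts are still below the fixed version, and version strings are compared wrongly more often than one would expect (12.3 versus 12.3.1, or a pre-release build versus the final one). The following is an added example, not code from the original post or from Threat Intelligence: the inventory is constructed, and the fixed versions are taken from Google’s and Apple’s release notes for the CVEs discussed above rather than from the post itself.

```python
"""Patch-exposure check: which hosts still run a version below the vendor's
fixed build for an in-the-wild zero-day?

Added example, not code from the original post or from Threat Intelligence.
The inventory is constructed. The fixed versions come from the vendors'
release notes for the CVEs discussed in the post, not from the post itself.
"""
import re

# product -> (CVE, first fixed version), per vendor release notes.
ADVISORIES = {
    "chrome": ("CVE-2021-4102", "96.0.4664.110"),
    "macos": ("CVE-2022-22675", "12.3.1"),
    "ios": ("CVE-2022-22675", "15.4.1"),
}

# Constructed inventory: (host, product, installed version as reported by the agent).
INVENTORY = [
    ("ws-01", "chrome", "96.0.4664.110"),
    ("ws-02", "chrome", "96.0.4664.93"),
    ("ws-03", "chrome", "97.0.4692.71"),
    ("ws-04", "chrome", "unknown"),          # agent failed to read the version
    ("mbp-07", "macos", "12.3"),
    ("mbp-08", "macos", "12.3.1"),
    ("ip-11", "ios", "15.4"),
    ("ip-12", "ios", "15.4.1"),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d*))?")


def parse_version(text):
    """Split '96.0.4664.110' into a tuple of ints plus a pre-release marker.
    A pre-release such as '12.3.1-beta.2' sorts below the final '12.3.1'."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    pre = (0, m.group(2), int(m.group(3) or 0)) if m.group(2) else (1, "", 0)
    return numbers, pre


def version_at_least(installed, fixed):
    """True when `installed` is the fixed version or newer. Shorter tuples are
    zero-padded so that 12.3 compares as 12.3.0 (and is therefore below 12.3.1)."""
    a, pre_a = parse_version(installed)
    b, pre_b = parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a, pre_a) >= (b, pre_b)


def exposure(inventory, advisories):
    """Return (exposed, unparseable): hosts below the fixed version, and hosts whose
    version could not be read. The latter are reported rather than silently
    treated as patched, which is the failure mode that hides unpatched machines."""
    exposed, unparseable = [], []
    for host, product, version in inventory:
        if product not in advisories:
            continue
        cve, fixed = advisories[product]
        try:
            if not version_at_least(version, fixed):
                exposed.append((host, cve, version, fixed))
        except ValueError:
            unparseable.append((host, product, version))
    return exposed, unparseable


if __name__ == "__main__":
    exposed, unparseable = exposure(INVENTORY, ADVISORIES)
    for row in exposed:
        print("UNPATCHED", *row)
    for row in unparseable:
        print("UNKNOWN  ", *row)
```

On the constructed inventory, ws-02, mbp-07 and ip-11 come back as unpatched, and ws-04 is listed separately because its version could not be read. The design point is that last list: an inventory job that treats an unreadable version as "not affected" will report a fleet as fully patched while the machines that matter most (the ones whose agent is broken) stay exposed.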

Zero-Day Initiative

Similar to bug bounty programs, the Zero Day Initiative (ZDI), run by Trend Micro, pays security researchers for the vulnerabilities they find and then reports them to the affected vendors under coordinated disclosure, so that a fix can be released before the flaw is widely exploited.

However, even with the above measures in place, you cannot completely eliminate the possibility of an attack. Ensure that you have a well-defined incident response plan and preventive security measures like a modern firewall in place to protect your business.

Conclusion

At least 66 zero-day vulnerabilities exploited in the wild were recorded in 2021, a record high to date and nearly double the number recorded in 2020 (the exact count depends on who is tracking; Google Project Zero's tally, mentioned above, was 58). While more of these vulnerabilities are being identified and patched, the market for them continues to flourish and the attacks keep growing in number and intensity. Unless you take a proactive and holistic approach to your security, you could be the victim of the next cybercrime. At Threat Intelligence, we combine a team of highly-skilled security specialists with security automation capabilities to quickly identify endangered systems and contain the impacts of a major breach. Check out our complete and flexible suite of Managed Security Services that can help you elevate your security posture and help you stay on top of the latest vulnerabilities. 
