Zero-Day Exploits: A Brief History
Of all the types of cybersecurity threats, few are as feared as the zero-day exploit. The term zero-day refers to the fact that the software developer or vendor had no prior knowledge of the vulnerability in question, and so has had zero days to fix it by the time it is exploited. These vulnerabilities can be so valuable that working exploits for widely deployed software are traded for very large sums, reportedly reaching into the millions of dollars, through exploit brokers and underground marketplaces. The term zero-day is often paired with the words vulnerability, exploit, and attack, which mean different things:
A zero-day vulnerability is a flaw in software, firmware, or hardware that security researchers or malicious actors discover before the developer or vendor learns about it. Because the vendor does not know the flaw exists, no patch is available, and an attacker who finds it can exploit it unopposed. Zero-day vulnerabilities that are exploited in the wild are frequently identified only after an attack has occurred, when forensic and incident-response experts investigate the intrusion.
A zero-day exploit is the method a malicious actor uses to attack a system through a zero-day vulnerability. Usually it is code written to trigger the flaw and gain control of the affected program or system.
A zero-day attack is the use of a zero-day exploit to damage a vulnerable system or steal valuable data from it. Zero-day attacks are usually delivered through malware that carries the exploit. Once the attack has been launched, it can be minutes, days, weeks, or months before the vulnerability is discovered, let alone patched.
Why zero-day attacks are so dangerous
As mentioned earlier, developers and vendors are unaware of the vulnerability at the time malicious hackers exploit it, so no patch exists to fix the problem. Attackers are therefore free to execute zero-day attacks against unsuspecting targets.
It can take days, weeks, or even months for a patch to be developed. Users may have no option but to keep running the vulnerable system while they wait for a fix, and their machines and data are exposed to attackers the whole time. Even when a patch is released, many users do not rush to install it, leaving themselves exposed for longer than necessary.
Additionally, zero-day exploits significantly increase the risk for everyday users. Because neither the developers nor the security vendors have seen the exploit before, signature-based antivirus software will not recognize it; only behavioral or heuristic detection has a chance of catching the malware that carries it. While the improved security of modern operating systems and networks has mitigated a host of vulnerability classes, zero-day exploits remain a potent threat.
Malicious actors who carry out zero-day attacks
Those who carry out zero-day attacks fall into the following categories:
Hacktivists – these are hackers motivated by a social or political cause. They want to publicize the attacks to draw attention to the cause.
Cybercriminals – these are hackers whose sole motivation is financial gain.
State-sponsored actors (cyberwarfare) – these are political actors or countries attacking or spying on another country’s cyber infrastructure.
Corporate spies – these are hackers who spy on a company to obtain its confidential information.
Typical targets of a zero-day attack
Zero-day attacks exploit vulnerabilities in several systems such as:
- Web browsers
- Internet of things devices
- Open-source components
- Operating systems
- Hardware and firmware
- Office applications
As such, zero-day attacks can target any of the following potential victims:
- Large businesses and organizations
- Individuals with access to vulnerable business data
- Political targets
- Individuals using vulnerable systems such as operating systems and browsers
- Government agencies
- Hardware devices, firmware, and internet of things devices
Most zero-day attacks are aimed at valuable targets such as government agencies, large organizations, or high-profile individuals. However, attackers also conduct untargeted attacks directed at anyone running a vulnerable system such as a browser or operating system.
Even in targeted zero-day attacks, large numbers of people can be affected as collateral damage. Untargeted attacks aim to extend the exploit's reach to as many people as possible, which makes mass collection of users’ data more likely.
The process of a zero-day attack: the zero-day vulnerability timeline
Now that you know what zero-day attacks are, who the targets are, and why they are so dangerous, let’s delve into the timeline of a zero-day attack.
- First, a software developer creates a system and unknowingly introduces a vulnerability.
- The software is released to the general public.
- A malicious actor discovers the vulnerability in the system.
- The hacker develops a zero-day exploit to take advantage of the vulnerability. They can either choose to deploy it immediately or wait for a more optimal time to attack.
- Once the hackers exploit the vulnerability, security teams at the affected organizations notice the attack, scramble to contain it, and notify the software vendor or developer.
- The vendor, developer, and security researchers warn the public about the vulnerability and the dangers it poses.
- Next, antivirus signatures are released. Antivirus vendors identify the malware being used in the attack and publish signatures for it. However, even when antivirus can now catch and block that particular malware, users must still be careful: the vulnerability itself is unpatched, and other malware can carry the same exploit.
- The vendor finally releases a patch that fixes the vulnerability. How long this takes depends on the complexity of the vulnerability.
- Users can now deploy the patch by installing the software update. This takes time and depends largely on how quickly users apply the update.
Detecting zero-day vulnerabilities
At this point, you may be wondering how hackers find zero-day vulnerabilities. There are several methods they use.
One method is fuzzing. Here, the hacker feeds a program large volumes of automatically generated input, typically random or deliberately malformed data, and watches how it responds. Unexpected input can cause crashes or strange behavior that expose bugs such as an unchecked buffer length. Once a bug is found, the hacker writes code that reliably reproduces it and then builds on it to take control of the program. That code is what we call a zero-day exploit.
Sometimes, a hacker will take a previous exploit and adapt the same technique to newer software. Even when vendors release patches, hackers study them (a practice known as patch diffing) to understand the inner workings of the software, find related vulnerabilities near the one that was fixed, or attack systems that have not yet applied the patch.
It’s not just bad actors who use these methods to discover zero-day vulnerabilities. Software developers follow a similar process during development to detect vulnerabilities before they release the software to the rest of the world. Unit tests covering a host of edge cases help, but fuzzing and stress testing of the whole system are equally important.
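The fuzzing loop described above, both as an attacker runs it against a released program and as a developer runs it before release, is shown here as an added example; it is not the article's code or any real fuzzing tool. A toy binary record parser with a deliberately planted bounds-check bug (hypothetical name parse_record) stands in for the target program, an IndexError from it plays the role of a memory-corruption crash, the seed input is constructed, and parse_record_fixed shows the one-line fix:

```python
"""Mutation fuzzing, as an added illustration for this article (not the
article's code and not a real tool). A toy record parser with a planted
bounds-check bug stands in for the target; an IndexError from it plays the
role of a memory-corruption crash. All names are hypothetical."""
import random

MAX_FIELD = 16  # size of the fixed buffer each field is copied into

# Constructed seed: magic 'RC', one 8-byte field, then trailing bytes the
# parser ignores (they give mutations room to grow a field past the buffer).
SEEDS = [b"RC\x01\x08" + b"A" * 8 + b"B" * 40]


def _parse(data: bytes, check_bounds: bool) -> list:
    """Format: b'RC' | count (1 byte) | count x [len (1 byte) | len bytes].
    ValueError = input rejected cleanly; anything else = crash."""
    if len(data) < 3 or data[:2] != b"RC":
        raise ValueError("bad magic")
    count, pos, fields = data[2], 3, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("truncated field")
        if check_bounds and length > MAX_FIELD:
            raise ValueError("field too long")  # the one-line fix
        buf = bytearray(MAX_FIELD)
        for i in range(length):
            buf[i] = data[pos + i]  # overruns buf once length > MAX_FIELD
        fields.append(bytes(buf[:length]))
        pos += length
    return fields

def parse_record(data: bytes) -> list:
    """Vulnerable parser: field length is never checked against the buffer."""
    return _parse(data, check_bounds=False)

def parse_record_fixed(data: bytes) -> list:
    """Hardened parser: rejects fields longer than the buffer."""
    return _parse(data, check_bounds=True)

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: overwrite, insert, or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=50_000, seed=1):
    """Mutate inputs until target raises something other than ValueError.
    Returns (crashing_input, exception) or (None, None)."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    corpus = list(seeds)
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        try:
            target(child)
        except ValueError:
            continue  # clean rejection, not a bug
        except Exception as exc:
            return child, exc  # crash found
        if len(corpus) < 500:
            corpus.append(child)  # accepted inputs seed later mutations
    return None, None

def minimize(target, crasher: bytes, exc_type) -> bytes:
    """Greedy reducer: drop bytes one at a time while the same crash remains."""
    def still_crashes(d: bytes) -> bool:
        try:
            target(d)
        except exc_type:
            return True
        except Exception:
            return False
        return False

    i = 0
    while i < len(crasher):
        candidate = crasher[:i] + crasher[i + 1:]
        if still_crashes(candidate):
            crasher = candidate  # byte i was not needed; retry same index
        else:
            i += 1
    return crasher

if __name__ == "__main__":
    crasher, exc = fuzz(parse_record, SEEDS)
    small = minimize(parse_record, crasher, type(exc)) if crasher else None
    print("crash:", type(exc).__name__ if exc else None, "reproducer:", small)
```

Running the script prints the crash type and a shrunken reproducer such as a 21-byte record whose length byte claims 17 bytes for a 16-byte buffer; feeding that reproducer to parse_record_fixed yields a clean ValueError instead. Real fuzzers (AFL++, libFuzzer) add coverage feedback and sanitizers to the same loop, but the structure is the one shown: mutate, run, watch for crashes, minimize, then fix and re-fuzz.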
There are several things that developers look for that help them identify zero-day vulnerabilities. These include:
- Abnormal behavior of software – developers study how applications responded to previous exploits and apply that knowledge to new products.
- Trends – many attacks happen soon after an update. Microsoft, for example, ships fixes on a monthly cycle, so an attacker who deploys an exploit right after an update knows there is roughly a month before the next scheduled release can patch the problem. Developers can use statistics from previous attacks to anticipate future zero-day attacks.
- Signatures of previous vulnerabilities – the same bug patterns tend to recur. Developers can scan code for these patterns, locate the vulnerability, and remove it before an attack is launched.
Examples of top zero-day vulnerabilities in recent history
2020: Zoom
In 2020, researchers discovered a vulnerability in Zoom, a popular video conferencing tool. It allowed an attacker to execute code on the PC of a Zoom user who was still running an old, unsupported version of Windows. If the user was running Zoom with administrator privileges, the attacker could take over the machine and all of its files.
2020: Apple iOS
In 2020, Apple iOS was hit by a series of zero-day attacks. One of them involved a zero-day bug that enabled hackers to compromise iPhones remotely.
2019: Microsoft Windows
In 2019, hackers took advantage of a local privilege escalation vulnerability in Microsoft Windows. The attacks were mostly aimed at government institutions in Eastern Europe. The exploit was used to run arbitrary code, install programs, and view and change data on compromised machines.
Fortunately, the attack was identified and reported to Microsoft, and a patch for the vulnerability was soon rolled out.
2017: Microsoft Word
In 2017, a zero-day exploit delivered in a malicious Word document was used to compromise the personal bank accounts of people who opened it. The document asked the user to 'load remote content' and then displayed a pop-up requesting permission for another program to run. Once the user clicked yes, malware was installed on the device and used to capture banking login details.
How to protect your business from zero-day attacks
The best way to protect yourself and your business from zero-day attacks is to follow cybersecurity best practices such as:
Keep all operating systems and software updated
Whenever a vulnerability is discovered, developers and vendors ship the security patch in a software update. If you fail to install the latest version, you remain at risk from attackers exploiting a flaw that is now public knowledge.
Use only essential applications
The more software you install on your devices, the larger your attack surface and the more likely you are to fall prey to a zero-day attack. To reduce the risk, install only the software you need.
Use a firewall
Firewalls are crucial for limiting what a zero-day attack can reach. Keep your firewall's software or firmware up to date and restrict its rules to the traffic you actually need, so that an exploit which lands on one machine cannot freely reach other systems or call home.
In addition to a firewall, use up-to-date antivirus or endpoint protection software. Signature-based detection blocks known threats; behavioral and heuristic detection can also catch some unknown ones by flagging suspicious activity, which is what gives you a chance against a zero-day.
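To make the difference between signature-based and behavioral detection concrete, and to show the kind of activity the 2017 Word example above produces on an endpoint, here is an added example that is not part of the original article. The process-creation events are constructed to resemble EDR or Sysmon telemetry; every host name, path, hash and command line is made up, and the rule and function names are hypothetical:

```python
"""Added example (not from the article): a file-hash signature misses a
never-seen zero-day payload, while a behavior rule still catches it.
Telemetry, hashes, hosts and paths below are all constructed."""
import hashlib
import re
from pathlib import PureWindowsPath


def _h(label: str) -> str:
    """Constructed stand-in for a file's SHA-256 (hash of a label string)."""
    return hashlib.sha256(label.encode()).hexdigest()

# Signature database: hashes of samples seen in earlier campaigns.
KNOWN_BAD_SHA256 = {_h("old dropper v1")}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# "-enc <base64 blob>" style PowerShell arguments.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

# Constructed telemetry, one event per line:
# timestamp|host|parent image|image|sha256 of image|command line
SAMPLE_LOG = "\n".join("|".join(e) for e in [
    ("2020-04-07T09:14:51Z", "WS-17", r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     _h("winword"), '"WINWORD.EXE" C:\\Users\\ana\\Downloads\\invoice.docx'),
    ("2020-04-07T09:15:02Z", "WS-17",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     _h("zero-day payload"),  # hash nobody has catalogued yet
     "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("2020-04-07T09:20:33Z", "WS-22", r"C:\Windows\explorer.exe",
     r"C:\Users\bo\AppData\Local\Temp\update.exe", _h("old dropper v1"),
     "update.exe /silent"),
    ("2020-04-07T09:21:10Z", "WS-17",
     r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", _h("chrome"),
     "chrome.exe https://example.com/"),
])


def parse_event(line: str) -> dict:
    """Split one pipe-delimited telemetry line into named fields."""
    ts, host, parent, image, sha256, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "parent": parent, "image": image,
            "sha256": sha256, "cmdline": cmdline}

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def signature_match(ev: dict) -> bool:
    """Classic AV-style check: is the file hash on the known-bad list?"""
    return ev["sha256"] in KNOWN_BAD_SHA256

def behaviour_match(ev: dict) -> list:
    """Behavior rules that need no prior knowledge of the payload itself."""
    hits = []
    if _name(ev["parent"]) in OFFICE_APPS and _name(ev["image"]) in INTERPRETERS:
        hits.append("office_app_spawned_interpreter")
    if _name(ev["image"]) == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]):
        hits.append("encoded_powershell_command")
    return hits

def triage(log_text: str) -> list:
    """Run both detections over every event; one verdict dict per line."""
    verdicts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        verdicts.append({"ts": ev["ts"], "host": ev["host"],
                         "image": _name(ev["image"]),
                         "signature": signature_match(ev),
                         "behaviour": behaviour_match(ev)})
    return verdicts

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        flag = "ALERT" if v["signature"] or v["behaviour"] else "ok   "
        print(flag, v["ts"], v["host"], v["image"],
              "sig" if v["signature"] else "-", ",".join(v["behaviour"]) or "-")
```

In this constructed log the old dropper on WS-22 is caught by its hash, while the Word-spawned PowerShell on WS-17, whose payload hash appears in no database, is caught only by the parent/child and encoded-command rules. Outlook opening Chrome trips neither rule, which is the precision such rules need to be usable at scale.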
Protecting your organization against zero-day vulnerabilities and attacks is critical to the integrity of your data. Stay vigilant about the developing tactics and methods attackers use, and remember that zero-day vulnerabilities are not just an issue for your organization; they affect all end users.
Overall, make education, preparation, and swift response to zero-day vulnerabilities a company-wide concern. Everyone from executives to staff should be involved in the education and preparation process. Alongside the National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency (CISA), we invite you to celebrate Cybersecurity Awareness Month this October by raising awareness of the importance of cybersecurity. Onyx Government Services is strategically positioned to give you the solutions and insights you need to strengthen your organization’s security posture today and in the future.