Cyber threats and attacks are a growing problem for businesses as the number of vulnerabilities keeps increasing. By some estimates, the volume of global malware has grown 58% year on year and the volume of spam by more than a third over the past 12 months. These issues make it harder for employees to focus on their actual work, and zero-day attacks are one of the hardest such challenges for security teams around the world.
As more and more people rely on technology in their everyday lives, the risks posed by zero-day threats grow with them. What is a zero-day attack? This guide covers what you need to know about these dangerous security issues.
What are zero day attacks?
Zero-day attacks are those in which an attacker exploits a vulnerability before the vendor has released a fix for it. They are called "zero-day" because the vendor has had zero days to address the flaw at the point exploitation begins. Developing a reliable exploit for a specific piece of software takes time and effort, so attackers generally only invest in one if the reward justifies it.
Protecting against zero-days is hard because there are no anti-virus signatures, no definitions for security devices and no patch. Often, though, a workaround exists, published either by the security research community or by the vendor, depending on how proactive the vendor is.
The risk a zero-day vulnerability carries depends on how exposed the affected asset is. For instance, during the COVID-19 pandemic several zero-day remote code execution (RCE) bugs were found in Internet-facing perimeter security devices. Cases like these are a race against time for the vendor to ship a patch, or at least a quick workaround, and the urgency comes entirely from the attack surface being directly exposed to cybercriminals.
The security community has had plenty of ups and downs to get this far. Initiatives such as the Zero Day Initiative (ZDI), launched in 2005, encourage researchers to report 0-days privately to the affected vendor by rewarding them financially. Back then the perception was that reporting a company's flaws to it could attract legal threats, which discouraged many researchers from openly helping businesses fix them. Initiatives such as ZDI have contributed greatly by supporting the research community while bringing affected vendors to the table to fix their flaws responsibly.
Zero-day vulnerability timeline
2010: Stuxnet was discovered, by the Belarusian anti-virus firm VirusBlokAda rather than by the Iranian government. It used four Windows zero-days and sabotaged centrifuges at Iran's Natanz uranium-enrichment facility by manipulating the Siemens industrial controllers that drove them. It is widely regarded as the first malware built specifically to damage critical-infrastructure control systems rather than for financial gain.
A cyber-espionage campaign was reported that used zero-days in Internet Explorer, PDF readers and Flash against companies in Europe and the Middle East connected to arms trading or oil supply chains. Russian, Chinese or Iranian involvement was speculated, but no evidence ever established the true source of the attacks.
Android malware that stole money from PayPal users was reported by Kaspersky Lab. It reportedly abused a flaw in the platform's handling of Flash content to escape the sandbox and install additional apps on victims' phones without their knowledge or consent. Around a quarter of a million people were said to have been affected.
A zero-day was found being exploited in the wild against iOS devices to track their location and install additional programs. Around 25,000 users were reportedly affected before Apple issued a software update, and the episode prompted other vendors to take security vulnerabilities more seriously.
2013: NSA contractor Edward Snowden leaked documents on the agency's surveillance programmes, including details of how it used exploits for popular software such as Internet Explorer, Adobe Flash and Windows to gain access to targets' computers. The material was so sensitive that many experts spoke of a new era of cyber warfare.
2014: The first documented Android ransomware that encrypted users' data and demanded payment for decryption appeared. Around 50,000 users were reportedly affected. Note that this kind of ransomware relies on the victim installing a trojanised app, not on a zero-day.
The takeovers of high-profile social media accounts such as Mark Zuckerberg's in 2016 and Jack Dorsey's in 2019 are sometimes attributed to a zero-day in Twitter's Periscope streaming service that let attackers inject code into users' browsers. Neither actually involved a zero-day: Zuckerberg's accounts were opened with a password reused from the LinkedIn breach, and Dorsey's Twitter account was hijacked through SIM swapping.
2017: WannaCry ransomware spread using EternalBlue, an exploit for SMBv1. It was not a zero-day at the time: Microsoft had patched the flaw (MS17-010) two months earlier, but so many systems were still unpatched that well over 200,000 were infected, and Microsoft issued emergency patches for out-of-support Windows XP and Server 2003 to slow the spread. These examples show why companies need security controls that do not depend on a patch or signature already existing.
Ransomware targeting Linux servers has also been documented. Such attacks have typically gained entry through weak credentials or known, unpatched web-application flaws rather than zero-days, although the scale of some incidents led experts to suggest state or nation-state involvement.
Zero-day exploit chains against Apple's mobile operating system, iOS, that gave attackers access to users' messages, photos and contacts have been found in the wild and patched by Apple. The installed base they threatened numbered in the tens of millions of iPhones, which is why Apple pushes such fixes quickly. Zero-day attacks pose a serious threat to businesses and individuals alike, and protection has to come from layered controls rather than from a single product such as antivirus software, which by definition has no signature for an unknown exploit.
Jailbreaking of iPhone devices, and the exploit research behind it, is a big topic in its own right given the pace of attacks on iPhone users.
What are zero-day vulnerabilities?
A zero-day vulnerability is a technical weakness in software that can be exploited to launch a zero-day attack against an application or system. Zero-days are not a theoretical concern: their use has increased sharply in recent years as both cybercriminals and state actors actively hunt for and buy them.
Software vendors often do not know a zero-day vulnerability exists until it is being actively exploited, which means no patch is available. In other cases, vendors are notified under a vulnerability disclosure policy by researchers or companies reporting the issue specifically so that the manufacturer or developer can work on a fix.
In the past it has taken vendors months or even years to develop and distribute a fix. This is what makes zero-day vulnerabilities so dangerous: the window of exposure is long, and they are typically used in targeted attacks by adversaries with extensive knowledge of their victim's systems.
A typical attack sends the victim a specially crafted file by email or instant messaging. The exploit may be embedded in an image, document or video, or may target a vulnerability in a browser plug-in such as Flash Player, Adobe Reader or Java. Flash reached end of life at the end of 2020 and modern browsers no longer load such plug-ins, so today the equivalent targets are the browser engine itself and document viewers.
What are zero-day threats?
A zero-day threat is the standing risk posed by an unknown flaw in your software, service or device. In practice the term usually refers to malware that uses a zero-day vulnerability to infect a victim's computer and take complete control of it. The infection starts with an attachment or link sent by the attacker, which may be disguised as an email from someone you know or hosted on a familiar website.
Not patching systems regularly leaves us exposed long after a zero-day stops being one: once a fix ships, any system still missing it is an easy target.
What is a zero-day exploit?
A zero-day exploit is code or malware that takes advantage of a previously unknown security weakness, i.e. a vulnerability. Zero-days are so named because the developer or software vendor knows nothing about them until they are already being used against victims.
Knowledge of new exploits usually comes from bug reports submitted by researchers who discover the flaws independently. By some estimates a new zero-day vulnerability appears in the wild every week on average; Google Project Zero publicly tracks zero-days detected as exploited in the wild, which gives a more grounded count.
What should I do if infected?
Firstly, for most of us a zero-day attack is handled no differently from any other incident. Secondly, zero-day attacks are not as common as the media portrays them. Attacks that genuinely involve a zero-day and legitimately threaten a service, software or device are few and far between. Most of the time an incident is wrongly labelled a zero-day or an advanced persistent threat (APT) simply because something unusual has happened to the affected systems.
In line with your defensive strategy, calling on incident response and containing the affected assets are the basics. Beyond that, we can reduce our exposure to zero-day malware by keeping systems current with security patches, and by not clicking suspicious links or attachments even when they appear trustworthy, since this may be part of a social-engineering tactic used to gain access to our systems.
How do I protect myself against zero-day attacks?
Technically, there is no specific defence against a vulnerability nobody knows about yet, which is why zero-day attacks succeed so often. What does exist is a set of generic controls that make exploitation harder or contain its impact: exploit mitigations such as ASLR and DEP, least privilege, network segmentation, attack-surface reduction and behavioural detection.
The advice to patch your systems and keep them up to date, however often you read it, is not a solution to zero-days: how can we patch something we are not yet aware of? Patching keeps systems in shape on an ongoing basis and closes the window once a fix ships, but a patch-only approach has clear limits in this scenario. Patches are good; a patch-only approach is not enough. It is reactive by nature, it does nothing to prevent the next unknown bug, it leaves the SOC chasing alerts, and hastily pushed mitigations can disrupt the business or hurt performance, as the early Spectre and Meltdown microcode and operating system updates did when they had to be withdrawn because of unexpected reboots.
What are some of the most recent zero-day attacks?
Meltdown and Spectre
Meltdown and Spectre are two serious CPU vulnerabilities disclosed in early 2018 that affected billions of devices. They allow malicious software to read sensitive data from a system's memory (e.g. private files, passwords) across the isolation boundaries the processor is supposed to enforce. Strictly speaking they were not exploited as zero-days: they were disclosed under a coordinated embargo with mitigations prepared, and their relevance here is the cost of rushed mitigations.
WannaCry
In May 2017, WannaCry was a ransomware outbreak that infected over 200,000 Windows PCs in 150 countries. The malware encrypted files on the hard drive, making them inaccessible, and victims were urged to pay a ransom in bitcoin to decrypt them. The outbreak was driven by the EternalBlue exploit for SMBv1, which had been leaked publicly the month before. Microsoft had released a fix against it before the outbreak, but users were slow to apply it, and the resulting losses were estimated at $4 to $8 billion.
Shellshock
Back in 2014, a bug known as Shellshock (CVE-2014-6271) was discovered in Bash: when importing a function definition from an environment variable, Bash also executed any commands appended after the function body. This allowed an attacker to remotely exploit anything that passed attacker-controlled data to Bash through the environment, such as CGI web servers and DHCP client hooks, and it affected a huge range of Linux-based laptops, servers and embedded devices.
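As an added example, not part of the original article, here are two post-disclosure checks for the bugs just discussed, written in POSIX shell. The first reads the Linux kernel's Meltdown/Spectre mitigation status from sysfs (an interface present since kernel 4.15; the optional directory argument is an added convenience so the logic can be exercised against a copy of the files). The second is the classic harmless probe for Shellshock: it feeds bash a function definition with a trailing command and reports whether the trailing command ran. Both assume a Unix-like host with `bash` on the PATH for the second check.

```shell
#!/bin/sh
# Added example, not from the original article: two post-disclosure checks
# for the bugs discussed above.

# Meltdown/Spectre: Linux kernels since 4.15 report mitigation state in
# /sys/devices/system/cpu/vulnerabilities/<name>. A file whose content
# starts with "Vulnerable" means the kernel has no active mitigation.
# Optional directory argument (assumption for testing); returns 0 if all
# mitigated, 1 if any vulnerable, 2 if the interface is absent.
cpu_vuln_status() {
  dir=${1:-/sys/devices/system/cpu/vulnerabilities}
  [ -d "$dir" ] || { echo "unsupported"; return 2; }
  rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    f="$dir/$name"
    [ -r "$f" ] || continue
    status=$(cat "$f")
    printf '%s: %s\n' "$name" "$status"
    case "$status" in
      Vulnerable*) rc=1 ;;
    esac
  done
  return $rc
}

# Shellshock (CVE-2014-6271): a vulnerable bash, when importing a function
# definition from an environment variable, also executes whatever follows
# the closing brace. Anything that hands attacker-controlled data to bash
# via the environment (a CGI server exporting HTTP_USER_AGENT, a DHCP
# client hook) was therefore remotely exploitable. The probe is harmless:
# the payload only echoes a marker. Prints "vulnerable", "patched" or
# "no-bash" and returns 1, 0 or 2 respectively.
check_shellshock() {
  command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
  out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable"; return 1 ;;
    *) echo "patched"; return 0 ;;
  esac
}
```

Run `cpu_vuln_status` and `check_shellshock` on the host you are assessing. A patched bash prints a warning about ignoring the function definition (suppressed here) and runs only the intended `echo probe`, so the marker never appears.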
There are online resources that help us stay up to date on zero-day threats, including this blog at Cyphere. We should also run security software that detects emerging malware by its behaviour rather than by signature alone, and perform regular scans to catch any infection that got through.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.