While zero-day attacks aren’t the most common cause of data breaches, that doesn’t mean they can’t have an effect on your company in other ways.
A zero-day attack is, by definition, one you could not have prepared for: it exploits a flaw that nobody has patched yet.
We talk about the risks of cyber threats all day in the cybersecurity industry, and how we need to harden our defences against known attacks. But what can you do to defend yourself from a danger you might not even be aware of (or have just recently discovered)?
What is a Zero Day Vulnerability, Zero Day Exploit, or Zero Day Attack?
Okay, there are a lot of buzzwords around zero day: zero day vulnerability, zero day hack, zero day attack, n-day attack, and so on. Be aware that these terms are not synonymous; they have similar but distinct meanings. Let’s break them down, beginning with zero-day vulnerabilities, to get a better understanding of what each term means.
Zero Day Vulnerability
A zero-day vulnerability is a flaw in your defences that you may or may not be aware of. It is something an attacker could use, but the vulnerability itself is not the attack. The name refers to the number of days the vendor has had to fix it: zero. The flaw may be entirely unknown to the vendor, or it may already have been reported (privately by researchers, or publicly) but not yet patched.
That is the challenge. A zero-day vulnerability can exist in software, firmware, or hardware, and includes things like:
- Flaws in operating systems.
- Bugs in popular (and lesser known) software applications.
- Critical holes in firmware.
Trend Micro notes that once an update or patch is released for the vulnerability, it is no longer considered a zero-day vulnerability and is instead referred to as an “n-day” vulnerability. Some websites and organisations, on the other hand, group zero-day and n-day attacks together because both are exploited by threat actors, and an n-day is only harmless once you have actually applied the patch.
Zero Day Attack (or Zero Day Exploit, Zero Hour Attack, etc.)
A zero-day attack, on the other hand, refers to leveraging an unpatched vulnerability, whether undisclosed or publicly disclosed, for malicious purposes.
A zero day attack, according to the National Institute of Standards and Technology (NIST), is “an attack that exploits a previously unknown hardware, firmware, or software vulnerability.” It’s a more sophisticated form of cyber attack in which a cybercriminal exploits a security bug before you have a chance to fix it. (This is why the words “zero day attack” and “zero day hack” are often used interchangeably.)
This form of exploit or attack is also well described by Trend Micro:
“When hackers or threat actors successfully develop and deploy proofs of concept (PoCs) or an actual malware that exploits the vulnerability while the vendor is still working on rolling out a patch (or sometimes, unaware of the vulnerability’s existence), it becomes a zero-day exploit or attack.”
In essence, the distinction between these terms can be visualised quite simply. Assume that your company is protected by a strong, reinforced concrete wall. A zero-day vulnerability is a crack or void in the wall that you haven’t found yet. When an adversary mounts an assault and gets through that crack, that is a zero-day exploit or attack.
What Makes Zero Day Attacks Such a Threat
According to FireEye Mandiant Threat Intelligence, “more zero-days were abused in 2019 than in any of the previous three years.”
It’s almost impossible to avoid zero-day attacks entirely. Why? Because a zero-day attack is, by definition, one that takes advantage of a vulnerability you are unaware of or have only just discovered. When you don’t know a punch is coming, how can you block it? This is where the people described in the next section come in.
But first, it’s necessary to remember that zero-day vulnerabilities aren’t responsible for the overwhelming majority of data breaches. Rather, the majority of breaches (and ransomware attacks) are caused by:
- Poor cybersecurity hygiene,
- A severe failure to implement updates and patches, and a
- General lack of cyber awareness amongst employees and other end users.
Who Discovers Zero-Day Exploits?
Is it a little facetious to say “anyone”? Finding zero-day bugs and working out how to exploit them isn’t something that only the “good guys” or “bad guys” do. Even ordinary, tech-savvy end users come across security flaws.
In fact, many people — vendors, researchers, bug bounty hunters, individual black/white/grey hat hackers, and hacker groups — look for zero day vulnerabilities in the wild that can be exploited. Trend Micro also has a division dedicated to tracking down these vulnerabilities and providing security vulnerability advisories called the Zero Day Initiative (ZDI).
Bug bounty hunting can be a lucrative business. For example, in 2019, ZDI reported awarding bug hunters more than $1.5 million in cash and other prizes. In 2019, the efforts of those concerned culminated in the issuance of 1,035 advisories. These figures will, of course, shift during 2020, as vulnerabilities discovered in late 2019 will result in advisories in 2020. However, the number of advisories is lower than the 1,450 issued in 2018.
According to the FireEye Mandiant Threat Intelligence research cited earlier:
“While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East, and/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.”
How Zero Day Exploits Are Identified
You’ve probably noticed that most vulnerabilities are assigned identifiers that begin with CVE (CVE-2020-1234, CVE-2019-12345, and so on). But what do these identifiers mean, and who assigns them?
Who’s Responsible for Naming Common Vulnerabilities and Exposures
CVE Numbering Authorities (CNAs) are organisations authorised to assign CVE identifiers to vulnerabilities. In effect, they have been granted the ability to rubber stamp a common vulnerability or exposure (CVE) with an official ID number. These IDs are then used by a range of people, including vendors, analysts, and vulnerability disclosers, to identify a vulnerability in its first public announcement, so that everyone is talking about the same bug.
According to the MITRE website, there are 128 CNAs from 21 different countries as of May 28, 2020. The vast majority of them — 77 — are found only in the United States.
What’s in a Name: Let’s Take a Closer Look at CVE Naming Conventions
Let’s take a look at the CVE-2020-1234 naming convention in more detail:
- CVE stands for “Common Vulnerabilities and Exposures”
- The next four-digit component is the year in which the CVE ID was assigned or the vulnerability was made public (not necessarily the year it was discovered)
- The final component, four or more digits, is the sequence number that identifies the specific vulnerability within that year (before 2014 it was fixed at four digits, which is why older IDs are never longer)
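As an added example (not from the original article), here is a small Python parser that applies these naming rules: it pulls CVE IDs out of free text such as an advisory, rejects malformed ones, normalises case, deduplicates and sorts them by year and sequence number. The advisory text is constructed for the example.

```python
"""Parse and validate CVE identifiers (added example, constructed input)."""
import re
from collections import defaultdict

# CVE-<year>-<sequence>: four-digit year, sequence of four or more digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def _valid_sequence(seq):
    # Sequence numbers longer than four digits never carry leading zeros,
    # so CVE-2014-01234 is malformed while CVE-2014-0123 is fine.
    return len(seq) == 4 or seq[0] != "0"


def parse_cve_id(text):
    """Return (year, sequence) for one well-formed CVE ID, else raise ValueError."""
    m = CVE_RE.fullmatch(text.strip())
    if not m or not _valid_sequence(m.group(2)):
        raise ValueError("not a CVE ID: %r" % text)
    return int(m.group(1)), int(m.group(2))


def extract_cves(text):
    """All distinct CVE IDs in free text, canonical form, sorted by year then sequence."""
    found = set()
    for m in CVE_RE.finditer(text):
        if _valid_sequence(m.group(2)):
            found.add((int(m.group(1)), int(m.group(2))))
    return ["CVE-%d-%04d" % (year, seq) for year, seq in sorted(found)]


def group_by_year(cve_ids):
    """Bucket canonical CVE IDs by the year component."""
    by_year = defaultdict(list)
    for cve in cve_ids:
        year, _ = parse_cve_id(cve)
        by_year[year].append(cve)
    return dict(by_year)


# Constructed sample advisory text, not a real vendor notice.
ADVISORY = """Fixes cve-2019-1132 and CVE-2020-0601; also addresses
CVE-2017-0144 (MS17-010), CVE-2020-9054, CVE-2019-3568, and CVE-2020-0601 again.
Not valid IDs: CVE-20-1234, CVE-2014-01234."""

if __name__ == "__main__":
    ids = extract_cves(ADVISORY)
    print(ids)
    print(group_by_year(ids))
```

The same regex is what most ticketing and vulnerability-management integrations use to link advisories to tracked CVEs; the leading-zero rule is the detail they usually get wrong.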
Products that can be assigned a CVE ID include:
- Software (both closed and open source),
- Cloud and software as a service offering, and/or
- Protocols, standards, and APIs.
If only one product is affected, the flaw gets a single CVE ID. If several products have separate bugs, each is treated as a separate vulnerability with its own ID. However, many products share code, so if several products contain the same vulnerable code, they are grouped together under a single shared CVE ID.
If a CNA is uncertain whether several products really share the same code, the safer course is to assign separate CVE IDs.
Where to Find the List of Known CVEs
You can look up individual CVE entries on the MITRE CVE List website. The same CVEs also appear in NIST’s National Vulnerability Database (NVD), which adds severity scores (CVSS) and affected-product data to each entry.
Examples of recent or newly found zero-day vulnerabilities
Let’s look at three examples of crucial zero-day vulnerabilities now that you know what a zero-day vulnerability is and how it functions.
1. Windows 10 Vulnerability Spoofs Authentication in Executables
In January 2020, Microsoft patched a critical flaw (CVE-2020-0601) reported to it by the National Security Agency (NSA) in the Windows CryptoAPI (crypt32.dll). It affects the cryptographic functionality of 32- and 64-bit Windows 10, as well as specific versions of Windows Server.
The vulnerability lies in how Windows CryptoAPI validates elliptic curve cryptography (ECC) certificates: it did not properly check the curve parameters carried in a certificate, so a certificate built with attacker-chosen parameters could appear to chain to a trusted root. The danger is that an attacker can exploit this by signing an executable with a spoofed code-signing certificate to deceive unsuspecting users (the same flaw also affects TLS certificate validation). Of course, attackers can’t do it all by themselves; they’d need a victim to run or open the signed file for the attack to work.
What’s the end result? The signed file appears to have come from a reliable and trustworthy source. Microsoft, thankfully, was swift to issue an alert and patch the vulnerability.
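To see why matching a root by public key alone is dangerous, here is an added example (not Microsoft’s code or the original article’s) that models the mistake with real P-256 arithmetic. The “certificates” are plain dicts; the CA private key, the attacker’s key and the signing nonce are constructed values; and `verify_signed_file` stands in for CryptoAPI’s chain-building step. The attacker keeps the trusted root’s public key byte-for-byte but supplies their own generator, chosen so that a private key they know produces that same public key.

```python
"""Model of the CVE-2020-0601 trust-matching mistake on real P-256 (added example)."""
import hashlib

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
P256 = {"p": P, "a": A, "b": B, "n": N, "G": G}   # what the named-curve OID stands for


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ecdsa_sign(d, z, k, curve):
    r = ec_mul(k, curve["G"])[0] % curve["n"]
    s = pow(k, -1, curve["n"]) * (z + r * d) % curve["n"]
    return (r, s)


def ecdsa_verify(Q, z, sig, curve):
    r, s = sig
    n = curve["n"]
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    point = ec_add(ec_mul(z * w % n, curve["G"]), ec_mul(r * w % n, Q))
    return point is not None and point[0] % n == r


def verify_signed_file(presented_root, file_hash, sig, trusted_roots, strict):
    """Chain presented_root to the trust store, then verify the file signature.
    strict=False models the bug: the root is matched by public key only and the
    curve parameters carried by the presented certificate are used as they are."""
    for root in trusted_roots:
        if root["Q"] != presented_root["Q"]:
            continue
        if strict and root["curve"] != presented_root["curve"]:
            return False   # same key bytes but different parameters: a forgery
        return ecdsa_verify(presented_root["Q"], file_hash, sig, presented_root["curve"])
    return False


def demo():
    d_ca = 0x2a7b9e41c4d3f0a65e8b1d2c7f9e0a1b3c5d7e9f0a2b4c6d8e0f1a3b5c7d9e1f   # constructed CA key
    trusted = [{"curve": P256, "Q": ec_mul(d_ca, G)}]
    # Attacker: pick any private key d', then set G' = d'^-1 * Q_ca so that d' * G' == Q_ca.
    d_evil = 0xC0FFEE
    evil_curve = dict(P256, G=ec_mul(pow(d_evil, -1, N), trusted[0]["Q"]))
    evil_root = {"curve": evil_curve, "Q": trusted[0]["Q"]}
    z = int.from_bytes(hashlib.sha256(b"constructed malicious.exe").digest(), "big")
    sig = ecdsa_sign(d_evil, z, 0x1d2c3b4a5f6e7d8c, evil_curve)   # fixed nonce, demo only
    return (verify_signed_file(evil_root, z, sig, trusted, strict=False),
            verify_signed_file(evil_root, z, sig, trusted, strict=True))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The fix in real verifiers is the `strict` branch: a root is only a match when its public key and its full parameter set agree, and in practice certificates carrying explicit (non-named) curve parameters are rejected outright.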
2. Netgear Zero-Day Firmware Flaw Leaves Routers Open to Takeover
ZDI researchers reported an unpatched zero-day vulnerability in Netgear router firmware to the vendor in January 2020. Initially thought to affect only the R7000 router series, it was later found by Adam Nichols, a researcher at the security firm GRIMM, to affect “79 Netgear devices and 758 firmware images that included a compromised copy of the web server.”
Nichols explains the weakness in his blog post on SOHO system exploitation:
“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 220.127.116.11 and the R6300v2 firmware versions 18.104.22.168-22.214.171.124 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable. This is just one more example of how SOHO device security has fallen behind as compared to other modern software.”
To remedy some of the bugs, Netgear recently announced hotfixes for some of their routers. “Until a firmware patch for your product is available, NETGEAR recommends that you follow the workarounds and best practices in this advisory,” they add.
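The quickest way to check whether a firmware binary was built with stack cookies is to look for the stack-protector runtime in its symbol tables. The following is an added example, not GRIMM’s or Netgear’s code: a dependency-free ELF symbol-table reader in Python that reports whether `__stack_chk_fail` (or the related guard symbols) is referenced, handling 32- and 64-bit and both byte orders since router firmware is often 32-bit ARM or big-endian MIPS. The `build_test_elf` fixture builds a constructed minimal ELF so the check can be exercised offline.

```python
"""Does a firmware ELF reference the stack-cookie runtime? (added example)"""
import struct

SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
# Symbols emitted by -fstack-protector builds (glibc, uClibc and musl variants).
CANARY_SYMBOLS = {b"__stack_chk_fail", b"__stack_chk_guard", b"__stack_chk_fail_local"}


def elf_symbols(data):
    """Yield every symbol name from the SHT_SYMTAB and SHT_DYNSYM sections."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        shoff = struct.unpack_from(end + "Q", data, 40)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 58)
        sh_fmt, sym_fmt = end + "IIQQQQIIQQ", end + "IBBHQQ"   # Elf64_Shdr, Elf64_Sym
    else:
        shoff = struct.unpack_from(end + "I", data, 32)[0]
        shentsize, shnum = struct.unpack_from(end + "HH", data, 46)
        sh_fmt, sym_fmt = end + "IIIIIIIIII", end + "IIIBBH"   # Elf32_Shdr, Elf32_Sym
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]   # linked string table
        strtab = data[str_off:str_off + str_size]
        for off in range(sh_offset, sh_offset + sh_size, struct.calcsize(sym_fmt)):
            st_name = struct.unpack_from(end + "I", data, off)[0]   # st_name is first in both layouts
            if st_name:
                yield strtab[st_name:strtab.index(b"\0", st_name)]


def has_stack_cookies(data):
    """True if the binary references the stack-protector runtime."""
    return any(name in CANARY_SYMBOLS for name in elf_symbols(data))


def build_test_elf(symbol_names, bits=64, little=True):
    """Constructed fixture: a minimal ELF holding only .symtab/.strtab/.shstrtab."""
    end, is64 = ("<" if little else ">"), bits == 64
    sym_fmt = end + ("IBBHQQ" if is64 else "IIIBBH")
    strtab, symtab = b"\0", bytes(struct.calcsize(sym_fmt))   # index 0 and the null symbol
    for name in symbol_names:
        fields = (len(strtab), 0x12, 0, 0, 0, 0) if is64 else (len(strtab), 0, 0, 0x12, 0, 0)
        symtab += struct.pack(sym_fmt, *fields)
        strtab += name + b"\0"
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"
    ehsize = 64 if is64 else 52
    off_sym, off_str = ehsize, ehsize + len(symtab)
    off_shs = off_str + len(strtab)
    shoff = off_shs + len(shstrtab)
    sh_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    shdrs = [(0,) * 10,
             (1, SHT_SYMTAB, 0, 0, off_sym, len(symtab), 2, 1, 8, struct.calcsize(sym_fmt)),
             (9, SHT_STRTAB, 0, 0, off_str, len(strtab), 0, 0, 1, 0),
             (17, SHT_STRTAB, 0, 0, off_shs, len(shstrtab), 0, 0, 1, 0)]
    shtab = b"".join(struct.pack(sh_fmt, *s) for s in shdrs)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + bytes(9)
    ehdr = ident + struct.pack(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"),
                               1, 0, 1, 0, 0, shoff, 0, ehsize, 0, 0,
                               struct.calcsize(sh_fmt), len(shdrs), 3)
    return ehdr + symtab + strtab + shstrtab + shtab


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_test_elf([b"strcpy", b"printf"], bits=32, little=False)
    print("stack cookies:", has_stack_cookies(data))
```

Run it over every binary extracted from a firmware image (after unpacking with a tool such as binwalk) to get the per-image picture Nichols describes; a stripped binary that is statically linked keeps the guard code but may lose the symbol, so a negative result on a stripped static binary should be confirmed by disassembly.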
3. Zyxel Vulnerabilities Within Firmware for NAS and Firewall Solutions
Brian Krebs of Krebs on Security reported in February 2020 that Zyxel firewalls and network attached storage (NAS) devices shared a critical zero-day vulnerability.
CVE-2020-9054 is a pre-authentication command injection vulnerability in the web interface of specific firmware versions. Because unauthenticated input reaches an OS command, the bug allows attackers to remotely execute arbitrary commands on affected devices.
According to Zyxel’s revised security advisory, the flaw also affected UTM, ATP, and VPN firewalls running firmware versions ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2. Firmware versions prior to ZLD V4.35 Patch 0 were not affected.
The issue is that, while Zyxel released patches for affected models that were still supported, owners of legacy systems got only a workaround:
“For affected NAS products that reached end-of-support in 2016 or earlier, firmware updates are no longer provided. We strongly recommend that users follow the workaround procedure […] to remediate the vulnerability.”
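What a pre-authentication command injection like CVE-2020-9054 looks like at the code level, and how the fix looks, as an added example (not Zyxel’s code, whose internals the advisory does not show). The helper path `/bin/auth_helper`, the parameter and the payload are constructed for the example. The vulnerable builder concatenates the username into a shell command line; the quoted variant shows the minimum fix if a shell is unavoidable; the hardened version validates against an allow-list and builds an argv list so that no shell is ever involved. `shell_commands` tokenises a command line the way `/bin/sh` would, to show how many commands the shell would actually run.

```python
"""Pre-auth command injection: vulnerable, quoted and hardened forms (added example)."""
import re
import shlex

HELPER = "/bin/auth_helper"   # hypothetical authentication helper binary
# Constructed payload: closes the single-quoted argument, runs a command,
# then re-opens a quote so the rest of the line still parses.
PAYLOAD = "admin'; id > /tmp/pwned; echo '"


def build_login_command_vulnerable(username):
    """Vulnerable: the untrusted username is pasted into a shell command line."""
    return "%s --user '%s'" % (HELPER, username)


def build_login_command_quoted(username):
    """Minimum fix if a shell is unavoidable: shlex.quote keeps the value one argument."""
    return "%s --user %s" % (HELPER, shlex.quote(username))


def build_login_command_hardened(username):
    """Hardened: allow-list the value and build an argv list for subprocess.run(argv)
    with shell=False, so metacharacters have no meaning at all."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", username):
        raise ValueError("invalid username")
    return [HELPER, "--user", username]


def shell_commands(cmdline):
    """Split a command line into the separate commands /bin/sh would run (';' separated)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for cmd in shell_commands(build_login_command_vulnerable(PAYLOAD)):
        print("vulnerable build, shell would run:", cmd)
    print("quoted build:", shell_commands(build_login_command_quoted(PAYLOAD)))
    print("hardened build:", build_login_command_hardened("admin"))
```

The vulnerable build turns one login into three shell commands, the second of which is the attacker’s; the quoted build keeps the whole payload as a single argument; the hardened build rejects it before anything is executed.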
4 Real World Zero Day Attack Examples
Now that you’ve seen some examples of zero-day vulnerabilities, let’s look at some of the most high-profile zero-day attacks in recent years:
1. Hackers Exploit WhatsApp Vulnerability to Distribute Spyware
CVE-2019-3568, a critical zero-day vulnerability, was discovered in 2019 being used to deliver malware to specific target devices. It was a buffer overflow in the WhatsApp VoIP stack, exploited to plant spyware on affected versions of the WhatsApp mobile app for Android, iOS, and Windows Phone. The exploit allowed attackers to remotely execute code by sending specially crafted SRTCP packets to the target phone number; the victim did not even need to answer the call.
WhatsApp alleged in a federal lawsuit that NSO Group, an Israeli surveillance software company, used the audio-calling vulnerability to deliver government-grade spyware to “approximately 1,400 mobile phones and computers.” The reasoning is that because WhatsApp is end-to-end encrypted, intercepting messages in transit is impractical; instead of attacking the messages directly, the attackers compromised the endpoint devices, where the messages are decrypted anyway.
While WhatsApp was swift to fix the flaw, others quickly followed, making 2019 a particularly difficult year for the Facebook-owned company.
2. Hackers Use Microsoft Windows Vulnerability to Carry Out Government Espionage in Europe
In June 2019, Buhtrap, a hacker group notorious for financially motivated attacks on banks, used a Windows OS vulnerability to launch zero-day attacks against Eastern European government institutions. The group carried out its attack by exploiting a vulnerability that affected older Windows versions, including Windows 7 and Windows Server 2008, according to cybersecurity writer Davey Winder.
The vulnerability, CVE-2019-1132, was a local privilege escalation bug in the Win32k kernel component. It was one of the bugs fixed by Microsoft in the Patch Tuesday update of July 9, 2019.
According to a report:
“The group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.”
3. ‘EternalBlue’ Exploit Affected Hundreds of Thousands of Devices Worldwide
IT managers and companies all over the world had a bad year in 2017. EternalBlue, one of many exploits developed by the National Security Agency and leaked by a group calling itself the Shadow Brokers, was used in the WannaCry ransomware attacks that year.
Of course, the exploit was also used in other malware and cyber attacks (TrickBot, WannaMine, Coin Miner, and so on), but WannaCry was the first and best-known case, affecting over 200,000 computers in over 100 countries.
EternalBlue exploits a vulnerability (CVE-2017-0144) in Microsoft’s implementation of the Server Message Block (SMB) version 1 protocol, giving an attacker remote code execution over TCP port 445 without any authentication. With that access, an attacker, or a worm like WannaCry, can move from one infected computer to every other vulnerable host reachable on the network.
Although Microsoft released a patch (MS17-010) almost two months before the WannaCry attacks, many organisations had not installed it on their systems, which contributed to WannaCry’s success. The UK’s National Health Service (NHS) is one such example.
The NHS was warned about security concerns relating to legacy systems in advance of the WannaCry attacks, according to the UK’s National Audit Office, but they were slow to react. According to the NAO’s head, Amyas Morse:
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
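One thing a monitoring team can do about this class of exploit is find hosts that still negotiate SMBv1, the protocol surface EternalBlue needs. The following is an added example, not from the original article or any vendor: a Python parser for the SMB1 Negotiate Protocol request that lists the dialects a client offers and classifies the client as SMB1-only, SMB1 negotiating an upgrade to SMB2, or SMB2-or-later. The frames are constructed inline by `build_smb1_negotiate` (a test fixture, not a capture); a real deployment would feed it the first NetBIOS session message of each TCP connection to port 445.

```python
"""Spot SMBv1-only clients from their Negotiate request (added example, constructed frames)."""
import struct
from collections import Counter

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32


def smb1_negotiate_dialects(frame):
    """Dialect strings offered in an SMB1 Negotiate Protocol request, or None if
    `frame` (a NetBIOS session message: 4-byte header + SMB payload) is not one."""
    if len(frame) < 4 + SMB1_HEADER_LEN + 3 or frame[0] != 0x00:
        return None
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < SMB1_HEADER_LEN + 3 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = smb[SMB1_HEADER_LEN]
    params_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    byte_count = struct.unpack_from("<H", smb, params_end)[0]
    data = smb[params_end + 2:params_end + 2 + byte_count]
    # Each dialect is BufferFormat 0x02 followed by a NUL-terminated ASCII string.
    return [chunk[1:].decode("ascii", "replace") for chunk in data.split(b"\x00") if chunk[:1] == b"\x02"]


def classify(frame):
    """Label a client's first message on port 445."""
    if frame[4:8] == SMB2_MAGIC:
        return "smb2-or-later"
    dialects = smb1_negotiate_dialects(frame)
    if dialects is None:
        return "not-a-negotiate"
    if any(d.startswith("SMB 2.") for d in dialects):
        return "smb1-negotiate-offering-smb2"   # multi-protocol negotiate, will move to SMB2
    return "smb1-only"                         # the surface MS17-010 / EternalBlue needs


def scan(frames):
    """Summarise a batch of captured first messages by class."""
    return dict(Counter(classify(f) for f in frames))


def build_smb1_negotiate(dialects):
    """Constructed SMB1 Negotiate request (test fixture, not a capture)."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(4)    # command, status
              + b"\x18" + b"\x53\xc8"                                # flags, flags2
              + bytes(2) + bytes(8) + bytes(2)                       # pid high, signature, reserved
              + bytes(2) + b"\xff\xfe" + bytes(2) + bytes(2))         # tid, pid, uid, mid
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body    # word count 0, byte count
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    samples = [
        build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),   # legacy client
        build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),               # will upgrade
        b"\x00\x00\x00\x40" + SMB2_MAGIC + bytes(60),                                  # SMB2 negotiate
    ]
    print(scan(samples))   # {'smb1-only': 1, 'smb1-negotiate-offering-smb2': 1, 'smb2-or-later': 1}
```

A client that only ever offers SMB1 dialects is either an unpatched legacy system or a scanner looking for MS17-010 targets; either way it belongs on the list of things to fix or block before the next worm arrives.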
4. Stuxnet Wreaks Havoc on Iranian Nuclear Facility Before Going Public
We’ll wrap up this list with Stuxnet, probably the best-known zero-day attack of all. Before it was publicly discovered in 2010, the Stuxnet worm, which used four separate Windows zero-day vulnerabilities, wreaked havoc on Iran’s Natanz uranium enrichment facility by sabotaging its centrifuges.
According to a ZDNet report, the sophisticated computer worm, widely attributed to the US and Israeli governments, eventually spread to computers in 115 countries. While Stuxnet is old news by today’s standards, it remains significant as the first widely recognised cyber attack to cause physical damage to industrial control systems, and it showed the world what such attacks could do.
Final Thoughts on Zero Day Vulnerabilities & Attacks (and How to Protect Your Organization Against Them)
Despite the fact that we’ve seen enough high-impact zero-day attacks to make the IT and security community sit up and take notice, patching remains a major problem. This holds true for a wide variety of companies and organisations, regardless of their size or location.
Patching is essential, but it isn’t the only way for companies, governments, and other organisations to safeguard their IT infrastructure, networks, and data:
- Have IT disaster response and recovery plans in place.
- Identify and train key team members so they understand their roles and responsibilities.
- Purge legacy systems and technologies.
- Regularly back up your data and follow the 3-2-1 backup rule.
- Train your employees to be cyber aware so they can identify common threats and know how to safely respond to them.
- Use continuous monitoring solutions to identify unusual activity and advanced persistent threats.
- Regularly assess your network and other cybersecurity defenses to identify vulnerabilities.
- Use multi-layered cybersecurity defenses.