Zero-Day Attacks, Exploits, and Vulnerabilities: A Complete Guide

What Is a Zero-Day Attack?

From time to time, vulnerabilities are discovered in computing systems. These vulnerabilities represent security holes that allow attackers to gain unauthorized access to, damage or compromise a system. Known vulnerabilities are documented in public repositories such as the National Vulnerability Database (NVD).

Both software vendors and independent security researchers are constantly on the lookout for new vulnerabilities in software products. When a vulnerability is discovered, it is the software vendor’s responsibility to quickly issue a patch that addresses the security issue – users of the software can then install the patch to protect themselves.

A zero-day (or 0-day) attack is a software vulnerability exploited by attackers before the vendor has become aware of it. At that point, no patch exists, so attackers can easily exploit the vulnerability knowing that no defenses are in place. This makes zero-day vulnerabilities a severe security threat.

Once attackers identify a zero day vulnerability, they need a delivery mechanism to reach the vulnerable system. In many cases the delivery mechanism is a socially engineered email – an email or other message that is supposedly from a known or legitimate correspondent, but is actually from an attacker. The message tries to convince a user to perform an action like opening a file or visiting a malicious website, unwittingly activating the exploit.

What Is a Zero-Day Exploit and Why Is it Dangerous?

A zero-day exploit is when an attacker leverages a zero-day vulnerability to attack a system. These exploits are especially dangerous because they are more likely to be successful than attacks against established vulnerabilities. On day zero, when a vulnerability is made public, organizations have not yet had a chance to patch the vulnerability, making the exploit possible.

Something that makes zero-day exploits even more dangerous is that some advanced cybercriminal groups use zero-day exploits strategically. These groups reserve zero-day exploits for use with high-value targets, such as medical or financial institutions, or government organizations. This reduces the chance that a vulnerability is discovered by the victim and can increase the lifespan of the exploit.

Even after a patch is developed, users must still update their systems. If they don’t, attackers can continue to take advantage of a zero-day exploit until the system is patched.

Anatomy of a Zero-Day Attack

A zero-day attack typically proceeds as follows:

1. Looking for vulnerabilities – attackers search through code or experiment with popular applications, looking for vulnerabilities. They may also buy vulnerabilities on the black market (see more details about zero-day markets below).
2. Exploit code created – attackers create a malware program or other technical means to exploit the vulnerability.
3. Looking for systems affected by the vulnerability – attackers can use bots, automated scanners and other methods to identify systems that suffer from the vulnerability.
4. Planning the attack – in a targeted attack on a specific organization, attackers may carry out detailed reconnaissance to identify the best way to penetrate the vulnerable system. In a non-targeted attack, attackers will typically use bots or massive phishing campaigns to try to penetrate as many vulnerable systems as possible.
5. Infiltration – an attacker gets through the perimeter defenses of an organization or personal device.
6. Zero-day exploit launched – attackers are now able to execute code remotely on the compromised machine.

Who are the Attackers?

Threat actors who plan and carry out zero-day attacks can belong to several categories:

• Cybercriminals— hackers whose primary motive is typically financial.
• Hacktivists— attackers motivated by an ideology, they will typically want attacks to be highly visible to help them in their cause.
• Corporate espionage— attackers who aim to illicitly gain private information from other organizations.
• Cyberwarfare— in recent years nation states and national security bodies have often resorted to cyberthreats against another country’s infrastructure, or organizations within another country that represent critical infrastructure (for example, the Stuxnet attack).

Targeted vs. Non-Targeted Zero-Day Attacks

Targeted zero-day attacks are carried out against high profile targets, such as government or public institutions, large organizations, and senior employees who have privileged access to corporate systems, access to sensitive data, intellectual property or financial assets.

Non-targeted zero-day attacks are typically waged against a large number of home or business users who use a vulnerable system, such an operating system or browser.Often, the attacker’s goal will be to compromise these systems and use them to build massive botnets. A recent example was the WannaCry attack, which used the EternalBlue exploit in the Windows SMB file protocol to compromise over 200,000 machines in one day. Non-targeted attacks can also target hardware, firmware and Internet of Thing (IoT).

Zero-Day Vulnerability Trends

Zero-day exploits seen in the wild grew from eight in 2016 to 49 in 2017. The Trend Micro Zero Day Initiative, a network of researchers that encourages zero-day research, found 382 new vulnerabilities in the first half of 2018. Not all vulnerabilities are actively targeted by attackers and only some have exploits available.

Experts anticipate that zero-day exploits will become much more frequent. Cybersecurity Ventures expects that by 2021, attackers will launch a new exploit daily. In 2015, there was approximately one exploit per week.

Examples of Zero-Day Attacks

The following are three examples of high profile zero-day attacks, illustrating the severe risk zero-day attacks pose for organizations.

Stuxnet

Stuxnet was labelled as the world’s first cyber weapon. It was malware was used to break into Iran’s uranium enrichment centrifuges in 2006. Many experts believe that the National Security Agency (NSA) created the zero-day exploit. Stuxnet infected a specific industrial control system, and sped up or slowed down the centrifuges to the point where they destroyed themselves. During this process Iranian monitoring systems made it appear that systems were operating normally.

RSA

In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to gain entry into the network of security vendor RSA. The attackers distributed emails via Excel spreadsheet attachments to RSA employees; the attachments activated a Flash file, which exploited the zero-day Flash vulnerability. The data stolen included key information used by RSA customers in SecurID security tokens.

Sony

In 2014, a zero-day attack targeted Sony Pictures. While the details of the vulnerability exploited in the attack remain unknown, the attack brought down Sony’s network, and attackers leaked sensitive corporate data on file sharing sites, including personal information about Sony employees and their families, internal correspondence, information about executive salaries, and copies of unreleased Sony films. Attackers used a variant of the Shamoon wiper malware to erase multiple systems on Sony’s corporate network.

The Zero-Day Market

A zero-day vulnerability is a valuable asset. It is vulnerable to software vendors, who want to protect their users, and valuable to attackers who can use them to their advantage.

Three markets have emerged, on which both legitimate and malicious researchers trade zero-day vulnerabilities and exploits:

• White Hat Markets – there are several bounty programs in which software vendors and security organizations pay money for the discovery of a new unknown vulnerability. Bounty programs have been launched by GitHub and BugCrowd, by large technology brands like Apple, Microsoft, and Facebook, and even by government agencies including the Pentagon. All these offer researchers between hundreds to hundreds of thousands of Dollars if they can detect and document a security vulnerability.}
• Zero-day feeds – security research companies offer their customers zero-day feeds, with information about unknown vulnerabilities, which is kept private to retain its value.}
• Grey Hat Markets – there are zero-day brokers that look for good zero-day research and buy it on behalf of their customers, keeping buyer and seller identities anonymous. The seller, who may be a legitimate researcher, has no control over what the end purchaser will do with the vulnerability information; while it may be provided to software vendors or legitimate parties, in some cases it may be sold to a hostile foreign country, a terrorist organization or a hacker group.}
• Black Markets – there is a thriving black market for zero-day vulnerabilities and exploits. Hackers, or unethical researchers, offer vulnerabilities they discover for sale, and threat actors buy them with the aim of conducting attacks against vulnerable systems. Researchers who monitor these black markets report that the creation and distribution of zero day information and exploits by cybercriminals is on the rise.}

Zero Day Protection and Prevention

Zero day attacks are difficult to defend against, but there are ways to prepare. Read our guide to zero-day protection to understand four best practices that can help you prevent zero-day attacks:

• Windows Defender Exploit Guard – a security tool built into Windows 2010, which has several capabilities that can effectively protect against zero day attacks. It can be a first line of defense against zero-day attacks targeting Windows endpints.
• Next-Generation Antivirus (NGAV) – traditional antivirus is largely ineffective against zero-day exploits, because they utilize vulnerabilities in existing software. However, Next Generation Antivirus (NGAV) solutions leverage threat intelligence, behavioral analytics, , machine learning code analysis and dedicated anti-exploit techniques which can be effective against some zero-day attacks.
• Patch Management – establishing a formal process, and implementing automated tools, can help organizations detect systems in need of patching, obtain the patches and deploy them quickly, before attackers can strike with a zero-day attack.
• Incident Response Plan – having a specific plan focused on zero-day attacks can reduce confusion and increase the chances of detecting, mitigating and reducing the damage caused by zero-day attacks.

Zero-Day Attack Protection with Cynet

The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans that can evade traditional signature-based security measures.

Block exploit-like behavior

Cynet monitors endpoints memory to discover behavioral patterns that are typical to exploit such as unusual process handle request and others, These patterns are common to the vast majority of exploits, whether known or new and provides effective protection even from zero-day exploits.

Block exploit-derived malware

Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing, process behavior monitoring. In addition, they provide fuzzy hashing and threat intelligence. This ensures that even if successful zero-day exploit establishes a connection with the attacker and downloads additional malware, Cynet will prevent this malware from running so no harm can be done.

Uncover hidden threats

Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks. They provide a holistic account of the operation of an attack, irrespective of where the attack may try to penetrate.

Accurate and precise

Cynet uses a powerful correlation engine and provides its attack findings with near-zero false positives and free from excessive noise. This simplifies the response for security teams so they can react to important incidents.

You can carry out automatic or manual remediation, so your security teams have a highly effective yet straight-forward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage.

Learn more about Cynet’s Next-Generation Antivirus (NGAV) Solution.

Learn More About Zero-Day Attacks

5 Ways to Defend Against Zero-Day Malware

In computing, the term zero day refers to the unknown. If a vulnerability, exploit, or threat of any kind is not known to security researchers, it can be classified as a “zero day attack”.

Learn what is zero day malware, and why it can get past traditional signature-based antivirus. Discover 5 ways you can use to defend against zero day malware.

Read more: 5 Ways to Defend Against Zero-Day Malware

Zero-Day Exploit: Recent Examples and Four Detection Strategies

Zero-day exploits are techniques used by malicious actors to attack a system that has a vulnerability, while the users and developers of the system are still unaware of the vulnerability.

Understand why zero-day exploits are so severe, see examples of devastating breaches caused by zero days, and learn how to detect zero day attacks.

Read more: Zero-Day Exploit: Recent Examples and Four Detection Strategies

Zero-Day Attack Prevention: 4 Ways to Prepare

A zero-day vulnerability is a weakness in a computer system that can be exploited by an attacker, and which is undetected by affected parties. A zero-day attack is an attempt by a threat actor to penetrate, damage, or otherwise compromise a system that is affected by an unknown vulnerability. By nature of the attack, the victim will not have defenses in place, making it highly likely to succeed.

What happens if your organization is the victim of a zero-day exploit? Understand how to protect your organization against surprising and unknown attacks.

Read more: Zero-Day Attack Prevention: 4 Ways to Prepare

See Additional Guides on Key Cybersecurity Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of cybersecurity.

XDR

Authored by Cynet

• What Is Extended Detection and Response (XDR)? Complete Guide
• XDR by Palo Alto: Understanding Cortex XDR
• XDR Security Solutions: Get to Know the Top 8

What is TTPs

Authored by Exabeam

• What is Lateral Movement and How to Protect Against It | Exabeam
• What Are TTPs and How Understanding Them Can Help Prevent the Next Incident

UEBA

Authored by Exabeam

• What Is UEBA (User and Entity Behavior Analytics)?
• What Is UEBA and Why It Should Be an Essential Part of Your Incident
  Response
• UEBA Tools: Key Capabilities and 7 Tools You Should Know