A zero-day vulnerability is a software flaw that is unknown to the vendor or maintainer of the affected software, so no patch for it exists yet. The term ‘zero-day attack’ refers to a situation in which such a vulnerability is exploited in the wild while still unknown to the vendor: the vendor and its users have had “zero days” to remedy the problem.
A zero-day exploit is highly prized by attackers because it is unlikely to be recognized by signature-based defenses, which have no signature for an unknown flaw, and because, unlike many attack types, it can be far less dependent on the user’s lack of awareness. Attack vectors such as phishing require user interaction, whether opening an attachment or clicking on a link. By contrast, a zero-day exploit for a flaw in the operating system or in a network-facing service can compromise a target machine directly, with no user interaction at all, which greatly increases its chances of success. Not every zero-day is of this kind: an exploit for a document viewer or a browser still needs the victim to open the file or visit the page, but in either case the victim has no patch to fall back on.
A private zero-day vulnerability, in turn, is one known only to its discoverer and whoever they have shared it with. Exploits for such vulnerabilities are typically held by well-resourced cyber espionage groups, usually state sponsored. Though private zero-days present a major security risk, their use is typically not widespread, since their owners have a vested interest in keeping them from being discovered: every use risks detection and a patch, so they are kept as the proverbial “ace up the sleeve,” saved for high-value targets that will yield the greatest returns.
When a zero-day vulnerability is disclosed publicly, whether through a leak, publication by a security researcher, or some other form of disclosure, it is no longer private. A newly exposed vulnerability can still pose a significant threat, and in many cases presents more of a risk than a private one. Once the vulnerability is public, even if a patch has already been released, a race against the clock starts between attackers, who reverse the patch or the published details to build an exploit, and defenders, who must test and deploy the vendor’s fix on every affected system. Until the patch is deployed the vulnerability remains exploitable, and an attack that lands in this window is known as a one-day or N-day attack.
A race against the clock
One of the most famous cases of a formerly private zero-day turned N-day is EternalBlue. In April 2017, the Shadow Brokers, a threat group known for leaking hacking tools and exploits attributed to the United States National Security Agency (NSA), leaked an exploit for a vulnerability in Microsoft’s implementation of SMBv1, version 1 of the Server Message Block protocol (CVE-2017-0144). The vulnerability could be triggered by sending crafted packets to a vulnerable machine’s SMB service on TCP port 445, allowing an unauthenticated attacker to execute arbitrary code remotely on the target without any user interaction.
The consequences of the leak were the massive ransomware campaigns that ran from May to August 2017, including WannaCry, NotPetya (initially reported as a variant of Petya), and others. Although Microsoft had patched the vulnerability in March 2017 (MS17-010), one month before the leak, EternalBlue was nevertheless a major component of some of the most widely propagating malware campaigns of all time, because a massive number of machines worldwide remained unpatched. Indeed, the events of 2017 provide the most compelling argument of all for routine software updates as part of any enterprise’s basic security hygiene.
A more recent example occurred in August 2020, when Microsoft released a patch for a severe vulnerability in the Netlogon Remote Protocol (MS-NRPC) that was discovered, and later published, by the Dutch security company Secura.
The vulnerability, known as Zerologon (CVE-2020-1472), allows an unauthenticated attacker with network access to a domain controller to take over the domain. The flaw lies in the cryptographic handshake of the Netlogon authentication protocol: the credential that proves knowledge of the session key is computed with AES-CFB8 using a fixed, all-zero initialization vector, so for roughly one in 256 session keys a client challenge of all zeros produces a credential of all zeros. An attacker who simply repeats the handshake with a zero challenge and a zero credential therefore succeeds after a few hundred attempts on average, without knowing any key, and can then use the spoofed session to reset the domain controller’s own machine account password and gain complete control over the environment.
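To make the handshake flaw concrete, the following is an added example, not Secura’s or Microsoft’s code, that models the credential computation in Python. AES is replaced by a SHA-256-based keyed function (an assumption made to keep the example dependency-free): CFB mode only ever uses the cipher in the forward direction, so the mode-level property the attack relies on is unchanged. The names netlogon_credential, derive_session_key and attempts_until_zero_credential, and the constructed session keys, are this example’s own, not identifiers from the protocol.

```python
"""Toy model of the Zerologon (CVE-2020-1472) handshake flaw: CFB8 with an
all-zero IV.  Added example, not Secura's or Microsoft's code.  The block
cipher is a stand-in keyed PRF built from SHA-256, NOT AES: CFB mode only
ever calls the forward (encrypt) direction, so any keyed 16-byte function
reproduces the mode-level property the attack relies on."""
import hashlib

BLOCK = 16                  # AES block size; Netlogon uses AES-128
ZERO_IV = bytes(BLOCK)      # Netlogon's hard-coded IV: 16 zero bytes
ZERO_CHALLENGE = bytes(8)   # attacker-chosen client challenge: 8 zero bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block) (assumption: a SHA-256 based keyed PRF)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode: c_i = p_i XOR E_k(register)[0], then c_i is shifted into
    the register from the right. With iv == 0 and c_0 == 0 the register
    never leaves the all-zero state, so every later ciphertext byte is 0."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(session_key: bytes, challenge: bytes,
                        iv: bytes = ZERO_IV) -> bytes:
    """Models ComputeNetlogonCredential: CFB8 over the 8-byte challenge.
    The real protocol always uses ZERO_IV; the iv parameter exists only so
    the example can show what a non-zero IV would change."""
    return cfb8_encrypt(session_key, iv, challenge)


def zero_credential_possible(session_key: bytes) -> bool:
    """The zero-challenge credential is all zeros iff E_k(0^16)[0] == 0,
    which holds for about 1 in 256 keys."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def derive_session_key(attempt: int) -> bytes:
    """Deterministic stand-in for the fresh session key the server derives
    for each handshake (constructed so the simulation is repeatable)."""
    return hashlib.sha256(b"session-key-%d" % attempt).digest()[:BLOCK]


def count_zero_credentials(num_keys: int, iv: bytes = ZERO_IV) -> int:
    """Count how many of num_keys handshakes would accept an all-zero
    credential for a zero challenge. Expect ~num_keys/256 with ZERO_IV and
    0 with any other IV: all 8 output bytes must then independently be 0,
    a 2^-64 chance per handshake."""
    return sum(
        netlogon_credential(derive_session_key(i), ZERO_CHALLENGE, iv) == bytes(8)
        for i in range(num_keys)
    )


def attempts_until_zero_credential(max_attempts: int = 100_000) -> int:
    """Simulate the attacker's loop: re-run the handshake with a zero client
    challenge until the server computes the all-zero credential the attacker
    sent. Returns the attempts needed (expected ~256), or -1 at the cap."""
    for i in range(max_attempts):
        if netlogon_credential(derive_session_key(i), ZERO_CHALLENGE) == bytes(8):
            return i + 1
    return -1


if __name__ == "__main__":
    n = 4096
    print(f"zero IV:     {count_zero_credentials(n)} of {n} handshakes accept "
          f"an all-zero credential (expected ~{n // 256})")
    print(f"non-zero IV: {count_zero_credentials(n, bytes(range(BLOCK)))} of {n}")
    print(f"attacker succeeds after {attempts_until_zero_credential()} attempts")
```

Running it shows on the order of 16 successes out of 4,096 simulated handshakes with the zero IV, none with a non-zero IV, and an attacker loop that succeeds within a few hundred attempts. The point the numbers make is that a fixed zero IV combined with a constant, attacker-chosen challenge collapses the 2^-64 chance of guessing an 8-byte credential to 2^-8, which is why the attack is practical with no key material at all.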
Two months after the patch release, and just one month after Secura’s researchers published the technical details of the vulnerability in September 2020, the Ryuk ransomware operation began exploiting Zerologon in a massive campaign targeting unpatched systems.
Defending against zero-day attacks
Defending against zero-day and N-day attacks requires constant alertness and an agile approach that includes the following.
A multi-layered cyber security policy. Defending against zero-day exploits requires that an enterprise control every layer of its environment using the most up-to-date tools possible: firewalls and next-gen antivirus, endpoint protection, authentication and identity management, SIEMs, and, most importantly, routine software patching. When developing this multi-layered approach, keep the focus on prevention. Preventing attacks is far less expensive than reacting to them, it keeps your systems cleaner, and it gives your SIEM and detection tools a fighting chance against the exploits that still break through your defenses. No single layer stops a zero-day on its own; the value of the approach is that a layer the exploit does not bypass, such as limited privileges or limited network reachability on the compromised host, contains the damage when the first layer fails.
Good cyber hygiene. Training employees in cybersecurity awareness at all ranks of the organization is an absolute must. Every employee should know what to look out for in email, how to identify suspicious links and attachments, and whom to alert. Education of this type, combined with an on-time software patching policy, is an effective means of denying attackers their initial foothold, and many an infection attempt has been cut off by alert employees armed with good training and a keen eye for what constitutes a phishing attempt.
Zero-day attacks, though uncommon, can have destructive and far-reaching consequences for an organization. N-day attacks that exploit known vulnerabilities are far more common, and while they too can cause severe damage, they are much easier for enterprises to defend against because a fix already exists. By keeping up with software updates, staying abreast of cyber security news, and consistently patching vulnerable systems, companies close the N-day window and shrink the set of flaws an attacker can use against them.
Roei Amit, Threat Intelligence Researcher, Deep Instinct