What is a Zero-Day (0-Day)? | UpGuard (2024)

A zero-day (0-day) is an unpatched security vulnerability that is unknown to the software, hardware or firmware developer, and the exploit attackers use to take advantage of that security hole.

In general, zero-day refers to two things:

  1. Zero-day vulnerabilities: a security hole, such as one in an operating system, that is unknown to its developer and to antivirus software.
  2. Zero-day exploits: a cyber attack that takes advantage of a zero-day vulnerability. Zero-day exploits can be used to install different types of malware, steal sensitive data or credit card numbers and cause data breaches.

Zero-day gets its name from the number of days a patch has existed for the flaw: zero.

What are The Risks of Zero-Day Vulnerabilities?

Zero-day threats represent a significant cybersecurity risk because they are unknown to the party responsible for patching the flaw and may already be under active exploitation.

For example, BlueKeep (CVE-2019-0708) is a remote code execution flaw that affects approximately one million systems (as of 29 May 2019) running older versions of Microsoft operating systems.

This zero-day vulnerability made headlines during Microsoft's May 2019 Patch Tuesday due to its wormability.

This means successful cyber attacks using BlueKeep can propagate in a similar way to WannaCry's EternalBlue exploit.

Microsoft saw BlueKeep as such a large cyber threat to information security and cybersecurity that it released patches for out-of-support and end-of-life operating systems like Windows 2003 and Windows XP.

Systems vulnerable to BlueKeep are easily discovered with tools like Masscan and ZMap, which can scan large parts of the Internet in minutes, making it trivial for attackers to find vulnerable systems.


What Makes a Vulnerability a Zero-Day Vulnerability?

Ordinarily, security researchers find potential vulnerabilities in software, notify the software company so it can patch the security risk and, after a period of time, disclose the flaw to the public on CVE.

For example, Google's Project Zero gives vendors up to 90 days to patch a vulnerability before they disclose the flaw. That said, flaws deemed critical are given seven days to patch and actively exploited vulnerabilities may be publicly disclosed right away.

This is because most companies, given time, can fix the vulnerability and distribute a software update (patch) to close it.

And generally this works: it takes potential attackers time to figure out the best way to exploit the vulnerability.

However, there are situations when the discoverer chooses not to notify the software vendor or antivirus vendors.

Zero-day vulnerabilities and exploit codes are extremely valuable, not just to cybercriminals, but to nation-state actors who can use them to launch cyber attacks on enemy states.

What are Common Zero-Day Attack Vectors?

The attack vector used in a zero-day attack depends on the type of zero-day vulnerability.

Sometimes, when users visit rogue websites, malicious code on the site can exploit zero-day vulnerabilities in web browsers like Internet Explorer or Chrome.

Another common attack vector for exploiting zero-day vulnerabilities is email. Cybercriminals may use email spoofing, phishing or spear phishing to deliver attachments that must be opened by the victim to execute the malicious payload.

The danger of zero-day attacks is that their attack vector is unknown and typically undetected by threat intelligence and security software.

Who are the Typical Targets of Zero-Day Attacks?

  • Government agencies
  • Large enterprises
  • Individuals with access to valuable business data or intellectual property
  • Groups of individuals with vulnerable systems such as an outdated Android or Linux device
  • Hardware devices and their firmware
  • Internet of Things (IoT)
  • Enemies of the state

What are Examples of Zero-Day Attacks?

  • WannaCry: a ransomware computer worm that exploited EternalBlue, a software vulnerability in legacy versions of Microsoft Windows that used an outdated version of the Server Message Block (SMB) protocol. Security researchers at the National Security Agency (NSA) discovered the security hole months prior to WannaCry but chose not to disclose it to the public. EternalBlue was stolen by cybercriminals and used to create WannaCry, which was able to spread to hundreds of thousands of machines before Microsoft could issue a security patch to close the exploit.
  • Stuxnet: a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targeted SCADA systems at Iran's uranium enrichment plant at Natanz and used five zero-day exploits to spread and bypass access control on systems. Though one of these vulnerabilities had been patched by Microsoft prior to the attack, the machines had not been kept up to date.
  • RSA: in 2011, attackers used an unpatched vulnerability in Adobe Flash Player to breach the network security of security company RSA. The attackers used phishing and email spoofing to send infected Excel spreadsheets to small groups of RSA employees. The Excel files contained an embedded Flash file that exploited the zero-day vulnerability, installing the Poison Ivy remote administration tool (RAT). Once they had gained access, the attackers searched for sensitive data and transmitted it to their servers.
  • Operation Aurora: in 2009, attackers believed to be from China gained unauthorized access to dozens of American companies, including Google, Adobe, Juniper Networks and Rackspace, by exploiting a zero-day vulnerability found in several versions of Internet Explorer.
  • Sony Pictures: Sony Pictures suffered a zero-day malware attack in late 2014. The attackers exploited a vulnerability in Server Message Block (SMB), which led to a massive breach of valuable corporate data that could be used for corporate espionage, including forthcoming movies, business plans and personal email addresses of key Sony executives.

Article information

Author: Velia Krajcik