A few lines of poorly written code can open the door for cybercriminals. Zero-day attacks ruthlessly target code flaws in popular operating systems and apps. Left unpatched, these apps can enable unauthorized access, leading to data loss and ransomware attacks.
Avoid these damaging outcomes by protecting your assets against zero-day attacks. This article will explain how zero-day vulnerabilities and exploits work. We will discuss some critical case studies and suggest ways to protect your assets against the exploits of the future.
Zero-day attack definition
A zero-day attack is a cyber-attack that exploits a software vulnerability before the vendor has released a fix and before users have been able to apply one. The name comes from the vendor having had "zero days" to address the flaw: the vulnerability is exploited before, or on the same day, it becomes known to them, so no patch exists when the attack begins.
Attackers who find zero-day vulnerabilities can often bypass the security controls built around the affected software and gain an initial foothold in a network. Network owners need policies that ensure every security update is applied promptly, together with a way to stay informed about exploits that are active before a patch exists.
Understanding the differences between zero-day attacks, vulnerabilities, and exploits
Before implementing security measures, it's important to understand some key terms. Zero-day vulnerabilities are software flaws not yet known to the vendor (or known but still unpatched); zero-day exploits are the code or techniques that take advantage of those flaws; zero-day attacks are the use of those exploits against real targets.
Let's quickly explore these terms to put zero-day attack methods into context.
What is a zero-day vulnerability?
Developers sometimes unintentionally release internet-facing applications with vulnerable code. This is highly likely given the complexity of modern software and the pressure to release products on schedule.
Threat actors constantly search for such code flaws, which are known as zero-day vulnerabilities for as long as no fix exists. They remain in every affected version of the product until the vendor ships a security patch and users apply it.
What is a zero-day exploit?
Zero-day exploits are the methods attackers use to take advantage of vulnerabilities that have not yet been patched.
For example, a threat actor may write exploit code that targets a flawed application component. Delivery varies with the flaw: a crafted document or web page that triggers the bug when opened, a malformed request sent to a network-facing service, or malware dropped by an email phishing campaign or a drive-by download. When the exploit triggers the flaw, the attacker gains code execution or elevated privileges on the target, which is then used for persistence, lateral movement, or surveillance.
This attack method is particularly concerning because it targets previously unknown security vulnerabilities. Security teams may have no signature for the exploit, may not recognize how the attacker got in, and may not know which component to isolate, leading to slow or ineffective incident response.
Exploits also appear very quickly. On average, there is a 14-day gap between vulnerability identification and exploits becoming available. That gives vendors and security professionals a tiny window to secure their systems.
Note: Common Vulnerabilities and Exposures (CVE) identifiers and the Common Vulnerability Scoring System (CVSS) appear regularly when researching zero-day threats. A CVE ID (for example, CVE-2020-1472 for Zerologon) names a specific flaw; the CVSS base score rates its technical severity on a scale from 0.0 to 10.0, with 10.0 being the most severe. These scores are a useful input for prioritizing mitigation, but they measure severity rather than the risk to your particular environment, so combine them with knowledge of whether the flaw is being exploited and whether the affected component is exposed.
How does a zero-day attack work?
Zero-day attacks tend to play out similarly, from vulnerability detection to launching exploits. A typical zero-day attack process looks something like this:

- Researching software vulnerabilities: Attackers inspect application code, looking for errors and weak spots.
- Creating exploit code: Attackers write code that reliably triggers the flaw they found, sometimes packaged into exploit kits. They may sell these on dark web marketplaces or keep them for their own operations.
- Identifying target systems: Attackers scan for companies using vulnerable software.
- Attack planning: When they find a suitable target, the threat actor carries out reconnaissance to find insecure endpoints.
- Executing the exploit: Attackers breach network entry points. They then deploy malware to execute the zero-day exploit.
The zero-day exploit lifecycle, seen from the defender's side, is slightly different.
The cycle starts when the vendor learns about a zero-day vulnerability, whether from a researcher, from its own testing, or from an attack already in progress, and discloses it to clients and stakeholders.
At this stage, no security patch is available. Application users must fold the vendor's information into their vulnerability management response, for example by applying any published workaround or restricting access to the affected component. Vendors and security tool makers may also publish detection signatures (intrusion detection or antivirus rules) for the malware and exploit payloads already seen in the wild.
Vendors then develop a software update that fixes the flaw and make this patch available to all users. This is not the end of the process, though. Users must install the update or rely on automated patch management tools to do so, and a patch that is never applied protects nobody.
Zero-day vulnerabilities can lie dormant for months or years before anyone finds them. Once exploitation begins, the period between detection and mitigation is when systems are most acutely at risk.
Examples of zero-day attacks
Zero-day risks are not abstract. There are many real-world examples of successful zero-day attacks targeting diverse corporations and public organizations. There are also many potential exploit vectors, from operating systems to collaboration platforms.
The case studies below illustrate how common exploits are and their cybersecurity importance:
Stuxnet
Widely attributed to US and Israeli intelligence agencies, Stuxnet was discovered in 2010 after targeting Iran's uranium enrichment facility at Natanz. It exploited several previously unknown Windows vulnerabilities, including the LNK shortcut flaw that let it spread via USB drives, to reach air-gapped engineering workstations. From there it attacked the Siemens industrial control software, modifying the programmable logic controllers that drove the centrifuges so that they ran outside safe parameters and physically damaged themselves while reporting normal readings to operators.
RSA
In 2011, security firm RSA suffered a zero-day attack that compromised data relating to its SecurID two-factor authentication tokens, used by corporate and government clients worldwide. The attackers, attributed to a Chinese state-sponsored group, exploited a then-unpatched flaw in Adobe Flash (CVE-2011-0609).
The initial access was a phishing email carrying an Excel attachment with an embedded Flash object. Opening the spreadsheet triggered the exploit, which installed a remote-access trojan (a Poison Ivy variant). The attackers then moved laterally and escalated privileges until they reached the systems holding SecurID seed data. Stolen seed material was later used in attacks against RSA's defence-sector customers, turning a single document into a compromise of a two-factor authentication product.
Zerologon
In 2020, security researchers at Secura reported a cryptographic flaw (CVE-2020-1472) in the Netlogon Remote Protocol (MS-NRPC), a critical part of Active Directory authentication.
The Zerologon flaw, a faulty use of AES-CFB8 with an all-zero initialization vector, allowed an unauthenticated attacker with network access to a domain controller to authenticate as that domain controller and reset its machine-account password, handing over control of the entire domain. It was assigned the maximum CVSS score of 10.0. Microsoft released a patch in August 2020 and followed it with an enforcement phase in February 2021 that rejects insecure Netlogon connections. Public exploit code appeared within weeks of the September 2020 technical disclosure and was used against unpatched domain controllers; we don't know how many networks were affected.
Kaseya Virtual Systems Administrator (VSA)
VSA is a remote monitoring and management tool used heavily by managed service providers to administer their customers' endpoints from a central server. Unfortunately, in July 2021 the REvil ransomware group exploited zero-day vulnerabilities in on-premises VSA servers.
The Kaseya zero-day attack chained several vulnerabilities, including an authentication bypass (CVE-2021-30116) alongside SQL injection and XSS flaws in the VSA web application. Having taken over the VSA server, the attackers used its own agent-management channel to push the ransomware to every managed endpoint disguised as a VSA agent hot-fix, so the malicious payload arrived through a trusted update mechanism and was very hard to distinguish from legitimate administration.
Because each compromised VSA server managed endpoints for many customers, the zero-day attack became a supply chain attack, affecting an estimated 1,500 downstream organizations, from dentists to supermarkets. Many paid ransoms to recover their systems, while Coop Sweden had to close around 800 stores when its checkout systems went down.

Tips to prevent zero-day attacks
Zero-day attacks compromise confidential data, enable network infiltration, and result in devastating secondary ransomware infections. Organizations must do everything possible to identify and mitigate exploits via a comprehensive vulnerability management plan.
Scan apps for vulnerable code
Static application security testing (SAST) analyzes source code for dangerous patterns, dynamic testing (DAST) probes the running application with crafted inputs, and interactive testing (IAST) instruments the application to watch how tainted data flows through it. Together they find many of the bug classes zero-day attackers rely on, such as injection flaws and unsafe memory handling.
Scanning works well against familiar bug classes and known weaknesses. However, it is not enough. Scanners find what they have rules for, so companies still face the threat of genuinely novel zero-day vulnerabilities. They must also act on scan results quickly, fixing the code and redeploying the affected assets, rather than letting findings sit in a backlog.
Adopt comprehensive patch management
Updating apps is critical in the fight against zero-day exploits, and obtaining the latest patches is the most important aspect of any vulnerability management strategy.
Automated patch management tools detect new updates when they become available and roll them out on a schedule. Automation removes the dependence on someone remembering to check, which closes the gap between a patch being published and being applied. Maintain an asset inventory documenting installed products and versions, and tap into threat intelligence based on CVE feeds. Matching the two gives you a rapid heads-up when a new vulnerability affects something you actually run.
Remember: vendors do not always make patches available soon after identifying exploits. The gap between identifying weaknesses and delivering patches is critical. Additional precautions are essential.
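The inventory-versus-advisory matching described above can be a small script. The following is an added example, not code from the original article or from any vendor's tool: it compares installed versions against advisories, treats an advisory with no fix version as an unpatched (zero-day) exposure that needs a workaround rather than a patch, and orders the findings so those come first. The product names, advisory IDs, versions and scores are all constructed for the example; real advisory feeds carry CVE IDs and often more complex version ranges than the single "fixed in" boundary used here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: Optional[str]  # None means the vendor has not shipped a patch yet
    cvss: float


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only, e.g. '9.5.0.22' -> (9, 5, 0, 22)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, advisory: Advisory) -> bool:
    """An install is affected if no fix exists or it is older than the fix."""
    if advisory.fixed_in is None:
        return True
    return parse_version(installed) < parse_version(advisory.fixed_in)


def triage(inventory: dict, advisories: list, cvss_threshold: float = 7.0) -> list:
    """Match every (host, product, version) against every advisory.

    Returns a list of finding dicts, unpatched exposures first, then by
    descending CVSS, so the top of the list is what to act on today.
    """
    findings = []
    for host, products in inventory.items():
        for product, version in products.items():
            for adv in advisories:
                if adv.product != product or not is_affected(version, adv):
                    continue
                if adv.fixed_in is None:
                    action = "no patch available: apply vendor workaround, restrict exposure, monitor"
                elif adv.cvss >= cvss_threshold:
                    action = f"patch urgently to {adv.fixed_in}"
                else:
                    action = f"schedule upgrade to {adv.fixed_in}"
                findings.append({
                    "host": host,
                    "product": product,
                    "installed": version,
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss,
                    "action": action,
                })
    # Unpatched (zero-day) exposures first, then highest severity first.
    findings.sort(key=lambda f: (f["action"].startswith("no patch") is False, -f["cvss"]))
    return findings


# Constructed sample inventory and advisory feed (hypothetical products and IDs).
SAMPLE_INVENTORY = {
    "web-01": {"acme-cms": "4.2.1", "openlibz": "1.0.9"},
    "db-01": {"openlibz": "1.1.0"},
}
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "acme-cms", "4.2.3", 9.8),
    Advisory("ADV-0002", "openlibz", "1.1.0", 5.3),
    Advisory("ADV-0003", "acme-cms", None, 8.1),   # disclosed, no patch yet
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(finding)
```

Note that db-01 is not reported: its openlibz 1.1.0 is exactly the fixed version, so the strict less-than comparison correctly treats it as patched.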
Use input validation to block malicious code
Input validation ensures that an application only accepts data it expects: the right type, length, format, and range, checked against an allowlist of what is acceptable rather than a blocklist of known-bad strings. Because many zero-day exploits arrive as malformed input (a crafted file, an oversized field, a request the developer never anticipated), strict validation at trust boundaries removes whole classes of attack surface even when the underlying bug has not been found yet.
For example, a file upload handler can check that a claimed PDF really begins with the PDF header, stays under a size limit, and does not contain active content the application has no reason to accept. For database access, the equivalent control is to never build SQL by concatenating user input: parameterized queries keep data and code separate, so SQL injection is prevented by design rather than by trying to recognize suspicious strings.
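Both controls in the paragraph above, shown side by side in an added example that is not code from the original article: a deliberately injectable query built by string formatting next to its parameterized replacement, an allowlist check for the username field, and a structural check for uploaded PDFs. The SQLite database, user records, and PDF byte strings are all constructed inline for the demonstration; the list of forbidden PDF keys is a policy choice assumed for this example, not a standard.

```python
import re
import sqlite3

# --- Database setup (constructed sample data) ---------------------------------

def make_db() -> sqlite3.Connection:
    """In-memory users table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


# --- SQL: vulnerable versus parameterized -------------------------------------

def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver binds the value, so it can never become SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- Allowlist validation for a username field --------------------------------

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> str:
    """Accept only the characters and length a username may have; reject the rest."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


# --- Structural validation for an uploaded PDF --------------------------------

MAX_PDF_BYTES = 10 * 1024 * 1024
# Policy choice for this example: no active content in uploaded documents.
FORBIDDEN_PDF_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def validate_pdf_upload(data: bytes) -> bool:
    """True only for a size-bounded file that looks like a plain PDF."""
    if len(data) > MAX_PDF_BYTES:
        return False
    if not data.startswith(b"%PDF-"):          # magic bytes, not the file extension
        return False
    if b"%%EOF" not in data[-1024:]:           # trailer must be near the end
        return False
    if any(key in data for key in FORBIDDEN_PDF_KEYS):
        return False
    return True


# Constructed sample uploads.
GOOD_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SCRIPTED_PDF = b"%PDF-1.7\n1 0 obj << /Type /Action /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"
DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"%%EOF\n"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(conn, payload))   # every row leaks
    print("safe:  ", lookup_user_safe(conn, payload))     # no such user
    print("pdf checks:", validate_pdf_upload(GOOD_PDF),
          validate_pdf_upload(SCRIPTED_PDF), validate_pdf_upload(DISGUISED_EXE))
```

The allowlist check and the parameterized query are complementary, not alternatives: validation rejects input that makes no sense for the field, while parameterization guarantees that whatever does get through is treated as data.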
Guard against exploits with download protection
Remember that many of the zero-day attacks described above relied on delivering a malicious file or payload to reach the vulnerable code. Preventing that delivery cuts the link between attacker and vulnerability, even when no patch is available.
Download protection tools help here. They scan files arriving from websites, app marketplaces, and email attachments, and they draw on threat intelligence feeds carrying the latest malware signatures, including payloads linked to active exploits. They will not catch a truly novel payload, so pair them with behavioural detection and the input validation and patching controls above.
Collaborate with security partners to improve detection and responses
Defeating zero-day attacks is a team effort. Fortunately, companies are cooperating to pool knowledge about active exploits and reduce the time between detection and responses. For example, the Zero Day Initiative shares exploit data with affected vendors, making incident response far more efficient.

Don't allow attackers to exploit your weak spots
Zero-day attacks can affect all organizations and applications. Attackers investigate the code of all internet-facing apps, seeking vulnerabilities and planning assaults. Block their activities with a comprehensive vulnerability management strategy, using download protection, input validation, threat intelligence, and automated patch delivery.