In general, zero-day refers to two things:
- Zero-day vulnerabilities: A security hole, such as one in an operating system, that is unknown to its developer and antivirus software.
- Zero-day exploits: A cyber attack that takes advantage of a zero-day vulnerability. Zero-day exploits can be used to install different types of malware, steal sensitive data or credit card numbers and cause data breaches.
Zero day gets its name from the number of days that a patch has existed for the flaw: zero.
What are the risks of zero-day vulnerabilities?
Zero-day threats represent significant cybersecurity risk because they are unknown to the party who is responsible for patching the flaw and may already be being exploited.
For example, BlueKeep (CVE-2019-0708) is a remote code execution flaw that affects approximately one million systems (as of 29 May, 2019) running older versions of Microsoft operating systems.
This zero-day vulnerability made headlines during Microsoft's May 2019 Patch Tuesday due to its wormability.
Microsoft saw BlueKeep as such a large cyber threat to information security and cybersecurity that they released patches for out-of-support and end-of-life operating systems like Windows 2003 and Windows XP.
BlueKeep is easily discovered with tools like Masscan and Zmap scanning large parts of the Internet in minutes, making it trivial for attackers to find vulnerable systems.
What makes a vulnerability a zero-day vulnerability?
Ordinarily security researchers find potential vulnerabilities in software programs, notify the software company to patch the security risk and after a period of time disclose it to the public on CVE.
For example, Google's Project Zero gives vendors up to 90 days to patch a vulnerability before they disclose the flaw. That said, flaws deemed critical are given seven days to patch and actively exploited vulnerabilities may be publicly disclosed right away.
This is because most companies given time can fix the vulnerability and distribute a software update (patch) to fix it.
And generally this works. It takes potential attackers time to figure out the best way to exploit the vulnerability.
However, there are situations when the discoverer chooses not to notify the software vendor as well as antivirus vendors.
Zero-day vulnerabilities and exploit codes are extremely valuable, not just to cybercriminals, but to nation-state actors who can use them to launch cyber attacks on enemy states.
What are common zero-day attack vectors?
The attack vector used in a zero-day attack will depend on the type of zero-day vulnerability.
Sometimes, when users visit rogue websites, malicious code on the site can exploit zero-day vulnerabilities in web browsers like Internet Explorer or Chrome.
Another common attack vector to exploit zero-day vulnerabilities is email. Cybercriminals may use email spoofing, phishing or spear phishing to launch attacks that need to be opened by the victim to execute the malicious payload.
The danger of zero-day attacks is that their attack vector is unknown and typically undetected by threat intelligence and security software.
Who are the typical targets of zero-day attacks?
- Government agencies
- Large enterprises
- Individuals with access to valuable business data or intellectual property
- Groups of individuals with vulnerable systems such as an outdated Android or linux device
- Hardware devices and their firmware
- Internet of Things (IoT)
- Enemies of the state
What are examples of zero-day attacks?
- WannaCry: A ransomware computer worm that exploited EternalBlue, a software vulnerability in legacy versions of Microsoft Windows that used an outdated version of the Server Message Block (SMB) protocol. Security researchers at the National Security Agency (NSA) discovered the security hole months prior to Wannacry but chose not to disclose it to the public. EternalBlue was stolen by cybercriminals and used to create WannaCry which was able to spread to hundreds of thousands of machines before Microsoft could issue a security patch to close the exploit.
- Stuxnet: A malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targeted SCADA systems in Iran's uranium enrichment plant at Natanz and used five zero-day exploits to spread and bypass access control to systems. Though one of these vulnerabilities had been patched by Microsoft prior to the attack, the machines had not been kept up-to-date.
- RSA: In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to breach the network security of security company RSA. The attackers used phishing and email spoofing to spread infected Excel spreadsheets to small groups of RSA employees. The Excel files contained an embedded Flash file that exploited the zero-day vulnerability, installing the Poison Ivy remote administration tool (RAT). Once they gain access, the attackers searched for sensitive data and transmitted it to their servers.
- Operation Aurora: In 2009, attackers believed to be from China gained unauthorized access to dozens of American companies including Google, Adobe, Juniper Networks and Rackspace by exploiting a zero-day vulnerability found in several versions of Internet Explorer.
- Sony Pictures: Sony Pictures suffered from a zero-day malware attack in late 2014. The attackers exploited a vulnerability in Server Message Block (SMB) which led to a massive data breach of valuable corporate data that could be used for corporate espionage including forthcoming movies, business plans and personal email addresses of key Sony executives.
How UpGuard can help protect your organization from vulnerabilities
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.