In general, zero-day refers to two things:
- Zero-day vulnerabilities: A security hole, such as one in an operating system, that is unknown to its developer and antivirus software.
- Zero-day exploits: A cyber attack that takes advantage of a zero-day vulnerability. Zero-day exploits can be used to install different types of malware, steal sensitive data or credit card numbers and cause data breaches.
Zero day gets its name from the number of days that a patch has existed for the flaw: zero.
What are The Risks of Zero-Day Vulnerabilities?
For example, BlueKeep (CVE-2019-0708) is a remote code execution flaw that affects approximately one million systems (as of 29 May, 2019) running older versions of Microsoft operating systems.
This zero-day vulnerability made headlines during Microsoft's May 2019 Patch Tuesday due to its wormability.
Microsoft saw BlueKeep as such a large cyber threat to information security and cybersecurity that they released patches for out-of-support and end-of-life operating systems like Windows 2003 and Windows XP.
BlueKeep is easily discovered with tools like Masscan and Zmap scanning large parts of the Internet in minutes, making it trivial for attackers to find vulnerable systems.
What Makes a Vulnerability a Zero-Day Vulnerability?
Ordinarily security researchers find potential vulnerabilities in software programs, notify the software company to patch the security risk and after a period of time disclose it to the public on CVE.
For example, Google's Project Zero gives vendors up to 90 days to patch a vulnerability before they disclose the flaw. That said, flaws deemed critical are given seven days to patch and actively exploited vulnerabilities may be publicly disclosed right away.
This is because most companies given time can fix the vulnerability and distribute a software update (patch) to fix it.
And generally this works. It takes potential attackers time to figure out the best way to exploit the vulnerability.
However, there are situations when the discoverer chooses not to notify the software vendor as well as antivirus vendors.
Zero-day vulnerabilities and exploit codes are extremely valuable, not just to cybercriminals, but to nation-state actors who can use them to launch cyber attacks on enemy states.
What are Common Zero-Day Attack Vectors?
The attack vector used in a zero-day attack will depend on the type of zero-day vulnerability.
Sometimes, when users visit rogue websites, malicious code on the site can exploit zero-day vulnerabilities in web browsers like Internet Explorer or Chrome.
Another common attack vector to exploit zero-day vulnerabilities is email. Cybercriminals may use email spoofing, phishing or spear phishing to launch attacks that need to be opened by the victim to execute the malicious payload.
The danger of zero-day attacks is that their attack vector is unknown and typically undetected by threat intelligence and security software.
Who are the Typical Targets of Zero-Day Attacks?
- Government agencies
- Large enterprises
- Individuals with access to valuable business data or intellectual property
- Groups of individuals with vulnerable systems such as an outdated Android or linux device
- Hardware devices and their firmware
- Internet of Things (IoT)
- Enemies of the state
What are Examples of Zero-Day Attacks?
- WannaCry: A ransomware computer worm that exploited EternalBlue, a software vulnerability in legacy versions of Microsoft Windows that used an outdated version of the Server Message Block (SMB) protocol. Security researchers at the National Security Agency (NSA) discovered the security hole months prior to Wannacry but chose not to disclose it to the public. EternalBlue was stolen by cybercriminals and used to create WannaCry which was able to spread to hundreds of thousands of machines before Microsoft could issue a security patch to close the exploit.
- Stuxnet: A malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targeted SCADA systems in Iran's uranium enrichment plant at Natanz and used five zero-day exploits to spread and bypass access control to systems. Though one of these vulnerabilities had been patched by Microsoft prior to the attack, the machines had not been kept up-to-date.
- RSA: In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to breach the network security of security company RSA. The attackers used phishing and email spoofing to spread infected Excel spreadsheets to small groups of RSA employees. The Excel files contained an embedded Flash file that exploited the zero-day vulnerability, installing the Poison Ivy remote administration tool (RAT). Once they gain access, the attackers searched for sensitive data and transmitted it to their servers.
- Operation Aurora: In 2009, attackers believed to be from China gained unauthorized access to dozens of American companies including Google, Adobe, Juniper Networks and Rackspace by exploiting a zero-day vulnerability found in several versions of Internet Explorer.
- Sony Pictures: Sony Pictures suffered from a zero-day malware attack in late 2014. The attackers exploited a vulnerability in Server Message Block (SMB) which led to a massive data breach of valuable corporate data that could be used for corporate espionage including forthcoming movies, business plans and personal email addresses of key Sony executives.