What is a Zero-day

Zero-day. What it means.

A zero-day vulnerability is a security flaw in software that the affected enterprises and the software’s vendor don’t know about yet. Since nobody knows about the flaw, nobody has had a chance to fix it. Attackers can exploit it to compromise systems before the vendor releases a patch, so handling a zero-day is a race against time to find and fix the problem. Think of a zero-day as a hole in the fence around your house that you didn’t know was there, but a burglar does: burglars can sneak in easily until you discover and repair the hole.

A zero-day vulnerability, a zero-day exploit, and a zero-day attack are not the same thing. Here is the difference:

A zero-day vulnerability is a security gap that exists until it’s fixed. During the time it takes to develop, test, and release a patch, cyber-villains can exploit this gap. This period is critical because malware can be created quickly to take advantage of the flaw.

A zero-day exploit is the worst-case scenario where cyber-villains develop and use malicious code before a fix is available.

A zero-day attack happens when the cyber-villains use this exploit to target a vulnerable system, causing damage or stealing sensitive information.

How Cyber-Villains Perform Zero-day Attacks

  1. Finding Flaws: Hackers look for security flaws in software, either by writing code to find them or by using special tools. Sometimes, they buy information about these flaws from secret online markets.
  2. Making Malware: Once hackers find a flaw, they create malicious software to exploit it.
  3. Scanning for Targets: Hackers use automated tools to scan the internet and find IT networks with the vulnerability.
  4. Choosing Victims: In targeted attacks, hackers spend time planning the best way to break into specific organizations. For non-targeted attacks, they use bots or phishing emails to find as many vulnerable systems as possible.
  5. Breaking In: Hackers breach the network, getting past any security measures the organizations have in place.
  6. Launching the Attack: Finally, hackers launch a zero-day attack by running malicious code on the compromised system.

Life of a Zero-day

A zero-day vulnerability can go unnoticed for days, months, or even years until someone discovers it.

Once the flaw is found, it usually becomes public knowledge quickly. Companies and security experts tell customers so they can protect themselves. Hackers might share the flaw with each other, and researchers might learn about it by watching cybercriminal activity. Some companies might keep the flaw a secret until they have a fix ready, but this can be risky.

When a new zero-day flaw is discovered, it starts a race. Security experts work on creating a fix while hackers try to develop a way to exploit the flaw to break into systems. Once hackers create an exploit, they use it to launch cyberattacks.

Hackers often create exploits faster than security teams can develop patches. On average, exploits are available within 14 days of a flaw being disclosed. However, once zero-day attacks start, patches often follow within a few days because vendors use information from the attacks to identify and fix the flaw. While zero-day vulnerabilities are dangerous, hackers usually can’t exploit them for long.

Some Examples of a Zero-day Attack

Yahoo (August 2013)

The Yahoo attack in August 2013 remains one of the most significant zero-day incidents. Over 3 billion accounts were accessed by a hacking group in 2016. This breach impacted Yahoo’s ongoing deal with Verizon, which was negotiating to buy Yahoo at the time. Due to the breach’s severity, Yahoo agreed to a lower purchase price.

LinkedIn (June 2021)

In June 2021, LinkedIn reported a zero-day attack affecting 700 million users, over 90% of its user base. A hacker exploited the site’s API to scrape data. The hacker has since released data on about 500 million users and threatened to sell information on all 700 million affected accounts.

The UK’s National Cyber Security Centre cautions that the stolen data, which includes email addresses, phone numbers, geolocation records, genders, and social media details, could be used to create highly convincing social engineering attacks.

Stuxnet (2010)

One of the most notable zero-day attacks was Stuxnet. Discovered in 2010, but originating as far back as 2005, this malicious computer worm targeted manufacturing computers running programmable logic controller (PLC) software. Its main objective was to disrupt Iran’s nuclear program by infecting the PLCs in uranium enrichment plants.

Stuxnet exploited vulnerabilities in Siemens Step7 software, causing the PLCs to execute unexpected commands on assembly-line machinery. The story of Stuxnet was later made into a documentary called “Zero Days”.

How Many Zero-day Attacks Have Happened, You Ask?

Around 80-100 zero-day attacks have happened every year since 2020.

How to Prevent Zero-day Attacks?

Preventing zero-day attacks requires a mixed approach:

  • Patch Management: Regularly update software to fix security holes and protect against attacks.
  • Network Monitoring: Keep an eye on network activity to spot unusual behavior and potential threats early.
  • User Education: Teach employees how to identify and avoid phishing scams and other tricks hackers use.
  • Application Whitelisting: Only allow approved software to run, stopping unapproved programs from causing harm.
  • Endpoint Protection: Use strong antivirus and anti-malware tools to catch and block harmful software.
  • Zero-Day Threat Intelligence: Stay updated on new threats and vulnerabilities to be ready for the latest attacks.
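As an added example (not code from the original article), here is a small Python exposure tracker that ties the lifecycle described above (exploits typically appearing within about 14 days of disclosure) to the Patch Management and Zero-Day Threat Intelligence bullets: given a constructed asset inventory and a constructed list of advisories, it reports which hosts are still inside their exposure window and which have already passed the 14-day mark. Product names, versions and dates are placeholders, not real products or advisories.

```python
from dataclasses import dataclass
from datetime import date

# Disclosure-to-exploit lag cited in the article; after this many days assume exploitable.
EXPLOIT_LAG_DAYS = 14

@dataclass(frozen=True)
class Advisory:
    product: str
    disclosed: date
    fixed_version: tuple  # None while the vendor has no patch yet

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple

def parse_version(v: str) -> tuple:
    """'5.2.10' -> (5, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def exposure(asset: Asset, adv: Advisory, today: date):
    """None if the asset is unaffected, else a record describing its open window."""
    if asset.product != adv.product:
        return None
    if adv.fixed_version is not None and asset.version >= adv.fixed_version:
        return None  # already running the patched version
    days_open = (today - adv.disclosed).days
    return {
        "host": asset.host,
        "days_open": days_open,
        "patch_available": adv.fixed_version is not None,
        "exploit_likely": days_open >= EXPLOIT_LAG_DAYS,
    }

def exposed_assets(assets, advisories, today: date) -> list:
    """Every (asset, advisory) pair that is still inside its exposure window."""
    return [e for a in assets for adv in advisories if (e := exposure(a, adv, today))]

# Constructed sample inventory and advisories; product names are placeholders.
ADVISORIES = [
    Advisory("examplecorp-webapp", date(2024, 3, 1), parse_version("5.2.1")),
    Advisory("examplecorp-agent", date(2024, 3, 10), None),  # no patch shipped
]
ASSETS = [
    Asset("web-01", "examplecorp-webapp", parse_version("5.2.0")),
    Asset("web-02", "examplecorp-webapp", parse_version("5.2.1")),
    Asset("db-01", "examplecorp-agent", parse_version("1.0.3")),
]
```

Hosts flagged with `exploit_likely` and `patch_available` are the ones to patch first; hosts flagged `exploit_likely` with no patch are where the other bullets (monitoring, allowlisting, endpoint protection) have to carry the load.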

Conclusion

Zero-day vulnerabilities pose a significant challenge in cybersecurity because of their hidden nature and the urgent need for timely mitigation. These vulnerabilities are like unseen cracks in the foundation of software systems, unknown to developers but potentially exploitable by cyber attackers.

The rapid development of exploits and the subsequent attacks highlight the importance of vigilance, timely software updates, and robust security measures. To defend against zero-day threats, organizations must adopt a proactive and mixed approach, including patch management, continuous network monitoring, comprehensive user education, application whitelisting, strong endpoint protection, and staying informed about emerging threats through zero-day threat intelligence.