What is a zero day?
Zero-day attacks: invisible risks for every company
Why unknown security vulnerabilities are so dangerous
Zero-day vulnerabilities are the nightmares of IT security – attacks before a patch exists. Companies are hit without warning: data loss, business interruption, reputational damage. It is precisely because zero-days remain undetected that prevention is crucial.
How you can better protect your company
- Lack of transparency about potential security gaps
- Delayed patch processes and incomplete updates
- Lack of threat intelligence and attack detection
- Insufficient employee awareness of phishing risks
The question: How can you protect your company from zero-day attacks when threats are not yet known?
A zero-day (0-day) is an unpatched vulnerability that is unknown to the developers of software, hardware or firmware. “Zero-day” means that the affected parties have zero days to prepare for or defend against the attack because they are not yet aware of the vulnerability. Zero-day exploits are often traded on the black market or used by criminal hackers to exploit the vulnerability.
In general, the term zero-day refers to two things:
- Zero-day vulnerabilities: A vulnerability, e.g. in an operating system, that is unknown to the developer and to anti-virus software.
- Zero-day exploits: A cyber attack that takes advantage of a zero-day vulnerability. Zero-day exploits can be used to install various types of malware, steal sensitive data or credit card numbers and cause data breaches.
The name zero-day is derived from the number of days a patch for the vulnerability has been available: zero.
What are the risks of zero-day vulnerabilities?
Zero-day threats pose a significant risk to cyber security as they are unknown to the person responsible for fixing the vulnerability and may already be exploited.
BlueKeep (CVE-2019-0708), for example, is a remote code execution vulnerability that affects around one million systems (as of May 29, 2019) with older versions of Microsoft operating systems.
This zero-day vulnerability made headlines during Microsoft’s Patch Tuesday in May 2019 as it is wormable.
This means that successful cyberattacks using BlueKeep can spread in a similar way to the WannaCry EternalBlue exploit.
Microsoft considered BlueKeep such a major threat to information and cyber security that it released patches even for unsupported operating systems that are no longer sold.
BlueKeep can be detected within minutes using tools such as Masscan and Zmap, which scan large parts of the internet, making it trivial for attackers to find vulnerable systems.
What makes a vulnerability a zero-day vulnerability?
Normally, security researchers find potential vulnerabilities in software programs, notify the software company to fix the security risk and, after a certain period of time, make it public via CVE.
Google’s Project Zero, for example, gives vendors up to 90 days to close a vulnerability before publishing it. A period of seven days is granted for vulnerabilities classified as critical, and actively exploited vulnerabilities can be made public immediately.
This window gives most vendors enough time to fix the vulnerability and distribute a software update (patch) to their users.
And it generally works. Potential attackers need time to find out how they can best exploit the vulnerability.
However, there are situations where the discoverer chooses not to notify the software manufacturer and antivirus vendors.
Zero-day vulnerabilities and exploit codes are extremely valuable, not only to cybercriminals, but also to state actors who can use them to launch cyberattacks against hostile states.
What are common zero-day attack vectors?
Which attack vector is used in a zero-day attack depends on the type of zero-day vulnerability.
When users visit fraudulent websites, malicious code on the website can sometimes exploit zero-day vulnerabilities in web browsers such as Internet Explorer or Chrome.
Another common attack vector for exploiting zero-day vulnerabilities is email. Cybercriminals use email spoofing, phishing or spear phishing to deliver attachments or links that the victim must open before the malicious payload executes.
The danger of zero-day attacks is that their attack vector is unknown and usually remains undetected by threat intelligence and security software.
Who are the typical targets of zero-day attacks?
- Government agencies
- Large companies
- Individuals with access to valuable business data or intellectual property
- Groups of individuals with vulnerable systems, such as an outdated Android or Linux device
- Hardware devices and their firmware
- Internet of Things (IoT) devices
- Enemies of the state
What are examples of zero-day attacks?
WannaCry: A ransomware worm exploited EternalBlue – a vulnerability in old versions of Windows with an outdated SMB protocol. The NSA discovered the vulnerability months before WannaCry, but did not publicize it. Cybercriminals stole EternalBlue and used it for WannaCry. WannaCry spread to hundreds of thousands of computers before Microsoft released a patch.
Stuxnet: A malicious computer worm that was first discovered in 2010 and is believed to have been in development since at least 2005. Stuxnet targeted SCADA systems at Iran’s Natanz uranium facility. The worm used five zero-day vulnerabilities to spread and bypass access controls. One vulnerability was patched, but many computers were not updated.
RSA: In 2011, attackers used an unpatched vulnerability in Adobe Flash Player to penetrate the network security of the security company RSA. The attackers used phishing and email spoofing to distribute infected Excel spreadsheets to small groups of RSA employees. The Excel files contained an embedded Flash file that exploited the zero-day vulnerability and installed the Remote Administration Tool (RAT) Poison Ivy. Once they had gained access, the attackers searched for sensitive data and transmitted it to their servers.
Operation Aurora: In 2009, suspected Chinese attackers gained unauthorized access to dozens of American companies, including Google, Adobe, Juniper Networks and Rackspace, by exploiting a zero-day vulnerability in several versions of Internet Explorer.
Sony Pictures: Sony Pictures fell victim to a zero-day malware attack at the end of 2014. The attackers exploited a vulnerability in the Server Message Block (SMB) protocol, and the breach led to a massive loss of data. Stolen material included upcoming movies, confidential business plans and personal e-mail addresses, as well as the addresses of important Sony executives. Data of this kind can be used directly for corporate espionage.
So the question must be – can I protect myself against this and if so, how?
I look forward to your questions!
Andreas Marreck
Key Account Consultant