Zero-Day (0day) Exploit: Identification & Vulnerability Examples

Published on 12 December 2022 12:00 AM

🍿 7 min. read

This post thumbnail

The term "zero day" shows that the vendor or developer has just informed about the vulnerability, and they have "zero days" to fix it, because the vulnerability has already been exploited. The words zero-day and or 0-day can be used in the context of a vulnerability, attack, exploit, or malware.

What is a Zero-Day Exploit?

Zero-day exploit is exploitation of a software security vulnerability for a subsequent cyberattack. And this security flaw is known only to attackers, which means that vendors and software developers have no idea about its existence and do not have a patch to fix it.

How Do 0day Exploits Work?

When hackers discover a previously unknown vulnerability, they develop code to exploit a particular vulnerability or chain of vulnerabilities, which can then be packaged into malware. The code, when executed, can compromise the target system and reach the attacker's goal.

Once the attackers discover a zero-day vulnerability, the next step is to gain access to the target system. One of the most popular methods is social engineering using phishing - attackers pass off their messages as messages from legitimate senders, forcing them to open a malicious email and follow the instructions in it. A malicious email may contain malicious attachments or links that contain exploits. These malicious payloads are executed after the user interacts with them.

When a vulnerability becomes known, the vendor tries to fix it as soon as possible to prevent further cyberattacks. However, discovering a zero-day vulnerability can take a significant amount of time: days, weeks or even months before a patch is released to fix the vulnerability.

Zero-Day Exploit Examples

Here are some of the most famous examples of zero-day exploits:

Stuxnet: 2010

One of the most famous examples of zero-day exploits was Stuxnet. Stuxnet worm that used 4 zero-day vulnerabilities with zero-day exploits on Windows systems. First discovered in 2010, but whose roots go back to 2005, this malicious computer worm affected production computers running with programmable logic controller (PLC). The main target was Iran's uranium enrichment plants to disrupt the country's nuclear program. The attackers' goals were successfully completed.

Sony: 2014

Sony Pictures was the victim of a zero-day exploit in late 2014. The attack damaged Sony's network and led to the publication of confidential corporate data on file sharing sites. The compromised data included information about upcoming films, business plans, and personal email addresses of Sony's top executives.

WannaCry: 2017

The most famous example is the WannaCry ransomware epidemic in 2017. WannaCry exploited the SMB (Server Message Block) zero-day vulnerability in Windows operating systems. At the beginning of these attacks, zero-day vulnerabilities were exploited, but despite the rapid release of updates, users continued to ignore and report new infections.

Zoom: 2020

A vulnerability has been discovered in a popular video conferencing platform. In this example of a zero-day attack, hackers gained remote access to a user's computer if it was running an older version of Windows. If the target is an administrator, a hacker can take full possession of their machine and gain access to all the host's sensitive data.

Updates from Google Chrome and Microsoft: -

Every second Tuesday of every month, Microsoft releases massive updates that often include zero-day vulnerabilities. Microsoft does not provide a detailed technical description in its updates, but sometimes it mentions that this or that vulnerability has already started to be exploited in the wild.

Likewise, updates for Google Chrome, which are steadily released every month. Such updates often contain similar explanations.

Who are the Victims of Zero-Day Exploits?

The targets of zero-day exploits for subsequent operation can be operating systems, web browsers, applications, hardware and even IoT or modern cars.

After all, anyone using a hacked system can fall victim to a zero-day exploit, including:

  • regular users
  • companies and businesses of any scale
  • government

Even if attackers don't target specific individuals, a large number of users can still be affected by zero-day attacks, usually as collateral damage. Non-targeted attacks are aimed at capturing as many users as possible, which means that any user's data can be affected.

How to Detect Zero-Day Exploits

zero-day exploit detection

Since zero-day vulnerabilities can be anything - popular protocols, authorization mechanisms, incorrect algorithms or encryption and so on - they are always a challenge for security teams to detect. Because of these types of vulnerabilities, information about zero-day exploits is only available after the exploit has been identified. However, there are several ways to detect unknown vulnerabilities and exploits for them. It is recommended to use an integrated approach, since at this stage of technology development it is impossible to 100% detect the exploitation of non-day vulnerabilities.

Block Exploit-like Behavior

Analysis of user behavior when interacting with software to detect malicious activity. For example, if an unprivileged user tries to run a process or software with higher privileges, this is an indirect indication that a privilege escalation exploit has been used on the target system. That is, behavioral detection attempts to identify and block behavior that is not expected.

Block Exploit-derived Malware

Existing malware databases can help block exploit-derived malware. Zero-day exploits are, by definition, new and unknown, which is why it is impossible to rely entirely on malware databases. Also, it is recommended to keep track of Threat Intelligence reports about new threats. Threat Intelligence information often contains information about the latest malware trends that use exploits and more.

Uncover Hidden Threats

Machine learning is used to detect hidden threats based on already discovered exploits and known threats. Also, machine learning helps to analyze the safe behavior of the system based on data on previous and current interactions.

Additionally, EDR based security solutions can help with their generic detection rules. For example, if the system processes started network interaction with a suspicious or malicious network resource. Or if the system started using unexpected software.

How to Avoid Zero-Day Exploits and Vulnerabilities

While we may not always be able to detect these vulnerabilities, we can protect our devices and data in case an exploit does occur.

Browser Isolation

Opening a suspicious or malicious attachment in an email requires interaction with code from unreliable sources, which allows you to execute exploit on the target system and achieve the hackers' goals. Browser isolation allows you to separate browser activity from user hosts and networks so that potentially malicious code is not run on the target device.

Firewall

Firewall is a security system that monitors and controls incoming and outgoing network traffic based on security policies. The firewall is located between internal or trusted networks and the Internet to protect against threats, block malicious traffic and prevent sensitive information from leaving the network. By controlling traffic, a firewall can block traffic that targets zero-day vulnerabilities, followed by the use of zero-day exploits.

How Vulners Can Help Against 0day Exploits?

The speed of obtaining information when external signs appear (news, report, social media, darknet, etc.) of the presence of a 0day vulnerability. Such information is accompanied by the fact that hackers are using a previously unknown vulnerability to compromise hosts.

Due to the high risk of zero-day vulnerabilities and their consequences, it is important to carefully monitor new security updates and timely fix discovered vulnerabilities on your systems. For this purpose, the continuously updated Vulners database will help. When a software vendor releases a new update, the Vulners database contains the appropriate information with a list of required packages for installation. To do this, you can sign up for a free subscription indicating your software and make decisions in a timely manner. Also, with Vulners it is possible to create your own patch management process and be up-to-date.

Conclusion

Zero-day exploits are one of the most dangerous threats in cybersecurity. By definition, this is a category of threats that is very difficult to prepare for, but it is possible. The approach to protection against zero-day exploits should be comprehensive and the Vulners service can become one of the elements of your protection against such threats. As world practice shows, to protect against the most urgent cyber threats, it is important to be in the trend, follow the news and be up-to-date.

FAQ

Are zero-day exploits rare?

Not a binary answer. As a rule, it is always possible to find a 0day exploit for a popular product on the dark web at a high cost. If there is no 0day exploit, then for the APT attack, hackers perform deep research to find the 0day vulnerability and create exploits for it.

How zero-day exploits are found?

Exploitation of 0day vulnerabilities can be detected in many ways, but they are all non-trivial: behavioral detection, investigation of the attack that happened, patterns of behavior, information from the darknet, etc.

What is the most famous zero-day exploit?

Stuxnet worm is one of the most famous malware which used 4 0day vulnerabilities → 0day exploits.

What is a 1day exploit?

The 1-day exploit is an exploit based on checking patched versions of software to determine which vulnerabilities are actually patched vulnerabilities.