A zero-day vulnerability is a software flaw that can potentially be abused in different ways and is unknown to the affected software vendor. The term ‘zero-day attack’ refers to a vulnerability that is both exploited in the wild and unknown to the vendor, who therefore has “zero days” to fix it.
A zero-day vulnerability is considered the most effective infection method, since it is less likely to trigger an operating-system security warning and depends less on the user’s lack of awareness. Other attack vectors, such as phishing emails, require user interaction, be it opening an attachment or clicking a link. In contrast, a zero-day exploit abuses a flaw in the operating system or an application to infect the target machine.
Private zero-day vulnerabilities are known only to their discoverer and whoever they have been shared with. These are mostly held by elite cyber-espionage groups, usually state-sponsored. Though they pose a major security risk, they are not very widespread, since their owners want to keep them from being discovered.
When a zero-day vulnerability becomes public – through a leak, a security researcher’s publication, or a disclosure – it is no longer private. However, a newly exposed zero-day vulnerability still poses a threat, and in many cases represents more of a risk than a private one. Once it is exposed, even if the vendor has already patched it, a race against the clock starts between attackers building exploits for the vulnerability and the vendor’s users who need to apply the fix. This window of time gives attackers an opening to abuse the vulnerability while it is still present on unpatched systems. This situation is known as a one-day or N-day attack.
One of the most famous cases of a zero-day vulnerability actively exploited in the wild is EternalBlue. In April 2017 the Shadow Brokers, a threat group known for leaking hacking tools and exploits of the United States National Security Agency (NSA), leaked an exploit for a vulnerability in the Microsoft Server Message Block (SMB) protocol (CVE-2017-0144). The vulnerability is exploited by sending crafted packets to a vulnerable machine, which lets the attacker execute arbitrary code remotely on the compromised system.
The consequences of this leak were the massive ransomware campaigns of May to August 2017, which included malware such as WannaCry, Petya, NotPetya, and more. Even though the vulnerability abused by the leaked EternalBlue exploit had been patched one month before the leak, it still played a major part in some of the most widespread malware campaigns of all time, because of the massive number of machines worldwide that remained unpatched.
A more recent example occurred in August 2020, when Microsoft released a patch for a severe Netlogon Remote Protocol (MS-NRPC) vulnerability discovered and published by the Dutch security company Secura.
The vulnerability, known as Zerologon (CVE-2020-1472), allows an unauthenticated attacker to access the domain admin account. Due to a flaw in the authentication protocol, sending crafted authentication requests to a domain controller leads to the attacker gaining complete control over the environment.
Two months after the patch release, and one month after Secura’s researchers published the technical details of the vulnerability, the Ryuk ransomware operation began exploiting Zerologon in a massive campaign targeting unpatched systems en masse.
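The N-day window described above (fix available, exploit public, host still unpatched) is what a patch-management team needs to measure per host. The following added example, not part of the original article, classifies each host in a constructed inventory against a vulnerability timeline and computes how many days it has been exposed to N-day exploitation; the host names are hypothetical, and the EternalBlue and Zerologon dates approximate the article’s month-level narrative.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class VulnTimeline:
    cve: str
    patch_released: Optional[date]  # None -> vendor has no fix yet (true zero-day)
    exploit_public: Optional[date]  # None -> no exploit known to be public

@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]      # None -> fix never applied

def classify(host: Host, vuln: VulnTimeline, today: date) -> str:
    """Exposure class of one host for one vulnerability, as of 'today'."""
    if vuln.patch_released is None or vuln.patch_released > today:
        return "zero-day"          # nothing to apply; only mitigation/detection helps
    if host.patched_on is not None and host.patched_on <= today:
        return "patched"
    if vuln.exploit_public is not None and vuln.exploit_public <= today:
        return "n-day"             # fix exists AND exploit is public: top priority
    return "unpatched"             # fix exists, exploit not yet public

def exposure_days(host: Host, vuln: VulnTimeline, today: date) -> int:
    """Days the host was/is attackable by N-day exploits: from public exploit
    availability until the host was patched (or until today if still open)."""
    if vuln.exploit_public is None or vuln.exploit_public > today:
        return 0
    patched = host.patched_on is not None and host.patched_on <= today
    end = host.patched_on if patched else today
    return max(0, (end - vuln.exploit_public).days)

# Constructed timelines; dates approximate the article's month-level narrative
# (patch roughly one month before the EternalBlue leak / Secura write-up).
ETERNALBLUE = VulnTimeline("CVE-2017-0144", date(2017, 3, 14), date(2017, 4, 14))
ZEROLOGON = VulnTimeline("CVE-2020-1472", date(2020, 8, 11), date(2020, 9, 11))

# Constructed sample inventory with hypothetical host names.
HOSTS = [Host("fs01", date(2017, 3, 20)), Host("ws-legacy", None)]

def report(hosts, vuln, today):
    """Return [(host, class, exposure_days)] with N-day hosts first, longest exposure first."""
    rows = [(h.name, classify(h, vuln, today), exposure_days(h, vuln, today)) for h in hosts]
    return sorted(rows, key=lambda r: (r[1] != "n-day", -r[2]))

if __name__ == "__main__":
    for row in report(HOSTS, ETERNALBLUE, date(2017, 5, 12)):  # day WannaCry spread
        print(*row)
```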
Defending against zero-day and N-Day attacks requires an alert and agile approach that includes:
Zero-day attacks, though uncommon, can have destructive consequences for an organization. N-day attacks exploiting known vulnerabilities are far more common and, while they can cause severe damage, are much easier to defend against. By keeping up with recent updates and cybersecurity news, and by consistently patching vulnerable systems, companies can greatly strengthen their protection against zero-day attacks.