Zero Day Vulnerability: What it is, and How it works
November 9, 2020 | Roei Amit
What is a Zero-Day Vulnerability?
A zero-day vulnerability is a software flaw that can be potentially abused in different ways, and is unknown to the targeted software vendor. The term ‘Zero-day Attack’ refers to a vulnerability that is both exploited in the wild and unknown to the target software vendor, and therefore the targeted vendor has “zero days” to fix it.
A zero-day vulnerability is considered the ultimate infection method since it is less likely to trigger an operating system security warning and less dependent on the user’s lack of awareness. Other attack vectors such as phishing email require user interaction, be it to download an email or click on a link. In contrast, a zero-day exploit would potentially abuse the operating system or a software flaw to infect a target machine.
Private zero-day vulnerabilities are only known to their discoverer and whoever it’s been shared with. These are mostly owned by elite cyber-espionage groups, usually state-sponsored. Though these are a major security risk, they are not very widespread since their owners would like to keep them from being discovered.
When a zero-day vulnerability is discovered publicly - either through a leak, a security researchers’ publication, or a disclosure – it is no longer private. However, a newly exposed zero-day vulnerability can still hold a threat, and in many cases represents more of a risk than a private one. Once it is exposed, even if it was already patched by the vendor, a race against the clock starts between attackers creating exploits for the vulnerability while the targeted vendor’s users that need to apply the fix. This window of time leaves an opening for attackers to abuse while the vulnerability is still available. This situation is known as a One-day or an N-day attack.
The Race Against the Clock
One of the most famous cases of an active zero-day vulnerability exploited in the wild is the case of EternalBlue. The Shadow Brokers, a threat group known for leaking hacking tools and exploits of the United States National Security Agency (NSA) had leaked in April 2017 an exploit for a vulnerability in the Microsoft Server Message Block protocol (CVE-2017-0144). The vulnerability is exploited by sending crafted packets to a vulnerable machine, which will result in the attacker executing arbitrary code remotely in the compromised system.
The consequences of these leaks were the massive ransomware campaigns of May to August 2017, which included malware such as WannaCry, Petya, NotPetya, and more. Even though the vulnerability that was abused by the leaked EternalBlue exploit was patched one month prior to the leak, it was still a major part of some of the most proliferating malware campaigns of all time, due to the massive number of machines worldwide that remained unpatched.
A more recent example occurred in August 2020, when Microsoft had released a patch for a severe Netlogon Remote Protocol (MS-NRPC) vulnerability, discovered and published by the Dutch security company Secura.
The vulnerability, known as Zerologon (CVE-2020-1472), allows an unauthenticated attacker to access the domain admin account. Due to a flaw in the authentication protocol, sending crafted authentication requests to will lead to the attacker gaining complete control over an environment.
Two months after the patch release and one month after Secura’s researchers published the technical details of the vulnerability, the Ryuk ransomware operation began exploiting Zerologon in a massive campaign, targeting unpatched systems en-mass.
How to Defend Against Zero-day Attacks
Defending against zero-day and N-Day attacks requires an alert and agile approach that includes:
- A multi-layered cybersecurity policy. Defending against zero-day exploits requires controlling every aspect of your network through up-to-date tools, such as firewalls and next-gen antivirus software, endpoint protection, authentication and identity management, SIEMs, and most importantly software patching. When developing your multi-layered approach keep your focus on prevention. Aside from the fact that it’s so much cheaper to prevent attacks rather than reacting to them, it keeps your systems cleaner and gives your SIEM tools a fighting chance against the latest exploits that do get through.
- Good cyber hygiene. Training employees for cybersecurity awareness at all ranks in the organization is a must. Every employee should know what to look out for in email communication and were to address suspicious links and attachments. This, along with a planned on-time software patching policy, could prevent attackers’ initial foothold and foil an infection.
Zero-day attacks, though uncommon, can potentially have destructive consequences to an organization. N-day attacks exploiting known vulnerabilities are much more common and while they can cause severe damage, are nevertheless much easier to defend against. By keeping up to date with recent updates and cybersecurity news, and consistently patching vulnerable systems, companies can amplify their protection from zero-day attacks.