The majority of people associate zero-day vulnerabilities with black hat, criminal hackers. Government agencies all across the globe, on the other hand, are equally eager to get them, usually to use in surveillance or their own cyberattacks. In reality, the tremendous rivalry on both sides to be the first to know about zero-day vulnerabilities and how to exploit them has resulted in a booming black market.
But the truth is, even though they are associated with malicious activity, this is not always the case. Someone might be looking for 0-day vulnerabilities to make the internet safer. But let’s start from the beginning.
So, what exactly is a zero-day vulnerability? What makes them so risky? How are zero-day vulnerabilities used in the wild? And what can be done to reduce the damage?
Let’s hash it out.
What Is a Zero-Day Vulnerability?
A zero-day vulnerability is one that has been discovered but not yet fixed in a system or device. A zero-day exploit is one that makes use of a zero-day vulnerability. Zero-day vulnerabilities are more dangerous to consumers because they were found before security researchers and software developers were aware of them, and before they could provide a patch. There are two reasons for this:
- Cybercriminals rush to exploit these vulnerabilities to profit from their schemes.
- Vulnerable systems are exposed until the vendor issues a patch.
Zero-day vulnerabilities are used in most targeted attacks; nevertheless, many campaigns still rely on existing vulnerabilities.
If you are a bug bounty hunter, you have probably always dreamed about finding a 0-day vulnerability. Many bug bounty platforms pay big money for critical vulnerabilities, and finding a 0-day vulnerability in a component that the system uses might result in a big bounty. However, it is worth mentioning that many programs consider third-party components out of scope.
What Makes a Vulnerability a Zero-Day?
Unencrypted data, flawed algorithms, bugs, and weak passwords are only a few examples of software security weaknesses. A zero-day vulnerability exists when whoever is responsible for mitigating a security flaw is unaware of it, which means there is no official patch or update to remedy it. It is no longer considered a zero-day vulnerability after it is found.
Many known software weaknesses from the CWE list can lead to an unknown (to the public) vulnerability.
How Does a Zero-Day Attack Work?
You have probably heard in the media that one or another 0-day attack has led to a massive data leak. The Log4j library vulnerability was one of the biggest recent threats to a large number of systems.
You might also have heard about Stuxnet, an attack that dealt a heavy blow to Iran’s nuclear program. Allegedly, a zero-day vulnerability was used for the attack: the manufacturer had not fixed it fast enough, so the systems that were attacked were vulnerable.
Zero-day attacks start with zero-day vulnerabilities, that is, security faults or gaps in software. These can be caused by incorrect computer or security setups, as well as by programming mistakes made by developers.
The fundamental point of a zero-day attack is that cybercriminals take advantage of these flaws without the creators’ knowledge. To exploit these flaws, cybercriminals may write exploit code or purchase it on the dark web. When they do, it’s like putting out a welcome mat for a zero-day attack. Malware, sometimes known as zero-day malware or, more widely, a zero-day exploit, is frequently brought to the door by hackers.
They might do so by using social engineering or phishing techniques. The zero-day attack is launched once the zero-day exploit has been downloaded onto devices. The following are examples of the mayhem that can result:
- Stolen information
- Hackers gaining remote access to devices and systems
- Malware installed on critical systems
- Corrupted files
- Spam emails sent to the contact list accessed after the attack
- Deployed spyware that steals confidential information
- Data encrypted and held for ransom
Because zero-day exploits are inherently dreadful, it might take months or even years for them to be discovered. This is frequently the case when the aforementioned issues develop. However, in some circumstances, developers may be able to block or repair vulnerabilities before they cause too much damage.
In the simplest terms, a zero-day attack is similar to a criminal who discovers an unlocked store door and keeps coming back. They keep plundering the business through that unlocked entrance until the proprietor notices the fault, the unlocked door. And a company that faced a ransom demand to have its data decrypted can become a victim again if the vulnerability was not fixed.
Who Conducts the Zero-Day Attacks?
Usually, well-financed hacker groups are behind zero-day attacks. These groups might be backed by a government, or they might be criminal groups. After one successful attack that potentially resulted in millions of dollars of profit, the criminals have the money to buy the next 0-day vulnerability. And by using it, they can proceed with new ferocious attacks.
While software companies are always looking for ways to fix security issues (by using software updates, implementing security tools, and performing periodic security assessments), hackers are constantly looking for new ways to attack them. Cybercriminals come in many shapes and sizes, each with their own set of goals:
- Hacktivists are driven by a desire to raise awareness about a social or political problem. The most infamous hacktivist group is Anonymous.
- Some hackers spy on companies and perform acts of corporate espionage.
- Governments or individual hostile actors can destabilize a cybersecurity system as a form of warfare. For example, critical infrastructure might be hacked to make an impact.
Who Can Become Victims of These Attacks?
Zero-day exploitation is comparable to phishing and spear phishing in that there are both non-targeted and targeted intrusions. The former aims to affect as many victims as possible, whereas the latter targets specific, valuable victims.
Example no. 1: a ransomware group might have a specific zero-day vulnerability and try to find as many vulnerable systems as possible. Their main motive would be to encrypt the data of many companies before the 0-day vulnerability becomes known to the public.
Example no. 2: a government-backed squad of hackers might spend months, or even years, finding a zero-day vulnerability that is relevant to a specific company. The previously mentioned Stuxnet attack is an example of a targeted attack.
At the end of the day, everyone who uses a vulnerable system could become a victim:
- Organizations or businesses
- Public sector organizations
A zero-day vulnerability can pose major security concerns to regular computer users since exploit software can infect operating systems, web browsers, programs, open-source components, hardware, and even IoT devices via otherwise innocent online surfing activities. Viewing a website, reading a phishing email, or playing infected media are all examples of this.
Some of the Biggest 0-Days in 2021
Because cybercriminals are becoming more and more active, 2021 beat all records for the number of 0-days found. According to research by MIT Technology Review based on data from several sources, at least 66 zero-day vulnerabilities were discovered and exploited in 2021, nearly double the number documented the year before. It attributed the fast growth in such attacks to government-backed hackers. Despite the fact that such attacks have become more common, numerous cybersecurity experts say the news isn’t all bad. They went on to say that as the number of attacks has risen, so has the ability to detect and halt them before they cause significant damage.
We will cover some of the infamous vulnerabilities newly discovered in 2021.
Some critical remote code execution vulnerabilities were found in Microsoft Exchange Server. According to Microsoft, DHS, and CISA, attackers were able to access email accounts, exfiltrate data, move laterally in target environments, and install additional access mechanisms and malware to get long-term access to victim networks. These flaws were targeted and exploited as a zero-day (or 0day), meaning they were discovered and exploited before the vendor was aware of them. To put it another way, before the weakness was exploited in an attack, the vendor had 0 days to fix it. These weaknesses are part of a chain of vulnerabilities that allow an attacker to inject code into Exchange Offline Address Book (OAB) service resources.
Malicious attackers were exploiting the Log4j vulnerability to remotely execute code on affected machines. Businesses and online portals frequently use Log4j, an open source logging package for Java. This open source software was in the headlines at the end of 2021 due to several security flaws. As the Log4j logging library is used in many commercial and open-source systems, it caused serious concern in the IT community.
In the past couple of years Zoom has gained great popularity. After remote work became common, the number of people using Zoom skyrocketed. Soon after that, many security flaws were detected in the software. Even though they were fixed, one zero-day was detected in Zoom last year.
It was discovered during the Pwn2Own hacking contest. The ethical hackers that found it were rewarded with 200 000 USD.
Even though Apple’s products are of extremely high quality, even the biggest ones can be vulnerable. But as Apple has a bug bounty program and pays a lot of attention to cybersecurity, critical vulnerabilities are rare. In 2021 a vulnerability was found in Apple’s iOS software that might potentially end in the compromise of smartphones from a remote location.
How to Detect a Zero-Day Vulnerability
By definition, zero-day exploits are undetectable since they lack fixes or antivirus signatures. There are, however, a variety of techniques for discovering previously unknown software problems.
If you are a bug bounty hunter, a zero-day vulnerability is a vulnerability that you found before anyone else did.
But even if you are just trying to understand how to protect your system, this advice might help you find unknown security weaknesses.
Some zero-day security flaws can be detected via vulnerability scanning. When it comes to security scanning, there are different types:
- SAST – the source code is audited with a scanner
- DAST – the application is audited from the external perspective, knowing only the hostname
- IAST – a compromise between DAST and SAST scanning. It is considered grey-box testing, as an agent has to be installed on the server that you are testing
Businesses can use vulnerability scanning tools to identify security flaws in the software code, assess the application from the external perspective, and hunt for new vulnerabilities that may have been introduced because of a lack of software updates. This strategy will not catch all zero-day exploits. Even for those it detects, scanning alone is inadequate to avoid an attack: businesses must act on the scan’s results, perform code reviews, and sanitize their code. In reality, most companies take a long time to respond to newly disclosed vulnerabilities, but attackers may take advantage of a zero-day vulnerability in seconds.
Fuzzing is another way. It involves feeding a program a huge amount of random data. The attacker then examines the program’s response. Overloading might result in crashes or odd behavior, which can reveal problems. Finally, the attacker develops code to replicate the behavior that caused the defect, which is how the exploit is made.
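
The same technique applied defensively to your own code, as an added example that is not part of the original article: a small mutation fuzzer run against a toy record parser with a planted bounds bug, then against the fixed parser. The record format and all function names are hypothetical.

```python
import random

def make_record(payload: bytes) -> bytes:
    """Build a valid toy record: [length][payload][checksum]."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])

def parse_record(data: bytes) -> bytes:
    """Toy parser with a planted bug: it trusts the length byte."""
    if not data:
        raise ValueError("empty input")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]  # IndexError when the buffer is shorter than n + 2
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the missing bounds check added."""
    if not data or len(data) < data[0] + 2:
        raise ValueError("truncated record")
    return parse_record(data)

def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, truncate or insert a byte."""
    buf = bytearray(sample)
    op = rng.choice(("overwrite", "truncate", "insert"))
    if op == "overwrite":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "truncate":
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(parser, iterations: int = 500, seed: int = 1) -> list:
    """Return (exception name, input) for every unexpected exception."""
    rng = random.Random(seed)
    valid = make_record(b"hello")
    crashes = []
    for _ in range(iterations):
        case = mutate(valid, rng)
        try:
            parser(case)
        except ValueError:
            continue  # clean rejection of malformed input: expected
        except Exception as exc:  # anything else is a bug worth triaging
            crashes.append((type(exc).__name__, case))
    return crashes

if __name__ == "__main__":
    found = fuzz(parse_record)
    print(len(found), "crashing inputs, shortest:", min((c for _, c in found), key=len))
    print("crashes after the fix:", len(fuzz(parse_record_fixed)))
```

The fixed seed makes every run reproducible, so a crashing input can be replayed while the bounds check is being written and verified.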
Deploying a honeypot is one way to find a zero-day. However, technically you will be trying to catch a zero-day that is already known to someone. How does it work, you might wonder? Well, let’s say you start a Linux server and leave it exposed to the internet. You install various monitoring tools, and you periodically check the logs. When a new 0-day is exploited in the wild, you might notice that your server acts weird, and in the logs you might see some interesting requests that indicate exploitation of one component or another. After further investigation you might realize that you were hacked with a previously unknown vulnerability.
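
One way to do the periodic log check described above, as an added example that is not part of the original article: build a baseline from a quiet period and flag requests that deviate from it, without relying on any known signature. The log lines are constructed samples in combined log format, and the thresholds are assumptions.

```python
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample data (documentation IP ranges), not real traffic.
BASELINE = [
    '192.0.2.10 - - [01/Mar/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Mar/2022:10:05:42 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2022:11:15:09 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.68.0"',
]
NEW = [
    '192.0.2.10 - - [02/Mar/2022:09:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Mar/2022:09:14:31 +0000] "POST /cgi-bin/status?q=%ff%ff%00AAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 500 0 "-" "-"',
    'garbage line that does not parse',
]

def parse(line: str):
    """Return the named fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def build_baseline(lines):
    """Summarise what normal traffic looked like during the quiet period."""
    entries = [e for e in map(parse, lines) if e]
    return {
        "requests": {(e["method"], e["uri"].split("?")[0]) for e in entries},
        "max_uri": max(len(e["uri"]) for e in entries),
        "agents": {e["ua"] for e in entries},
    }

def triage(lines, baseline):
    """Return (line, reasons) for every request that deviates from the baseline."""
    findings = []
    for line in lines:
        e = parse(line)
        if e is None:
            findings.append((line, ["unparseable line"]))
            continue
        reasons = []
        if (e["method"], e["uri"].split("?")[0]) not in baseline["requests"]:
            reasons.append("method/path not seen in baseline")
        if len(e["uri"]) > 2 * baseline["max_uri"]:  # assumed threshold
            reasons.append("URI far longer than baseline")
        if e["ua"] not in baseline["agents"]:
            reasons.append("new user agent")
        if e["status"].startswith("5"):
            reasons.append("server error response")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(NEW, build_baseline(BASELINE)):
        print(reasons, "<-", line[:60])
```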
I Found a Previously Unknown Vulnerability – Now What?
Never, ever exploit it for your personal gain.
This is not only unethical, but is even considered illegal activity. You might cause significant damage, especially if you do not fully understand the potential impact of the vulnerability.
There is a very clear line between ethical and unethical hackers in this matter. If you are an ethical hacker, your goal is to make the internet world safer. Getting paid for your contribution is a recognition that you might not always get. The companies you report vulnerabilities to might ignore them, or think that they are not a big deal. But you should not get demotivated and run to the bad guys with your exploit.
What you should do:
- Report it to the company in whose product you found it.
- If you are afraid of exposing your name, you can alternatively report it anonymously to companies such as Zerodium.
- Publicly disclose information about it only if you have permission.
What you shouldn’t do:
- Sell it to anyone, except the organizations buying zero-days for a good cause. If you are seeking financial gain, you should report your finding to one of the companies mentioned in the following paragraph. Selling it on the darknet might have devastating consequences.
- Discuss the vulnerability with anyone else before reporting it. Information might leak, and harm could be done.
How to Sell Zero-Days in a Legal Way?
There are a couple of big and reliable players that are buying zero-days:
Zerodium pays massive amounts of money for zero-days. The bounty can go up to 2 500 000 dollars per submission. Eligible vulnerabilities are mostly remote code execution, local privilege escalation, VM escape, or information disclosure (if it is found in email servers). These vulnerabilities can be found in a variety of products: operating systems, web browsers, clients/files, mobile devices, web or email servers, web apps, WiFi devices, routers, etc.
Another platform you can sell 0-days to is the Zero Day Initiative. This initiative is owned by Trend Micro. It is designed to encourage security researchers to properly disclose vulnerabilities rather than selling them on the black market. Its goal is to build a large community of vulnerability researchers who can find security flaws before hackers do and notify software manufacturers. There are no publicly announced rewards that you can get for vulnerabilities. The program works like this: you submit a vulnerability, and then you get a valuation from the Zero Day Initiative. You can then accept the offer, and if you do, you will get paid. But if you don’t, your finding remains your property.
How to Avoid Experiencing a Cyberattack
Zero-day vulnerabilities are difficult to defend against since they come without warning. Often these attacks are performed on high-profile targets. However, by following basic security best practices and having a backup plan in place, you can help mitigate the possible impact.
Always deploy fixes as quickly as possible, as this will reduce the time a system is vulnerable. If you follow these guidelines, your chance of becoming a victim of a zero-day attack will be as low as feasible.
We can secure our devices and data in the case of an attack, even if we can’t always discover these flaws. Consider these security procedures, both proactive and reactive.
- Keep your software up to date to guarantee that security fixes are installed and the danger of malware infiltration is minimized.
- Keep your apps to a minimum since the less you download, the less data you risk losing.
- Monitor and prevent suspicious activities, such as zero-day exploits, through a firewall.
- Become knowledgeable about zero-day exploits and look for remedies when they are revealed.
- Antivirus software should be used to guard against both known and unknown threats.
Deploying a web application firewall (WAF) on the network edge is one of the most effective techniques to avoid zero-day attacks. A WAF examines all incoming traffic and filters out harmful inputs that might be used to exploit security flaws. Additionally, runtime application self-protection (RASP) is the most recent innovation in the battle against zero-day attacks. RASP agents reside inside applications, evaluating request payloads in the context of the application code during runtime to decide if a request is legitimate or malicious, allowing apps to protect themselves.
Input Validation and Sanitization Is Also Very Important
Many of the challenges that come with vulnerability detection and patch administration may be solved with input validation. It doesn’t leave businesses vulnerable while they patch systems or sanitize code, which can take a long time. It is run by security specialists and is considerably more adaptable, allowing it to react to emerging threats in real time.
Input validation might not protect against every potential zero-day, but it can ensure that the system is used as intended. For example, if only numbers are allowed in an input field, entering letters might crash the system. In the worst case, it might even lead to vulnerabilities such as SQL injection. However, it is important to keep in mind that even if input validation is in place, the code could still be vulnerable. In this case, if an attacker finds a vulnerability, they can try to bypass the validation. This is where sanitization comes in, another important thing to keep in mind. User input that reaches the server should be sanitized before it is passed to the database or to any other place.
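
The numeric-field case above, as an added example that is not part of the original article: the same lookup written with raw input spliced into the SQL text and again with validation plus a bound parameter. Note that the second layer shown here is parameter binding rather than string sanitization; the table, the sample rows and the function names are hypothetical.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db

def lookup_unsafe(db, raw: str) -> list:
    # Vulnerable on purpose: the raw field value becomes part of the SQL text.
    return db.execute("SELECT id, owner FROM orders WHERE id = " + raw).fetchall()

def validate_order_id(raw: str) -> int:
    """Validation: accept only 1 to 9 ASCII digits, reject everything else."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("order id must be 1 to 9 digits")
    return int(raw)

def lookup_safe(db, raw: str) -> list:
    order_id = validate_order_id(raw)
    # Second layer: the value is bound as a parameter, never spliced into SQL.
    return db.execute("SELECT id, owner FROM orders WHERE id = ?",
                      (order_id,)).fetchall()

def outcome(lookup, db, raw: str):
    """Return the rows, or the name of the exception the lookup raised."""
    try:
        return lookup(db, raw)
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    # Letters crash the unsafe query; a crafted value returns every row.
    for raw in ("2", "abc", "2 OR 1=1"):
        print(repr(raw), outcome(lookup_unsafe, db, raw), outcome(lookup_safe, db, raw))
```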
Patch Management Will Let You Sleep Better at Night
Another technique is to distribute software updates for newly found software vulnerabilities as quickly as feasible. While this will not prevent zero-day attacks, if patches and software upgrades are done quickly, the chances of an attack will be greatly reduced. However, there are reasons why security fixes might be delayed:
It takes time for software providers to identify vulnerabilities, create a fix, and disseminate it to consumers.
The fix may also take some time to apply to organizational systems. The longer this activity takes, the more likely a zero-day attack will occur.
As we all know, a zero-day assault is a major issue for not just software companies and developers, but also people and even governments, as hackers might get access to critical data. Finding a zero-day vulnerability is difficult yet necessary. One may defend one’s systems and reduce the chance of a zero-day attack by following the aforementioned security and preventive guidelines.
Highly passionate about cyber security (penetration testing, bug bounty hunting, cybersecurity in general), and blogging. I am experienced in vulnerability assessments, penetration testing, and various security audits, and have worked with various clients, most of them in the finance sector. Currently a holder of CompTIA Security+, CEH, CEH Practical, and CEH Master certificates.