Zero-Day Vulnerability Exploits 101: A Glossary | ArcusTeam
Zero-Day Vulnerability Exploits 101
What is a Zero-Day Vulnerability?
A zero-day (0day) vulnerability is a flaw in software or hardware that the vendor does not yet know about, or knows about but has not yet patched, and that an attacker can weaponize. The name refers to how many days the vendor has had to produce a fix: zero. From the moment the flaw becomes known ("day zero"), it is a race against the clock for the vendor to ship a patch and for security teams to apply it before attackers exploit it.
Known vulnerabilities are documented in public repositories such as the National Vulnerability Database (NVD) and usually have a patch available. A 0day, by contrast, is one the vendor is unaware of, so no patch exists and most enterprises have no control in place that specifically prevents its exploitation. That is what makes 0days wild cards.
Once attackers have found a zero-day vulnerability, they try to leverage it to attack a system. The code or technique that does so is called a zero-day exploit.
What is a Zero-Day (0day) Exploit?
A zero-day exploit is code or a technique that attackers use to compromise systems affected by a zero-day (also called zero-hour) vulnerability.
When an organized cybercriminal group obtains a zero-day exploit, it aims the exploit at the highest-value targets and plans carefully when and how to use it. Every use risks detection, and detection leads to a patch, so sparing and deliberate use reduces the chance that the victim discovers the vulnerability and extends the useful life of the exploit.
Popular Targets for Zero-Day Exploits
The following are popular potential targets for zero-day exploits:
- Financial institutions
- Large enterprises
- Government organizations
- Medical institutions
- Firmware, hardware devices, and IoT
Even once a patch for a zero-day vulnerability exists, you are not home free. The patch has to be deployed to every affected system, and that rollout takes time. Attackers take advantage of the lag and keep attacking the systems that have not yet been patched until the rollout is complete.
A zero-day attack is the use of a zero-day exploit against systems affected by the vulnerability in order to damage them, steal data from them, or both.
Process of a Zero-Day Attack
The process for carrying out a zero-day attack usually consists of the following stages:
- Discover vulnerabilities: Attackers find zero-days by reviewing source code, reverse engineering binaries, or fuzzing popular applications until something breaks. Some attackers simply buy a vulnerability that someone else has found on the black market.
- Create exploit code: Attackers write code, often packaged into malware, that triggers the vulnerability and runs a payload of their choosing.
- Identify affected systems: Attackers use bots, scripts, or automated scanners to find systems that run the vulnerable software, firmware, or device.
- Plan the attack: Armed with a working exploit, attackers choose the most effective time and method to penetrate the affected systems.
- Infiltrate: Attackers deliver the exploit through the organization's perimeter (an exposed service, an email attachment, a malicious web page) or through employees' personal devices.
- Launch the exploit: The exploit runs against the vulnerable component and gives the attackers code execution or access. Only then do they move on to their actual objective on the compromised system.
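The attacker's "identify affected systems" step and the defender's patch-rollout problem above are the same question asked from two sides: which hosts run a version inside the affected range? The following is an added example, not ArcusTeam code; the inventory, the product name `exampled`, and the version bounds in `ADVISORY` are constructed, standing in for an asset database and a vendor advisory.

```python
"""Which hosts are still exposed to a published vulnerability?

Added example (not ArcusTeam code). The inventory, the product name
'exampled' and the affected/fixed versions are constructed for illustration;
in practice the inventory comes from your asset database and the version
bounds from the vendor advisory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    product: str
    first_affected: str   # lowest version that contains the bug
    fixed_in: str         # first version that contains the fix


def parse_version(text: str, width: int = 4) -> tuple:
    """'7.4.12' -> (7, 4, 12, 0). Numeric tuples compare correctly; plain
    strings do not ('7.4.9' > '7.4.12' lexically), which is a common source
    of false 'patched' verdicts. Missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_exposed(host: Host, advisory: Advisory) -> bool:
    """True if the host runs the advisory's product at a version in
    [first_affected, fixed_in). Other products are never a match."""
    if host.product != advisory.product:
        return False
    v = parse_version(host.version)
    return parse_version(advisory.first_affected) <= v < parse_version(advisory.fixed_in)


def exposed_hosts(inventory, advisory: Advisory) -> list:
    """Names of hosts that still need the patch, sorted for stable reporting."""
    return sorted(h.name for h in inventory if is_exposed(h, advisory))


# Constructed inventory: one patch rollout, partly complete.
INVENTORY = [
    Host("web-01", "exampled", "7.4.12"),    # affected, not yet patched
    Host("web-02", "exampled", "7.4.15"),    # patched
    Host("web-03", "exampled", "7.5.1"),     # newer than the fix
    Host("legacy-01", "exampled", "7.1.9"),  # predates the bug
    Host("iot-gw-01", "exampled", "7.3"),    # short version string, still affected
    Host("db-01", "otherd", "7.4.12"),       # different product, same version number
]
ADVISORY = Advisory(product="exampled", first_affected="7.2.0", fixed_in="7.4.15")

if __name__ == "__main__":
    for name in exposed_hosts(INVENTORY, ADVISORY):
        print(f"{name}: still exposed, needs {ADVISORY.product} >= {ADVISORY.fixed_in}")
```

One caveat a practitioner should keep in mind: a version string reported by a banner or package manager is evidence, not proof. Vendors and distributions sometimes backport a fix without bumping the visible version, and devices sometimes report the version of a different component than the vulnerable one, so treat the list as the set of hosts to verify first rather than a final verdict.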
Zero-Day Vulnerability Trends
Threat actors are increasingly exploiting bugs that are variants of vulnerabilities discovered and patched in the past. In 2020, Google's Project Zero, which tracks zero-days exploited in the wild, counted 24 such vulnerabilities. Six of the 24 (25%) were closely related to previously disclosed bugs: the earlier fix addressed the specific trigger that had been reported rather than the root cause, so attackers were able to reach the same flaw by a slightly different route and weaponize it again. Experts predict that this trend will continue unless vendors investigate the root cause of each vulnerability and invest in complete fixes rather than narrow ones.
In cases like these, EDGE by ArcusTeam identifies the inner components of such vulnerabilities and provides mitigation measures for preventing such devastating attacks.
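To make the incomplete-fix pattern described above concrete, here is an added illustration that is not ArcusTeam code and does not reproduce any of the vulnerabilities Project Zero counted. It uses a constructed path-traversal bug in a static-file handler: the first "patch" blocks the exact string from the original exploit, a URL-encoded variant walks straight past it, and the root-cause fix enforces the invariant that actually matters. The document root `DOCROOT`, the handler functions, and the payloads are all hypothetical.

```python
"""Why a narrow patch gets re-weaponized: incomplete fix vs root-cause fix.

Added illustration, not ArcusTeam code and not a reproduction of any of the
vulnerabilities Project Zero counted. The handler, document root and payloads
are constructed; the bug class (path traversal) stands in for any flaw whose
first patch blocked one trigger instead of the underlying condition.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www/static"  # hypothetical document root

# Constructed payloads. The variant reaches the same flaw through an
# encoding that the first patch never considered.
ORIGINAL_EXPLOIT = "../../../etc/passwd"
VARIANT_EXPLOIT = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"
BENIGN = "css/site.css"


def resolve_vulnerable(raw_path: str, base: str = DOCROOT) -> str:
    """Original handler: URL-decode, join under base, normalise.
    Nothing stops '..' from walking out of base."""
    return posixpath.normpath(posixpath.join(base, unquote(raw_path)))


def resolve_incomplete_fix(raw_path: str, base: str = DOCROOT) -> str:
    """The first 'patch': deny the literal string seen in the original exploit.
    It inspects the raw URL before decoding, so an encoded variant sails through."""
    if "../" in raw_path:
        raise PermissionError("path traversal detected")
    return resolve_vulnerable(raw_path, base)


def resolve_root_cause_fix(raw_path: str, base: str = DOCROOT) -> str:
    """Root-cause fix: compute the final path exactly as the file system will
    (after decoding and normalisation) and require that it stays under base.
    How '..' was spelled no longer matters."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, unquote(raw_path)))
    if posixpath.commonpath([base, candidate]) != base:
        raise PermissionError("resolved path escapes document root")
    return candidate


def outcome(handler, raw_path: str) -> str:
    """Resolved path on success, 'BLOCKED' if the handler refused."""
    try:
        return handler(raw_path)
    except PermissionError:
        return "BLOCKED"


def compare_handlers() -> dict:
    """Run every payload through every handler; the matrix tells the story."""
    handlers = {
        "vulnerable": resolve_vulnerable,
        "incomplete_fix": resolve_incomplete_fix,
        "root_cause_fix": resolve_root_cause_fix,
    }
    payloads = {"original": ORIGINAL_EXPLOIT, "variant": VARIANT_EXPLOIT, "benign": BENIGN}
    return {name: {label: outcome(fn, raw) for label, raw in payloads.items()}
            for name, fn in handlers.items()}


if __name__ == "__main__":
    for name, results in compare_handlers().items():
        print(f"{name:15s} {results}")
```

The point is not the encoding trick itself but the shape of the two fixes. The incomplete fix encodes an attacker's input as the thing to reject, so every new spelling of the same input is a new zero-day; the root-cause fix encodes the property the system must preserve, so variants fail for the same reason the original does.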
Examples of Recent Attacks
- Internet Explorer: In January 2020, Microsoft disclosed a zero-day in Internet Explorer (IE) that was already being exploited in the wild. The vulnerability (CVE-2020-0674) affected IE 9 through 11 and was a memory-corruption flaw in the way the scripting engine handles objects in memory. Attackers exploited it by luring IE users to a web page crafted to trigger the flaw.
- Sony Pictures: In 2014, Sony Pictures suffered a major breach in which personal information and unreleased content were leaked and entire corporate systems were wiped, causing millions of dollars in damage.
In the world of cybercrime, zero-day exploits are a hot commodity and often sell for astronomical prices. They trade in three markets:
- The black market: Dark-web forums and brokers where exploits are sold to criminals, who use them to steal and resell data (e.g., credit card information), deploy ransomware, or commit fraud.
- The white market: Bug bounty and coordinated-disclosure programs, where researchers report the vulnerabilities they find to the vendor, sometimes for a reward, so that a patch can be released.
- The grey market: Brokers who buy exploits and sell them to government, military, and intelligence customers for surveillance, espionage, and offensive operations, with no disclosure to the vendor.
How ArcusTeam can help Prevent these Attacks
ArcusTeam’s threat elimination platform, DeviceTotal, takes a proactive approach to vulnerability management, identifying both known and unknown vulnerabilities on connected devices. This capability allows DeviceTotal to identify potential zero-day vulnerabilities before threat actors find them. But DeviceTotal doesn’t stop with identification. It also provides automated mitigation for all identified vulnerabilities in connected devices, saving enterprises valuable manpower and resources on remediating vulnerabilities. DeviceTotal dives deep into the device's bill of materials (BoM) and the components involved in the attack to get to the root cause and ensure the vulnerability isn’t re-weaponized.
Instead of waiting for corporate network attacks to take place, ArcusTeam’s solution is predictive and preventative, implementing security measures that stop the attack from happening. ArcusTeam’s predictive solution gives enterprises the peace of mind that their networks are protected from both current and future attacks.