A zero-day attack exploits an unpatched vulnerability, and could significantly affect organizations using vulnerable systems. Until a patch becomes available, it is often a race between threat actors trying to exploit the flaw and vendors or developers rolling out a patch to fix it.
Here's an overview detailing what businesses need to know about zero-day vulnerabilities — what they are and how they work — so they can better mitigate the risks and the threats that exploit them.
A zero-day vulnerability is a flaw, weakness, or bug in software, firmware, or hardware that may have already been publicly disclosed but remains unpatched. Researchers may have already disclosed the vulnerability, and the vendor or developer may already be aware of the security issue, but an official patch or update that addresses it hasn’t been released.
The flaw is referred to as a “zero-day” vulnerability because the vendor or developer — and accordingly, the users and organizations whose systems are affected by the vulnerability — have only just learned of it. Once the vulnerability becomes public and the vendor or developer has deployed a patch for it, it becomes a known, or “n-day,” vulnerability.
When hackers or threat actors successfully develop and deploy proofs of concept (PoCs) or actual malware that exploits the vulnerability while the vendor is still working on rolling out a patch (or is sometimes still unaware of the vulnerability’s existence), it becomes a zero-day exploit or attack. While developers and vendors, as well as researchers and security experts, continuously invest time and effort in finding and fixing security flaws, so do threat actors. The result is an arms race between threat actors finding and trying to exploit a vulnerability and the vendors working to release a patch that fixes it.
Zero-day exploits aren’t only highly valued in legitimate bug bounty programs — with one even fetching up to US$2 million — they are also valuable in underground marketplaces. For threat actors, zero-day exploits are a boon because most security defenses are designed to handle known flaws. Attacks based on unknown and unpatched vulnerabilities can thus go unnoticed for a long time.
The success of a zero-day attack also depends on the organization’s “window of exposure,” or the time between the discovery of a vulnerability and the release (and installation) of a patch that fixes it. Even known vulnerabilities can have a lengthy window of exposure — whether due to the organization’s patch management policies or the level of difficulty in developing the patch. A longer window of exposure makes it more likely for an attack to remain undetected.
Threat actors use zero-day exploits in a number of ways:
During the peak of their activities, exploit kits were known to integrate zero-day exploits for Internet Explorer and Adobe Flash. Perhaps the most notorious example is Stuxnet, a worm that exploited several zero-day vulnerabilities and was mainly designed to affect components of an industrial control system (ICS). A series of attacks also resulted from the trove of exploits that The Shadow Brokers hacking group leaked. The most infamous of these was EternalBlue, which was used by the WannaCry and Petya/NotPetya ransomware families.
Other recent examples are the PoCs and exploit codes that the independent researcher, going by the handle SandboxEscaper, publicly released. These PoCs and exploits demonstrated how a (then) zero-day vulnerability in Windows 10’s Task Scheduler (CVE-2019-1069) can be taken advantage of to gain access to normally protected files. And if chained with other security flaws, the hacker can escalate privileges to hijack the vulnerable system.
A zero-day vulnerability poses significant security risks, with effects that mostly depend on the attack's intent. BlueKeep (CVE-2019-0708), a zero-day vulnerability in remote desktop services, made headlines in May due to its “wormability.” Successfully exploiting BlueKeep can enable malware to propagate, similar to the way WannaCry used the EternalBlue exploit. The risk BlueKeep posed was so significant that Microsoft even released patches for Windows 2003 and Windows XP, which were out-of-support and end-of-life operating systems.
Beyond the exposure of an organization’s sensitive data and mission-critical systems, businesses will also contend with marred reputations, financial losses, and penalties imposed by data privacy and patch management regulations.
Cybercriminals and threat actors can capitalize on the gap between the discovery and patch of a vulnerability — a gap that reportedly takes an organization around 69 days to close, on average. In a 2018 survey by the Ponemon Institute, 76% of organizations whose endpoints were successfully compromised attributed the compromise to attacks that used zero-day exploits. In today’s era of digital transformation, where newfangled technologies are constantly put together and integrated into existing (and sometimes outdated) ones, vulnerabilities are inevitably introduced into the systems that use them. In fact, zero-day attacks are predicted to increase from one per week to one per day in 2021.
Given their nature, zero-day attacks are inherently unpredictable and difficult to prepare for and defend against. This is especially true for organizations whose security measures are developed around known and already-patched flaws. A proactive, defense-in-depth approach, however, can help mitigate them.
Here are some of the other countermeasures that organizations can adopt to defend against zero-day attacks:
Virtual patching (also known as vulnerability shielding) is one of the mechanisms that can complement an organization’s existing security measures. It functions as a countermeasure against threats that exploit known and unknown vulnerabilities by implementing layers of security policies and rules that intercept an exploit from successfully taking paths to and from a vulnerability. This can buy organizations additional time, enabling their IT and system administrators to test official patches before they are applied.
Virtual patching also provides protection to IT infrastructures for which patches are no longer issued or are too expensive to update, such as legacy systems, end-of-support OSs, and internet-of-things (IoT) devices.
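As an added illustration of the shielding mechanism described above (example code written for this page, not code from the original article or from any Trend Micro product), here is a minimal Python model of a virtual patch placed in front of a hypothetical legacy file handler: the handler itself stays unmodified, and a rule layer intercepts requests that would otherwise reach the flaw, logging each block so the attempt is visible to detection. The web root, file names, client address and the flaw itself are all constructed for the example.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed in-memory "web root" standing in for a legacy file server
# that can no longer be patched (hypothetical, not a real product).
BASE_DIR = "/srv/legacy/public"
FILES = {
    "/srv/legacy/public/index.html": "<h1>welcome</h1>",
    "/srv/legacy/config/db.cfg": "password=hunter2",  # must never be served
}

@dataclass
class Request:
    path_param: str
    client: str = "203.0.113.5"  # constructed example address

def legacy_handler(req: Request) -> tuple:
    """Unpatched handler: joins user input onto the web root without
    checking that the result stays inside it (the constructed flaw)."""
    target = posixpath.normpath(posixpath.join(BASE_DIR, req.path_param))
    body = FILES.get(target)
    return (200, body) if body is not None else (404, "not found")

@dataclass
class VirtualPatch:
    """Shielding layer: rules run before a request reaches the handler.
    A matching request is blocked and logged; anything else passes through
    to the untouched legacy code, so the official patch can still be
    tested and rolled out on the organisation's own schedule."""
    rules: list
    events: list = field(default_factory=list)

    def handle(self, req: Request, handler) -> tuple:
        for name, matches in self.rules:
            if matches(req):
                self.events.append(f"blocked client={req.client} rule={name} "
                                   f"param={req.path_param!r}")
                return (403, "blocked by virtual patch")
        return handler(req)

def escapes_web_root(req: Request) -> bool:
    """The check the official patch would add, applied at the edge instead.
    Also catches absolute paths, since posixpath.join discards BASE_DIR
    when the parameter starts with '/'."""
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, req.path_param))
    return not resolved.startswith(BASE_DIR + "/")

SHIELD = VirtualPatch(rules=[("path-traversal-shield", escapes_web_root)])

def serve(param: str) -> tuple:
    """Entry point: every request goes through the shield first."""
    return SHIELD.handle(Request(param), legacy_handler)
```

The same pattern generalises to any rule that can be expressed on the request before it reaches vulnerable code, which is what lets a shield cover end-of-support systems the vendor will never patch.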
To learn more about zero-day vulnerabilities and exploits — what they are, how they work, and how to mitigate them — view our infographic, “Security 101: Zero-Day Vulnerabilities and Exploits.”
The Trend Micro™ Deep Security solution provides virtual patching that protects cloud workloads, servers, and containers from threats that exploit network-based vulnerabilities in critical applications, operating systems (Linux kernels, AIX, Solaris, and Windows including those in end-of-support status like Windows Server 2008 and Server 2003), and platforms like Docker and Kubernetes.
The Trend Micro Apex One™ security solution’s virtual patching delivers the timeliest vulnerability protection across a variety of endpoints, including point-of-sale (PoS), internet of things (IoT) devices, and systems with end-of-support (EoS) operating systems.
The Trend Micro™ Deep Discovery™ solution provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, customized sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.