Zero Day Attack

Zero Day attack exploits a previously unknown vulnerability in hardware or software. This is called a Zero Day vulnerability. The software developers have produced software, but are not aware that it contains a vulnerability of any kind. The threat actor identifies the vulnerability either before a developer is aware of it, or, before the developer has created a patch (or fix) to eliminate it. The threat actor designs and creates the exploit code while the vulnerability is still open and accessible. This code and the procedure that uses it is called a Zero Day exploit – it is the method that threat actors use to attack systems and software with the Zero Day vulnerability. The process of using the Zero Day exploit is called a Zero Day attack. 

Sometimes considerable time passes before the developer or the community at large becomes aware of an open vulnerability or relates the open vulnerability to recent attacks. This vulnerability is exploited and utilized by threat actor’s before any engineer can design a patch for the vulnerability. Once the patch is created and used, then the exploit is no longer a Zero Day. 

The dangers to users may exist long beyond the time that a patch is available. Many users may not be aware of the vulnerability. Many users that are aware of the vulnerability, may not have patched it. For these reasons, vulnerabilities may be dangerous to the exploit long after they have been discovered. 

Zero Day exploits which are new can often be sold by the discoverer. This often happens on the dark web. The dark web is a special place on the Internet which is only accessible using special browser software. Website owners and operators on the dark web can remain completely anonymous and virtually untraceable in support of both legal and illegal activities. 

Motivations for the investment to acquire Zero Day attacks include cyber warfare, corporate information theft, cybercriminals active for financial gain, and activist hackers (hacktivists). Hacktivists are motivated by social and political causes. Corporate information theft is driven by an attacker that wants to gain competitive advantage. Cybercriminals that are motivated by financial gain both steal and then sell information, may use this information for ransom, or may directly intercept and steal funds. Threat actors supporting cyber warfare seek to gain advantage which can be used in a possible future attack on an adversary’s information technology infrastructure. They may also seek to exfiltrate sensitive information and confidential data on other sensitive defense systems and infrastructure.

Zero Days attacks may be deployed against a wide array of information technology infrastructure. This can include web browsers, operating systems, application software of all types, hardware, firmware, and specialized devices such as Internet of Things devices. Target Zero Day attacks will focus on specific people or organizations. Other less targeted attacks may be deployed for illicit gain directly against groups of people and organizations using, for example, a specific browser. The purpose of the attack may be perhaps to gain illicit funds as in the case of ransomware, or to steal and divert funds directly through an attack on the application infrastructure in, for example, a point-of-sale network.

Zero Day attacks can be very difficult to identify. Usually they are identified in the wake of a successful cyberattack, or through the use of one or more security controls, that may discover unexpected command and control communications originating from within the target organization’s networks. Worse yet, are scenarios where data exfiltration or financial fund theft has been discovered, but the attribution to a specific cyberattack, let alone a cyberattack leveraging a Zero Day vulnerability, takes considerable time to uncover forensically. 

There are several ways that a Zero Day exploit might be identified. These include behavior-based monitoring, signature-based variant detection, statistics and analytics-based monitoring, and various approaches which use two or more of these methods. There are many malware databases that can detail the activities of existing malware, their interactions with the targeted systems and applications. This enables new tools such as advanced analytics, machine learning, and artificial intelligence to utilize this knowledge and other patterns of data to detect previously undetected variants which could be part of a Zero Day attack. 

In May 2022 Microsoft put out patches for over 70 software vulnerabilities including a Zero Day vulnerability that was identified as being exploited already by some users and organizations. It is important to note that of these vulnerabilities, perhaps 7 are identified as critical. Microsoft confirmed that a remote execution vulnerability in the Microsoft Windows Support Diagnostic Tools was apparently being exploited “in the wild” since at least April.  

Another example of a recent Zero Day vulnerability involved the Sophos XG firewall. Threat actors exploited an SQL injection vulnerability (CVE-2020-12271) to successfully attack the PostgreSQL database server of the firewall. This allowed them to potentially inject code into the database, changing firewall settings, installing malware, and more. 

In another example, the vulnerability in the Netlogon protocol (CVE-2020-1472) was identified by the security researchers. This CVE received a maximum Common Vulnerability Scoring System (CVSS) score of 10. This particular Zero Day vulnerability allowed an unauthenticated threat actor that obtains network access to a domain controller to start a Netlogon session which allowed them to gain domain administrator privileges. All that was required was to gain a connection with a domain controller, so this Zero Day could be particularly dangerous.

Earlier in 2019 Microsoft Internet Explorer was identified as having a vulnerability due to the way the IE scripting engine managed objects in memory. This Zero Day (CVE-2020-0674) impacted IE versions 9 through 11. Threat actors could exploit this vulnerability by prompting users to visit a website which was created to, in turn, exploit the vulnerability. This could be done by malicious link redirection or perhaps through the use of phishing email.

Microsoft notified users in 2020 of Zero Day attacks which were exploiting two particular vulnerabilities. The vulnerabilities impacted all supported versions of Windows and targeted remote code execution (RCE) vulnerabilities. These vulnerabilities were within the Adobe Type Manager (ATM) library, built into Windows, to manage PostScript Type 1 fonts. These weaknesses in the Adobe library allowed threat actors to use malicious documents to remotely execute scripts. These documents were delivered via MalSpam or users were socially engineered into downloading them directly. 

Mandiant Threat Intelligence noted in 2020 that they identified 80 Zero Day vulnerabilities and attacks “in the wild” which was more than double the record set in 2019 per their data. Beyond these Zero Day attacks were Chinese threat actors. Most seemed to be ransomware groups which utilized extortion to meet their financial goals. This massive increase in Zero Day exploitation impact just about every industry and most developed countries worldwide. 

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.