What is a zero-day exploit?
by Tina Siering
Zero-day exploit - the definition
This form of exploit is named after the lack of warning time for developers: they have zero days to find a fix for a vulnerability that criminals are already exploiting. By the time developers become aware of the vulnerability in their system, cyberattacks are already running through that gap.
In many cases, cyberattacks are also the way developers discover such zero-day gaps. A second possibility is that so-called white-hat hackers find the vulnerability and inform the developer directly. White-hat hackers are people who actively search for gaps in software but do not use the vulnerabilities they find for criminal activities; instead, they report them to the developers.
The three different zero-day terms
In the beginning, there is the zero-day vulnerability. This is a vulnerability in software or hardware that is not yet known to the manufacturer. Consequently, no patch is available to close the gap. Accordingly, all products in which the component containing the vulnerability is integrated are affected.
The zero-day vulnerability becomes an exploit when attackers have discovered the gap, know how to exploit it, and have found an attack vector to compromise third-party systems. A specific attack that uses such an exploit is then called a zero-day attack.
Why are zero-day exploits so dangerous?
The danger of these exploits is based on the defenselessness of the targets. On the one hand, attacks through this particular attack vector are unknown; on the other hand, all systems are vulnerable because there is no patch for the vulnerability from the developer yet.
Accordingly, a race against time begins for the developers with the first zero-day attack. The task is to identify the vulnerability as quickly as possible, find out how the attackers trick the system, and then close the vulnerability with a patch.
Zero-day security vulnerabilities pose another danger as well: Hacker groups that have knowledge of such a vulnerability and exploit it to their advantage have a vested interest in keeping this attack vector secret for as long as possible. Even when a successful cyberattack is discovered, it is often not clear at first glance which route the attackers took. It is the task of IT forensics to uncover the gateway and the specific modus operandi of the attackers. In the course of such investigations, it sometimes happens that IT forensic experts identify a previously unknown gap in a system.
The danger of these vulnerabilities is multiplied by the fact that all users of an affected system are potential victims. In the case of known gaps that have been closed by the developer via patches, the potential victim group is minimized very quickly. All IT managers who keep their systems up-to-date and apply security patches promptly are safe from such attacks. In the case of zero-day security vulnerabilities, on the other hand, there is no protection through patches.
Even if the zero-day vulnerability has already been made public by the developer, there is an increased risk until a patch is available. If companies deploy an affected piece of software or hardware, their options are limited. Securing the vulnerable system is usually not possible unless a workaround is available. Then the only option is to temporarily shut down the affected system. If this is a business-critical platform, this disrupts the company's operations. However, continued operation carries the risk that a cyberattack can be launched at any time.
What kind of attacks are possible via zero-day vulnerabilities?
Another factor that makes zero-day attacks so dangerous is the broad spectrum of possible cyberattacks. Basically, it is impossible to predict which attack techniques and consequences are imminent, because zero-day gaps vary widely. In some cases, the gaps are located in critical areas of the network infrastructure; in others, only very specific program components are affected. Accordingly, a zero-day vulnerability may allow access to specific data in a closed system such as a database. It is equally possible that a zero-day attack allows the attackers to take control of the network or deliver arbitrary malicious software. Thus, attacks with ransomware, including the encryption of data in the network and extortion, are also among the likely scenarios. Completely inconspicuous at first glance, but equally dangerous, are zero-day gaps that criminals exploit for espionage. Attackers may then have unnoticed access to internal data. In practice, this state has lasted for weeks or even months.
Who is exploiting zero-day vulnerabilities for cyberattacks?
This question also cannot be answered in a generalized way. The entire spectrum is represented here, from common criminals and actors with economic interests to state institutions.
In addition, there are marketplaces for such vulnerabilities on the darknet. Here, skilled hackers meet financially powerful buyers who have a wide variety of goals. The hackers earn enormous sums and have great skill in finding such loopholes. Intelligence agencies and the military also buy information about such zero-day vulnerabilities in order to prepare for a cyberwar or to actively infiltrate networks.
Accordingly, attackers use zero-day exploits in different ways. Zero-day attacks are used, for example, in the context of espionage: attackers steal internal information from companies and other organizations, often undetected over a long period of time. States infiltrate the networks of other countries to spy on them or to lay access points for launching full-scale attacks in the event of a cyberwar. Classic cybercriminals, on the other hand, primarily try to gain control of networks or deploy malware such as ransomware in the compromised systems.
Examples of zero-day attacks
Unfortunately, zero-day vulnerabilities are not uncommon. In recent years, such incidents have occurred time and again. The companies affected include the giants of the IT industry, which shows that such gaps can potentially be found in any system.
For example, in early 2021, a zero-day vulnerability was identified in the Chrome browser. On January 24, the vulnerability became public knowledge. It took until February 4 for developers to update the browser to close the vulnerability.
The Log4Shell vulnerability, which was discovered in December 2021, gained notoriety. It is particularly serious because all versions since 2013 are affected and the vulnerable logging library is part of numerous systems. Since some very old hardware and software carry the vulnerability, it is unlikely that updates will be released for all systems. The vulnerability therefore remains open on these affected platforms.
What defenses are available against zero-day exploits?
Fortunately, companies and IT managers of networks are not completely defenseless against zero-day attacks. It is true that there are no official patches that protect against such zero-day vulnerabilities, and antivirus software and similar programs also offer no protection against the actual attacks, because the attack patterns are unknown. However, modern IT security technology has some tools up its sleeve that can detect zero-day attacks.
An important defense against such attacks from unknown directions and unpredictable vectors are systems for early attack detection. Such solutions have since become a significant part of IT security. Early attack detection is based on software that actively monitors all activities on the network in real time. This includes user logins, connection IP addresses, data transfers and many other actions. The software draws on log data, such as that recorded by databases, routers and other systems. With the help of artificial intelligence, these programs learn what activities are normal in a network. They then detect unusual accesses that do not match the learned normal behavior. This is where early attack detection shows its strength against zero-day attacks, because it does not depend on knowing the attack pattern in advance.
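To make the baseline-and-deviation idea concrete, here is an added example (not secion's software or any product code) that learns per-user normal behavior from constructed log lines and flags logins that deviate in source IP, time of day or transfer volume. The log format, the user names and the statistical thresholds are assumptions for the illustration; a real system would learn far richer models, but the principle of detecting what is unusual rather than what is known-bad is the same.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data): "<ISO time> user=<u> src=<ip> bytes=<n>"
BASELINE_LOGS = """\
2024-03-04T09:02:11 user=alice src=10.0.1.15 bytes=1200
2024-03-04T09:40:53 user=alice src=10.0.1.15 bytes=3400
2024-03-05T10:12:07 user=alice src=10.0.1.22 bytes=2100
2024-03-04T08:55:31 user=bob src=10.0.2.8 bytes=800
2024-03-05T17:20:45 user=bob src=10.0.2.8 bytes=1500
2024-03-06T11:03:19 user=bob src=10.0.2.8 bytes=950
""".splitlines()

LINE_RE = re.compile(r"^(\S+)T(\d\d):\d\d:\d\d user=(\S+) src=(\S+) bytes=(\d+)$")

def parse(line):
    """Turn one log line into a dict; the format is an assumption of this example."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    _date, hour, user, src, nbytes = m.groups()
    return {"user": user, "hour": int(hour), "src": src, "bytes": int(nbytes)}

def build_baseline(lines):
    """Learn per-user normal behaviour: known source IPs, active hours, transfer sizes."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set(), "sizes": []})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["hour"])
        b["sizes"].append(ev["bytes"])
    return base

def score(event, baseline, k=3.0):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown user"]
    reasons = []
    if event["src"] not in b["srcs"]:
        reasons.append("new source IP")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not (lo - 1 <= event["hour"] <= hi + 1):   # allow one hour of slack
        reasons.append("unusual hour")
    mu, sigma = mean(b["sizes"]), pstdev(b["sizes"])
    if event["bytes"] > mu + k * max(sigma, 1.0):  # k-sigma rule, floor avoids zero spread
        reasons.append("transfer volume far above baseline")
    return reasons

def detect(lines, baseline):
    """Map each new log line to its anomaly reasons so an analyst can triage them."""
    return {line: score(parse(line), baseline) for line in lines}
```

Note that a night-time login from a never-seen address moving a thousand times the usual data is flagged without any signature of the exploit that produced it; that is exactly what makes this approach applicable to zero-day attacks.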
The Active Cyber Defense Service (ACD) from secion is such a service solution. secion provides this service via the network, so local installation or changes to the systems are not necessary. secion's ACD service monitors all systems within a network, from databases to authentication services to IoT devices at the edge of the network, and reports identified anomalies. If necessary, the secion analyst team immediately informs the responsible IT security staff of the company concerned. In this way, attacks can be detected almost in real time, before any damage is done, and without the need for large investments in the company's own IT department.
There are also a number of organizational measures that companies and IT managers can take in response to the threats posed by zero-day attacks. These are measures that belong to a comprehensive IT security strategy anyway. First and foremost is a backup system. The backup must be up-to-date, which requires making regular backups, and there should be at least two separate backup systems. With a full backup, systems can be restored after a ransomware attack that has encrypted data.
The second measure is to structure the network so that cyberattacks have only a local impact. This is a good defense technique especially against a zero-day attack: a zero-day vulnerability is located in a specific system, such as a piece of software, and if that system is operated in an isolated area, the extent of an attack is limited as well. Suitable measures include virtual servers, containers and role-based access control.
Conclusion on zero-day exploits
Vulnerabilities in software are one of the biggest challenges for IT security, and zero-day gaps are a notch more dangerous still. Even with a perfect update routine and an optimally trained workforce, it is impossible for IT managers to anticipate and thus prevent zero-day attacks. For this reason, additional mechanisms are needed to act as quickly as possible in the event of such an attack and limit the damage. This requires active measures such as a system for early attack detection and appropriate structuring of the network. These methods can significantly reduce the threat posed by zero-day attacks.