Zero Day

What is a Zero-Day Vulnerability?

A zero-day vulnerability is a software vulnerability that is discovered by hackers or digital adversaries before it is known to the software vendor or the public. The term “zero-day” refers to the fact that the software vendor has had zero days to fix the vulnerability since it was discovered or exploited by attackers.

Digital adversaries can exploit zero-day vulnerabilities to launch targeted cyber attacks against specific organizations or individuals. These attacks are relatively likely to succeed because they target previously-unknown vulnerabilities for which no patches or fixes are yet available. Digital adversaries may also sell information about the vulnerability to other cyber criminals on the dark web.

What is a Zero-Day Exploit?

A zero-day exploit is the specific method used by hackers or digital adversaries to take advantage of a zero-day vulnerability. 

Zero-day exploits are specifically designed to target a known zero-day vulnerability, with the goal of gaining unauthorized access to the target’s network, stealing data, misappropriating funds, or causing damage.

What is a Zero-Day Attack?

A zero-day attack is the use of a zero-day exploit against a zero-day vulnerability. A successful attack gives the digital adversary unauthorized access to the target’s network, allowing the attacker to commit financial fraud, steal data, or cause damage.

Zero-day attacks can take a variety of forms, including:

  • Remote Code Execution – The adversary uses the zero-day exploit to execute arbitrary code on the target system, giving them full control over the system.
  • Privilege Escalation – The adversary uses the zero-day exploit to gain elevated privileges on the target system, allowing them to perform actions that are normally restricted.
  • Denial of Service (DoS) – The adversary uses the zero-day exploit to crash the target system or network, rendering it unusable.
  • Data Theft – The adversary uses the zero-day exploit to steal sensitive data from the target system or network, including passwords, financial information, or other confidential data.

How Do Zero-Day Attacks Work?

  1. 1. Target Selection

Potential targets for zero-day attacks include firmware and hardware devices, government agencies, political groups, large corporations, SMBs, and individuals with access to valuable data. Target selection depends on the specific nature and motivation of digital adversaries. 

  • Cybercriminals are motivated by financial gain and may target enterprise organizations, SMBs, or individuals with significant access to cash or data.
  • Hacktivists are politically motivated and may launch disruptive zero-day attacks against their ideological enemies, including individuals, government agencies, and political targets.
  • Corporate espionage operatives are motivated to steal valuable IP and cause damage to rival corporations.
  • State-sponsored adversaries are motivated to launch cyber attacks against national security threats or perceived enemies of the state.
  1. 2. Searching for Zero Day Vulnerabilities

After selecting a target, digital adversaries will work to discover which software applications are in use by the target organization. From there, the adversary will analyze the design and coding of software applications in the target’s technology stack in hopes of identifying a zero-day vulnerability that can be exploited.

In addition to commercial software programs, zero-day vulnerabilities may also appear in operating systems, web browsers, open-source applications, software extensions and plug-ins, firmware and hardware devices, and IoT devices. 

  1. 3. Building a Zero Day Exploit

Once a digital adversary identifies a zero-day vulnerability, they can start to build a zero-day exploit that leverages that vulnerability to gain unauthorized access to the target’s network. 

The exploit may be a malware application, some data, or a sequence of commands that causes unanticipated behavior in the software, allowing the attacker to access secure systems and exfiltrate data or cause damage.

  1. 4. Launching a Zero Day Attack

Once a zero-day exploit has been prepared, the final step is to launch a zero-day attack against one or more target organizations. Some successful zero-day attacks are so covert that targeted organizations don’t realize until weeks or months later that their data was accessed by hackers and exfiltrated without their knowledge.

Four Zero-Day Attacks You Should Know About

  • Stuxnet (2010)

Stuxnet was a highly sophisticated computer worm that targeted a zero-day vulnerability in the industrial control systems used in Iran’s nuclear program. 

Stuxnet was designed to take control of Siemens programmable logic controllers (PLCs) and modify the code to cause centrifuges used in Iran’s nuclear program to malfunction, effectively sabotaging the program. The attack is believed to have been a joint operation between the US and Israel. 

  • SolarWinds (2020)

The SolarWinds attack was a sophisticated supply chain attack that targeted the SolarWinds Orion software, which is used by thousands of organizations worldwide. 

The attackers compromised the software’s update mechanism, allowing them to distribute a modified version of the software that included a backdoor. This allowed the attackers to gain access to the networks of organizations that used the compromised software. The attack is believed to have been carried out by a state-sponsored hacking group from Russia. 

  • Zoom (2020)

The Zoom zero-day vulnerability was discovered in 2020 and allowed attackers to take control of a user’s computer and access sensitive data. 

The vulnerability was discovered in the macOS version of the Zoom client and was caused by a local web server that Zoom installed on users’ computers. This web server could be used by attackers to force users to join a Zoom meeting with their video camera enabled, effectively allowing the attackers to spy on the users. The vulnerability was quickly patched, but it highlighted the risks of installing software that includes hidden web servers.

  • Microsoft Exchange Server (2021)

The Microsoft Exchange Server zero-day vulnerability was discovered in early 2021 and affected Exchange Server versions 2010, 2013, 2016, and 2019. 

The vulnerability was caused by a flaw in the Exchange Server’s code that allowed attackers to gain access to email accounts and steal data. The vulnerability was quickly exploited by hacking groups, and Microsoft released emergency patches to address the issue.

Enhance Your Zero Day Protection Strategy with ZeroFox

ZeroFox provides enterprises with digital risk protection, threat intelligence, and adversary disruption to enhance protection against zero-day attacks.

The AI-driven ZeroFox platform monitors the public attack surface at scale for attack chatter that could indicate an impending zero-day attack on your business. Our curated threat intelligence feeds deliver timely and relevant vulnerability intelligence with descriptions of the newest zero-day exploits and recommendations for safeguarding your IT infrastructure.

Ready to learn more?

Download the 2023 Threat Intelligence Forecast to learn more about the digital risks facing your business and how to adapt.