Cyberattack Spotlight: The Zero-Day Exploit

A zero-day attack takes advantage of a weakness in a target’s network, software, or infrastructure—without the target even knowing. These type of cyber attacks can be devastating because the attack will continue unimpeded until it’s eventually spotted (that’s if it’s spotted at all).

This article shines a spotlight on the danger. We define the features of zero-day incidents and consider some of the most famous case studies.

Fortunately, certain tools and strategies have been developed in recent years to help mitigate the risk. We’ll finish with a consideration of some of these.

What Is A Zero-Day Attack?

Have you ever returned home to find you left a window open or a door unlocked? The whole time you were out, you had no idea your home was vulnerable. Worse, an intruder could have noticed and decided to enter your property. You, oblivious, would have had no idea any of this was happening.

This experience is a good analogy for zero-day security incidents. The intruder notices a ‘vulnerability’ (which you were unaware of) and put plans in motion to take advantage of it.  

There are a few terms it’s important to pin down and explain before we examine this topic any further. These are:

• Zero-day vulnerabilities. These are weaknesses in the victim’s security or software that the victim is unaware of.
• Zero-day exploits. Once a cybercriminal has identified a vulnerability, zero-day ‘exploits’ are the methods and tools they use to target it. This will typically be malicious code that can be inserted into the victim’s network or software.
• Zero-day attack. With the means of attack ready (i.e. the zero-day ‘exploit’), the attack can be launched. This may take various forms.

In essence, these terms map the three steps in a zero-day incident: a ‘vulnerability’ is identified, the means of ‘exploit’ is planned, and the ‘attack’ is executed.

The reference to ‘zero days’ reflects the urgency of these incidents. The moment an attacker discovers a weakness, it becomes a ‘zero-day vulnerability’, meaning the business is in jeopardy immediately. There’s no grace period in which the organization can put things right.

To mitigate the risk of zero-day attacks, it is essential to secure your IoT devices, as they are often targeted by hackers seeking vulnerabilities in the network infrastructure.

How Do Zero-Day Incidents Unfold?

Zero-day incidents can be broken down into stages like all cyber attacks.

1. The Rise of Cyber Attacks

To begin, it’s worth considering the broader context in which zero-day incidents occur.

• The dark web has provided a vibrant marketplace for cybercriminals to sell attack opportunities to others
• It’s also important to note that all this is happening quickly, and cybercriminals are proving adept at keeping pace by continually developing new modes of attack.
• Shaky geopolitical circumstances, divisive political grievances, and a challenging economic outlook are also fanning the fires of cybercrime.

Several trends in today’s world are also presenting particular opportunities for would-be attackers. These include the advent of Big Data, the rise of cloud computing, and the inexorable shift of society online. Such technological changes open new ‘attack edges’, AKA potential weaknesses.

So, zero-day incidents must be viewed in the context of these deeper shifts.

But who’s involved in such attacks? Perpetrators include:

• Cybercriminals, who aim to extract a financial profit from these crimes. This may involve launching attacks themselves or selling information or tools that enable others to (e.g. ransomware as a service).
• Corporate spies. One party (e.g. a business) might launch an attack on another to gather information.
• Activists. Some hackers seek to achieve social or political goals through their attacks. This is sometimes known as ‘hacktivism’.
• State-backed perpetrators. One nation might launch an attack on organizations from another nation. This is sometimes referred to as ‘cyber warfare’.

In short, conditions in 2023 are ripe for privacy and cyber attacks, so it’s no wonder they’ve intensified recently. Moreover, there’s no shortage of actors willing to conduct attacks or help others do so.

These troubling circumstances that modern businesses find themselves in are crucial to fully understanding zero-day incidents.

To return to our analogy, it’s unwise not to check that your house is securely locked in an online world.

2. The Zero-Day Vulnerability

A zero-day vulnerability is a weakness in the victim’s security or software, of which the victim is unaware.

Software and other online applications are often an ongoing work-in-progress. With DevOps becoming increasingly standard practice, each ‘upgrade’ can unwittingly introduce imperfections that impact performance or security.

Therefore, developers and other businesses with a significant online presence are usually proactively looking for problems and issues in their software and IT infrastructure.

The best practice is to always be on the lookout for issues (including vulnerabilities). Where these are identified in a software product or system, a decision will be needed about whether a fix can wait until the next major upgrade or a more immediate ‘patch’ should be released to address the problem.

‘Patches’ are often temporary (think of sticking a plaster on a wound) but do the job as an interim measure.

While this is all well and good, however, hackers will be simultaneously investing a great deal of effort into analyzing and exploring networks and software.

Their targets typically include institutions, government departments, infrastructure, enterprises, and even individuals. They’ll sometimes find weaknesses in the target before the target does itself.

That’s when the problem starts. The organization (or individual) now has zero days of safety in which to fix the issue—it’s become an immediate liability. Yet how can they fix or patch something they don’t know about?

What happens next depends on the intentions of the actor. They may either exploit the vulnerability themselves, launch their attack, or sell your personal information (and possibly the means to exploit it) to another party.

Indeed, some cybercriminals specialize in the latter, selling exploits on the dark web for hundreds of thousands of dollars.

Either way, once identified, the zero-day vulnerability becomes a valuable opportunity for cybercriminals.

3. The Zero-Day Exploit

So, a weakness has been found, and a zero-day vulnerability has opened up. Now, attackers will start planning their next steps i.e. how to exploit the opportunity.

The zero-day ‘exploit’ is the means or tactics used in an attack. These will usually involve attackers creating malicious code (known as ‘exploit code’) and then inserting this into the target’s ecosystem.

Zero-day exploits often employ social engineering tactics. That is where individuals are tricked into performing an action that allows the exploit code into the infrastructure.

For example, a phishing email may be crafted, prompting the recipient to open an attachment or visit a particular website. Doing either of these things allows the attacker in.

The attack has now begun.

4. The Zero-Day Attack

The attacker gains access to the target’s systems if the exploit works. They can now extract from it or undermine it in some way. The nature of attacks can vary depending on the target. However, they typically aim to achieve one or more of the following objectives.

• To steal sensitive data (to sell or make publicly available)
• To carry out fraudulent transactions
• To disrupt critical infrastructure (e.g. power supplies, transportation, communication)
• To steal secrets and intelligence (and enable espionage)
• To gain leverage over the target (e.g. stealing data or taking over a system and then demanding a ransom)
• To gain access to an individual’s device and accounts

In other words, attacks come in various guises, and they can have a huge financial and reputation impact. The additional VoIP cost you’re considering will be nothing compared to the potential hit of a data breach in your business.

Moreover, attacks can continue for an extended period. Indeed, they can be sustained for as long as the vulnerability remains undetected. For this reason, hackers are often careful to carry out their attacks slowly, thus reducing the chances of being discovered. It can be months or even years—only once vast damage has been inflicted—before the vulnerability is finally detected and closed.

That said, and as we shall see, there are ways to mitigate the risk of undetected vulnerabilities, so it’s certainly not a hopeless situation. As soon as the attack is detected, the target organization can then take steps to close the vulnerability, by issuing a patch, for example.

This also marks the beginning of a crucial postmortem: determining what went wrong and assessing the extent of the damage.

Famous Examples of Zero-Day Incidents

There are many famous examples of zero-day incidents. In fact, most prominent cyber attacks in recent years fall into this category. Let’s consider a few examples.

• Stuxnet (2010). One of the oldest and most infamous zero-day attacks targeted Iran’s nuclear program, causing significant damage to its facilities. Although it was discovered in 2010, development on the Stuxnet worm (the exploit used) is thought to have started in 2005.
• Yahoo (2013). In one of the most significant zero-day attacks, the details of around three billion user accounts were compromised by hackers.
• Sony (2014). A team of hackers was able to access sensitive company content (including new movies), business plans, and personal contact details. This attack was silent and lightning-fast.
• Microsoft Word (2017). Hackers discovered a weakness in the software and developed a Trojan (which they called Dridex) to exploit this. People who downloaded this malicious document opened the door of their networks to hackers. By the time it was discovered and patched, millions of users had been affected.
• Zoom (2020). It was reported that at least one zero-day exploit targeting Zoom was available to purchase on the dark web—for $500,000. This would reportedly have allowed attackers to spy on communications and even take control of a user’s computer, making it perfect for espionage.
• SolarWinds (2020). Attackers gained access to the business's systems after identifying a vulnerability in its CI/CD pipeline in September 2019. They injected malicious code into SolarWinds’s software updates, rolled out to over 18,000 customers. This enabled attackers to access the systems of those customers. The attack was so stealthy that it was only reported in December 2020.  

For obvious reasons, we still can’t be sure about the full extent of zero-day incidents. As they’re clandestine and secretive, who knows how many large-scale attacks are active even as you read this? There’s no guarantee they’ll all get detected either—after all, that’s the nature of the beast.

Preventing Zero-day Attacks

Not all hackers are bad-faith actors. Indeed, ethical hacking plays a key role in the fight against cyber attacks.

For example, in 2020, a Zero-Day Initiative competition challenged a number of hackers to discover and close down weaknesses. Three Zoom vulnerabilities were reported.

If used, these would have enabled attackers to gain control of a Zoom user’s computer (leaving them free to pry, open programs, and access data). Following this discovery, Zoom was able to begin working on a solution.

Initiatives like this play an important role in helping prevent zero-day attacks—but it’s not enough for organizations to rely on them. Tools, processes, and cultural values must also be implemented to mitigate the dangers. Fortunately, there’s a lot that can be done, such as:

• Ensuring that all software and applications are up to date. This means you’ll have access to all the latest security patches for any known vulnerabilities. Otherwise, these weaknesses may remain on your network.
• Only using software from trusted providers. You need to be confident about the software and applications you’re bringing into your ecosystem. Are they rigorous in ensuring there are no exploits in their products?
• Implementing strong network segmentation. You can limit the impact of potential attacks by splitting your infrastructure into smaller chunks. Strong walls between segments can help prevent attacks from spreading.
• Carrying out real-time vulnerability scanning to uncover potential weaknesses in your code. Once identified, vulnerabilities need to be promptly addressed to ensure they’re not exploited.
• Conducting regular and ongoing risk assessments of your entire IT infrastructure. This should include the vulnerability scanning mentioned above, but it should also consider other aspects too, such as hardware changes, levels of training, and security controls across the business (e.g. who can access what?). For example, if you’re debating whether to continue with either landline or VoIP telecommunications, be sure to consider the security arguments.
• Using a firewall and antivirus software. These sound obvious, but you need to ensure you have the best services to protect your infrastructure. As your organization evolves, you may need different levels of protection.
• Fostering a security-conscious culture. Human error is key to the success of many zero-day attacks, so ensure your employees understand the need for good security hygiene (e.g. around passwords) and the risks of social engineering (e.g. how to avoid malicious attachments and links). Your entire team needs to instill a high level of digital security.
• Protect your company’s data. These 12 concrete tips will help you secure your devices and protect your company against data spying.

Finally, you need a speedy and robust approach to patch management. Remember, a patch is a quick coding fix to address a software problem—in this case, a security vulnerability. As soon as a problem is identified, the business needs to develop a patch and then roll this out to all users and customers.

Implementing contract automation can also streamline the patch management process by automating the creation, review, and deployment of legal agreements, ensuring that necessary patches and updates are incorporated efficiently and effectively.

Detecting and Responding to Zero-Day Attacks

A great cybersecurity posture mitigates the risk of being targeted by zero-day exploits. However, even doing all these things brilliantly doesn’t preclude an attack. Remember, it only takes one unnoticed vulnerability, and the attacker is in.

With this in mind, it’s important to be prepared for attacks if they do occur. There are several things to consider here.

• First, the threat landscape is constantly evolving, so ensure that your IT specialists (e.g. data engineers) get regular training on all the latest threats and security techniques. As well as helping with prevention, this will assist with detecting attacks and responding appropriately.
• Second, ensure your organization has robust monitoring and detection processes across your network. All network activity should be tracked and monitored, with any unusual behavior immediately flagged. There are various approaches to detection and monitoring (i.e. statistical, behavioral, and signature-based). It’s crucial to ensure you have a good mix of these.
• Third, you need to plan for the worst case should an attack happen. Develop a live incident response plan setting out exactly what will happen and who will do it. Make sure everyone knows about the plan and contemplate this on the case studies.

Make a Strong Security Posture a Top Priority

In our increasingly digital world, businesses cannot afford to leave their defenses down; the danger of an attacker discovering a zero-day vulnerability and exploiting it is too great to ignore.

The financial and reputational damage that this could cause is immense. In short: educating yourself is crucial to avoid cybersecurity mistakes that could cost you your privacy!

It’s an intimidating outlook in many ways. However, there are lots of tools to help combat the risks. Stay vigilant and informed of the dangers and what you can do to tackle them.