What is a zero-day exploit?


A zero-day exploit refers to a cyber attack targeting a software vulnerability unknown to the software vendor or to the antivirus software assigned to protect the system. Attackers can identify such a zero-day vulnerability, design an exploit, and use it to launch an attack. Zero-day attacks are highly likely to penetrate the targeted network because no defenses against the new threat exist yet: "zero days" have passed since defenders first learned of the vulnerability.

This turns zero-day attacks into significant security threats.

Typically, zero-day attacks rely on Web browsers and email attachments to exploit vulnerabilities in the specific app that opens the attachment or in specific file types - Word, PDF, Excel, Flash, etc. Once the zero-day malware enters the system, it can spread quickly across all targeted areas.

Zero-day vulnerabilities come in many forms. Attackers can take advantage of broken algorithms, poor password security, a faulty web application firewall, missing authorization checks, unprotected open-source components, and more to initiate attacks such as SQL injection. If the attack is successful, it can compromise more software on the targeted network, steal sensitive information, hold data to ransom for large sums, attempt identity theft, corrupt the company operating system, and more.

Typical targets for zero-day exploits

Zero-day vulnerabilities are valuable to various parties. This is why a market exists where organizations hire researchers to discover vulnerabilities. In addition to this "white market", there are black and grey markets, where malicious actors can trade zero-day vulnerability details without public disclosure.

The typical targets for zero-day exploits are large organizations, government agencies, individuals with critical file access (such as intellectual property), hardware devices, Internet of Things (IoT), firmware, home users who use a vulnerable system (if infected, they can become cogs in a botnet), and more. Sometimes, government agencies use zero-day exploits to target countries, organizations, or individuals who threaten national security.


What are zero-day vulnerabilities?

Usually, when an individual (or a security team) detects software carrying potential security vulnerabilities, they will alert the software vendors so a patch can be issued to fix the vulnerability.

With enough time, software developers can fix the issue and distribute patches (or software updates) so all software users can apply them as soon as possible. If malicious actors learn about the vulnerability, designing an exploit and launching an attack may take some time. Meanwhile, hopefully, the patch will already be available and deployed.

How do zero-day attacks work?

Hackers can be the first to discover a weak link in a software program. Since vendors and security teams don't know about the vulnerability yet, they practically have zero days to build a defense against a targeted attack. Companies vulnerable to such exploits can initiate early detection procedures to safeguard their networks.

Dedicated security researchers often try to cooperate with software vendors and typically agree to withhold zero-day vulnerability details for an extended period before publishing them.

Once a zero-day vulnerability is made public, it is called an "n-day" or "one-day" vulnerability.

Examples of zero-day attacks

Below are several examples of zero-day attacks in recent years.

  • Stuxnet

A malicious computer worm targeted zero-day vulnerabilities in supervisory control and data acquisition (SCADA) systems by first infiltrating Windows operating systems. Stuxnet exploited four Windows zero-day vulnerabilities to spread through infected USB drives. This way, the worm infected both Windows and SCADA systems without launching a network attack.

Stuxnet hit computers used to manage manufacturing in Iran, India, and Indonesia. It is believed that the primary target was Iran's uranium enrichment plants, and that the attack was intended to disrupt the country's nuclear program. Once infected, the programmable logic controllers (PLCs) driven by the targeted computers carried out unexpected commands on assembly line machinery, causing a malfunction in the centrifuges used to produce nuclear material.

  • Sony zero-day attack

Sony Pictures fell victim to a zero-day exploit at the end of 2014. The exploit impacted Sony's network, leading to corporate data being leaked on file-sharing websites.

The leaked information included details of upcoming movies, business strategies, and personal email addresses for senior Sony executives.

  • Adobe Flash Player zero-day attacks

In 2016, a zero-day attack exploited a previously undiscovered vulnerability (CVE-2016-4117) in Adobe Flash Player. In the same year, over 100 organizations were impacted by a zero-day exploit (CVE-2016-0167) that enabled elevation-of-privilege attacks targeting Microsoft Windows.

In 2011, malicious actors used an unpatched vulnerability in Adobe Flash Player to gain access to the RSA security company network. The threat actors sent Excel spreadsheet email attachments to several RSA employees. The Excel documents contained an embedded Flash file to exploit the zero-day vulnerability.

Upon opening one of the malicious attachments, an employee unknowingly enabled the installation of the Poison Ivy remote administration tool, which took control of the infected computer. Once they had infiltrated the RSA network, the attackers searched for, copied, and transmitted sensitive information to external servers under their control.

RSA later admitted that among the stolen data was sensitive information regarding the company's SecurID two-factor authentication tools used globally to safeguard critical workloads and devices.

  • Microsoft Office zero-day attacks

In 2017, a zero-day vulnerability (CVE-2017-0199) revealed that Microsoft Office documents in Rich Text Format (RTF) could trigger the execution of a Visual Basic script carrying PowerShell commands upon opening.

Another zero-day exploit from 2017 (CVE-2017-0261) used Encapsulated PostScript (EPS) content as a platform for initiating malware infections.

  • Operation Aurora

In 2009, a zero-day exploit targeted several major enterprises - Google, Yahoo, Adobe Systems, and Dow Chemical - to find and steal intellectual property (IP). The zero-day vulnerability existed in Internet Explorer and in Perforce, which Google used to manage its source code.

How to detect a zero-day attack?

A zero-day attack is challenging to detect. Antivirus software, intrusion detection systems (IDSes), and intrusion prevention systems (IPSes) can't pinpoint the threat signature as one doesn't yet exist.

The most effective way to detect zero-day threats is via user behavior analytics. Most entities authorized to interact with your network typically exhibit specific usage and behavior patterns - considered "normal" behavior. Network actions outside the normal scope could indicate a zero-day threat.

Companies attacked by a zero-day exploit will often detect unexpected traffic or suspicious scanning attempts from a service or a client. In addition to behavioral analytics, organizations can also detect a zero-day threat via the following:

  • Existing malware databases and malware behavior statistics as a reference. However, even if those databases are updated in real time, zero-day exploits take advantage of vulnerabilities that attackers have only just discovered, so by definition an existing database is limited when it comes to detecting unknown threats.
  • Machine learning, which is increasingly used to build a baseline of safe system behavior from previously recorded exploit information and from past and current system interaction data. As organizations gather more and more data, the approach can detect zero-day threats more reliably.
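As an added illustration of the behavior-baseline idea described above (not code from Acronis or from the original page), the following Python script learns a per-host baseline of "normal" destination/port pairs from a constructed flow log and flags a host whose later activity leaves that baseline or shows scan-like denied connections. The log format, the 09:30 cutoff, the thresholds and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real traffic): a baseline window before 09:30,
# then a later window in which host 10.0.1.22 starts probing ports it never used.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.1.15 dst=10.0.2.10 dport=443 action=allow
2024-05-01T09:05:12 src=10.0.1.22 dst=10.0.2.10 dport=443 action=allow
2024-05-01T09:20:03 src=10.0.1.22 dst=10.0.2.30 dport=53 action=allow
2024-05-01T10:00:01 src=10.0.1.15 dst=10.0.2.10 dport=443 action=allow
2024-05-01T10:00:02 src=10.0.1.22 dst=10.0.2.10 dport=22 action=deny
2024-05-01T10:00:03 src=10.0.1.22 dst=10.0.2.10 dport=3389 action=deny
2024-05-01T10:00:04 src=10.0.1.22 dst=10.0.2.20 dport=135 action=deny
2024-05-01T10:00:05 src=10.0.1.22 dst=10.0.2.20 dport=139 action=deny
2024-05-01T10:00:06 src=10.0.1.22 dst=10.0.2.40 dport=445 action=allow
"""
BASELINE_END = datetime.fromisoformat("2024-05-01T09:30:00")  # assumed learning cutoff
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport, action) tuples; skip malformed lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events

def build_baseline(events, cutoff):
    """'Normal' behaviour: the (dst, dport) pairs each source used before the cutoff."""
    baseline = defaultdict(set)
    for ts, src, dst, dport, _ in events:
        if ts < cutoff:
            baseline[src].add((dst, dport))
    return baseline

def find_anomalies(events, baseline, cutoff, max_new_pairs=3, max_denies=3):
    """Flag sources whose post-cutoff activity leaves the baseline (many never-seen
    destination/port pairs) or looks like scanning (many denied connection attempts)."""
    new_pairs, denies = defaultdict(set), defaultdict(int)
    for ts, src, dst, dport, action in events:
        if ts < cutoff:
            continue  # baseline window is not scored
        if (dst, dport) not in baseline.get(src, set()):
            new_pairs[src].add((dst, dport))
        if action == "deny":
            denies[src] += 1
    findings = {}
    for src in set(new_pairs) | set(denies):
        if len(new_pairs[src]) > max_new_pairs or denies[src] > max_denies:
            findings[src] = {"new_pairs": len(new_pairs[src]), "denied": denies[src]}
    return findings
```

Running `find_anomalies(parse(SAMPLE_LOG), build_baseline(parse(SAMPLE_LOG), BASELINE_END), BASELINE_END)` reports only 10.0.1.22, whose five never-seen destination/port pairs and four denied attempts are exactly the "unexpected traffic or suspicious scanning attempts" the text describes; a real deployment would learn the baseline over days, not minutes.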

As exploiting vulnerabilities is an ever-evolving field, a hybrid detection approach is recommended to protect organizations and their valuable business data.

How to protect against zero-day vulnerability exploits?

As zero-day exploits are so difficult to detect, defending against them is challenging. Software vulnerability scanning tools rely on malware signature checkers to compare suspicious code with known malware signatures. When a zero-day attack uses an exploit that hasn't been encountered before, signature-based scanning will fail to detect and block the malicious code.

Since zero-day attacks exploit an unknown security flaw, companies can't know the specific exploit before it occurs. Nonetheless, several methods exist to reduce risk exposure and protect companies against new threats.

Use VLANs

Virtual local area networks (VLANs) can segregate specific network areas, and physical or virtual network segments can isolate essential traffic between company servers.

This way, even if attackers breach company defenses and gain access to the network, they won't be able to steal data from business-critical network areas.

Keep all systems up-to-date

Adequate patch management is crucial for organizations of all sizes.

Software developers will issue security patches as soon as they are aware of a potential exploit threat. Applying zero-day and n-day patches as soon as possible won't fix unknown software vulnerabilities but will make it more difficult for a zero-day attack to succeed.

Implement network traffic encryption

It's impossible to detect all security vulnerabilities before a zero-day exploit occurs. However, companies can use IP Security (IPsec) to apply encryption and authentication to critical network traffic.

Conversely, missing data encryption can leave all information on the company network exposed, lead to heavy downtime, and severely impact revenue.

Deploy IPS or IDS

Signature-based IPS and IDS may not be able to detect and counter an attack on their own. Nonetheless, they may alert security teams of suspicious incoming files as a side effect of an ongoing attack.

Implement NAC

Rogue machines can reach critical areas of the company environment and compromise devices across the entire network. Network access control (NAC) denies access to devices and users that lack authorization, allowing only authorized people into those areas.

Perform regular checks and educate employees

Regular vulnerability scanning on all enterprise networks is critical to discover vulnerabilities and lock them down before attackers can exploit them.

What's more, many zero-day exploits rely on human error. Educating employees on good cybersecurity hygiene will keep them protected online and prevent accidentally enabled zero-day exploits and other malicious threats.

Use a comprehensive cybersecurity solution

Dedicated EDR software like Acronis Cyber Protect Cloud can detect, stop, and block malicious activity and quickly restore any affected files. Moreover, you can use Acronis Backup 12.5 to protect files and documents in real time, automate critical software patching, and create multiple complete system backups to ensure full recovery even if a zero-day attack occurs.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.