What is zero-day exploit?GRIDINSOFT TEAM
Why are zero-day vulnerabilities so scary and dangerous? At a glance, some say that they have little to no difference from the other threats. And as soon as they are uncovered to the public, their main otherness evaporates. Other people may act contrary - saying that there is no reason to establish any security at all because zero-day attack breaches will be equally null the top-tier EDR solution and a hacked version of a regular antivirus tool. So, where is the intermediary? So, where is the intermediary? And finally, how to protect you and your company from zero-day attacks, if possible at all?
What is a zero-day attack?
Zero-day vulnerabilities, or zero-day exploits, are the security breaches in the programs that have never been uncovered yet. Exactly, it is their main danger. While known breaches are listed and described in all details in the specialized sources, you may only expect where the zero-day threat is. Cybersecurity analysts from all over the world try to create a solution that will at least be able to prevent this problem. Meanwhile, software vendors launch bug hunter programs, where initiative users are granted a substantial sum of money for finding the breaches.
The final effects of zero-days breach are the same as in any other case of vulnerability exploitation. Cybercriminals use the breaches to escalate privileges or to execute the code they need remotely. That gives them advanced capabilities for performing the intervention into the corporation they attacked. One may say exploited meaning - whether they’re zero-day or not - is the basis for the cyberattack. Not each one is committed to the use of them, but their share grows continuously.
But what is the danger of a zero-day attack? Is there a reason to worry so much if it grants the crooks the same abilities as a regular exploit? Yes, if you use a security solution of any sort, and know the price of data leak. Generally, when we talk about the EDR solutions, they apply different realizations of trust policy. The specialist who sets up the endpoint protection chooses which apps to trust and must be checked twice. You can set it up in a paranoid manner - up to a quasi-zero-trust model, but that will slow down the operations. Sure, there is an option “not to choose at all” - using a proper zero-trust security system, which will not affect the performance so much. However, they are much more expensive.
Zero-day attack definition
Zero-day attacks are, apparently, the cyberattacks that include the use of zero-day vulnerabilities. The severity level of these attacks and the impact on the target may be different, but the main characteristics of such attacks are their unpredictability. While you may protect your system or network from classic attacks using known breaches or design flaws, it is impossible to predict the zero-day attack.
The exact attack roadmap may be different. Crooks can use the appeared breach to escalate privileges once and execute their malware. Another option that is mainly used when scammers try to infect the whole network or to deploy the advanced persistent threat is to create a new account with administrator privileges on the local machine. After that, crooks usually hide that account and use it simultaneously with the use of the initial ones. Having the administrator account, they are free to do whatever they want - from gathering the information from the infected PC to brute-forcing the other computers in the network or even the domain controller.
Exactly, at the stage when brute force or malware spreading in the network is happening, it is quite easy to detect the malware presence if the security specialist knows that something is going on. However, crooks who do more than just ciphering the files with ransomware and asking for the ransom know how to circumvent the possibility of being detected. Obfuscation, disguising the activity as one from a legitimate program, creating the distraction - these are only the basic actions crooks may apply to reach their target.
Zero-day attack prevention: How to discover danger in advance
Just as with anything related to any application's functions, you can find zero-day vulnerabilities through the code analysis. The main question is who does that analysis - crooks, developers, or bughunters. In the way things turned out, cybercriminals and bug hunters have a much more material reward for their activity in exploit searching. First, receive ransoms and a big scoop for selling the data in the Darknet, and second get paid for each breach found. Meanwhile, the developers receive only the non-material things - like recognizing their software as safe to use. Reputational losses that then result in losing the users do not feel as accurate as a bundle of banknotes.
The deep analysis needed to detect the potential weak spot is not enough. Staring at the code rows will not indicate how exactly crooks may use the vulnerability and which benefits it will bring. That’s why the instrument kit for bug hunters and hackers is almost the same. Experts who work with that stuff know the primary “stress concentrators” - places where the program accesses the network or asks for increased privileges, are the most often places of the breach. Nonetheless, even discovering the breach and determining what crooks can use it is not enough to use it in the wild. An army of programmers from the Darknet marketplaces are ready to write a unique exploit malware for just $10, and regular antiviruses will barely stop it with signature-based detections.
Why do vulnerabilities appear?
Cybersecurity analysts did not consider a single reason for the appearance of vulnerabilities. Most of them are the non-intended mistakes - such ones appear from non-professionality or the lack of peers to compare the codebase. Sometimes, the developers create an exploitable function to fit some current needs. For example, there is an ability to edit the Windows Registry remotely, which was pretty useful in the ‘90s. At the time of Windows 95/98, you had a lot of reasons to set something up in the registry, and the possibility to do that for all computers in one click was a mess for system administrators. Unfortunately, cybercriminals harnessed that “feature” quickly until that function was set to “disabled” by default. However, they still sometimes enable it - it is useful for creating multi-functional backdoor access.
In some rare cases, the breaches are created intentionally, primarily to use them for the developer’s needs. Such a breach is rare, and their presence is usually pretty hard to detect. However, the scandal explodes exponentially as it is uncovered. While common vulnerabilities are not so critical for the company's reputation, intentional ones are like a nuke for the company’s reputation.
The list of most exploitable programs:
- Microsoft Outlook
- Microsoft Word
- Microsoft Excel
- Adobe Premiere
- Adobe Creative Cloud
- Adobe Photoshop
- Apache Struts 2
- Pulse Connect Secure
Examples of zero-day exploits
The cybersecurity world witnessed numerous examples of zero-day exploits. Some of them were successfully used by cybercriminals, but most of them were detected and fixed before the crooks did it. Let’s check the most notorious cases.
- Log4 Shell. An infamous vulnerability that popped out at the edge of 2022, and was successfully used by cybercriminals in various attacks. The vulnerability in the logging mechanism allowed the attacker to force the server to execute the malicious code while reading the logs. Crooks were able to put that code into the logs while interacting with Java-based applications. Even though the initial vulnerability - CVE-2021-44228 - was fixed with an instant patch, the other one appeared in that patch - CVE-2021-45046. This vulnerability already led hundreds of companies to money losses, and will likely circulate for several years. Yet it absolutely deserves the CVSS ratio of 10/10.
- LinkedIn leaked through CVE-2021-1879. The vulnerability in a chain of Apple software products, in particular iOS 12.4-13.7 and watchOS 7.3.3, allowed the universal cross-site scripting (XSS). That breach was used to steal the information of about 700 mln users. A big part of them - 500 million - was set for sale. The leaked information included email addresses, social media records, phone numbers and geolocation details. Such info may be extremely useful for spear phishing with the use of counterfeited profiles in social networks.
- Zoom Video RCE vulnerability. The breach that made it possible to execute the code on the devices connected to a conference was uncovered and used amidst the first wave of coronavirus pandemic. Since Zoom became an extremely popular solution for video conferencing and education, the potential attack surface appeared close to unlimited. CVE-2020-6110 touched Zoom versions 4.6.10 and earlier.
How to avoid zero-day exploits and attacks?
The absence of the ability to expect where the danger can come from makes most of the advice much less effective. When you know where the enemy will try to break through, you can presume how it will do this and how to defend. Meanwhile, counteracting the 0-days with well-known methods is more like fighting windmills. There is not much you can do precisely against these kinds of threats. Therefore, we’ll list only the most effective ways of zero-day malware counteraction.
- Apply the use of advanced EDR with zero-trust policy. A lot of EDR solutions offer the flexible model, where you set up which applications to trust. However, there is no other way besides the paranoid one in the zero-day breaches protection. If you want to be sure that neither well-known programs nor strange stuff from GitHub will become a part of the attack, it is better to control each one with maximum diligence. Almost 74% of 0-day-related cyberattacks successfully circumvented the “regular” antiviruses.
- Update your software as often as possible. Zero-day breaches become regular breaches after being uncovered, but never lose their effectiveness. As actual stats say, in Q1 2021 almost 25% of companies were still vulnerable to WannaCry virus - a malware that became worldwide-known as it struck in 2017. Companies are delaying the software updates for different reasons - hardware incompatibility, complaints on the interface of new versions, and the overall performance of the app. However, it is better to put up with those problems, or to find other software than to keep using outdated stuff that may easily be exploited.