The Threat of Zero-Day Vulnerabilities

Imagine you have a lock on your door, but it's broken. You aren't aware of this, but an opportunistic thief tries the door and enters your house. Cybercriminals do the same when they find an unknown flaw in software, hardware, or firmware. Vulnerabilities (flaws) can be exploited to access apps, devices, and the broader network. These exploitable flaws lead to various bad outcomes for a business, including ransomware infection, data theft, and financial losses.
What is a Zero-Day Exploit and Why is it Called a Zero-Day?

We are all used to regularly patching our mobile devices and laptops, and those patches fix security issues. However, not all security flaws are spotted quickly. When a flaw is discovered and exploited while it remains unpatched by the vendor, it is known as a zero-day or 0-day. The name refers to the vendor having had zero days to fix the flaw before an attacker can exploit it.
Zero-day vulnerabilities are a gateway for cybercriminals. A cyberattack may use phishing to gain an initial foothold but rely on a zero-day vulnerability to complete it. Zero-days continue to be an essential element of many cyberattacks: the recent Data Breach Investigations Report (DBIR) from Verizon identified a 180% increase in breaches that exploit vulnerabilities.
Hackers share and sell vulnerabilities on the dark web. A Kaspersky report found that half of the dark web posts related to buying and selling exploits involved zero-day or one-day vulnerabilities. Most of these vulnerabilities were used to gain unauthorized access and steal data.
Zero-day malware exploits zero-day flaws in software or systems. It can evade detection because antivirus databases do not yet contain its signature.
Zero-days have been behind some of the most devastating cyberattacks. A recent example was the MOVEit zero-day vulnerability. MOVEit data transfer software is widely used by companies of all sizes worldwide. The zero-day flaw was exploited through an SQL injection attack that affected over 2,600 companies, with over 2,000 in the USA. Almost 90 million individual customers and clients of those companies were impacted.
This single zero-day vulnerability caused a ripple effect across the supply chain. The culprits were identified as the notorious ransomware and data theft gang known as CLOP.
Vendors use the security community to help them identify zero-day vulnerabilities through "bug bounty programs". These initiatives encourage white hat hackers to explore new software releases, testing them to locate vulnerabilities before malicious hackers do. Companies like Microsoft run regular bug bounty programs, offering cash rewards to security researchers who find bugs that could otherwise be exploited as zero-day vulnerabilities.
The Costs to Business of Zero-Day Vulnerabilities
Zero-days lead to many types of cyberattack, opening the door to sensitive parts of a network:

Entire Control of Systems
A zero-day remote code execution (RCE) vulnerability can hand an attacker control of an entire web server or compromise an app. A Kaspersky report found that the average cost of RCE vulnerabilities to businesses was around $100,000.
Advanced Persistent Threats (APTs) + Zero-Days
APTs are highly targeted attacks that use stealth to evade detection, often over many months, during which the APT malware exfiltrates data. APTs are usually behind industrial espionage and financial crime. When an APT uses a zero-day, it becomes even more deceptive and dangerous. A recent APT + zero-day attack exploited a vulnerability in the Chrome browser; the attackers' goal was espionage. The cost of an APT to a business depends on what type of data is stolen.
Credential Theft
Zero-days can lead to credential theft. A recent example is Zoom's zero-day, which allowed the credentials of conference attendees to be stolen. Credential theft, in turn, can lead to data theft.
Security Breach and Data Theft
In general, IBM found that 95% of cybersecurity incidents at small businesses cost between $826 and $653,587.
Ransomware Infections
The average ransom is around $2 million, but ransomware costs are more than just the ransom. They include operational downtime, which costs $25,620 per hour for SMBs and $540,000 per hour for enterprises. Recovery costs and reputational damage add a further financial burden.
Data Loss and Operational Disruption
The Spring4Shell vulnerability was a critical flaw that compromised many businesses. Critical flaws like this can let threat actors take full control of systems, expose sensitive data, and disrupt operations. The Spring4Shell zero-day allowed malicious actors to weaponize it to deploy and execute the Mirai botnet malware. Botnets carry out DDoS attacks, which cost an SMB $6,000 per minute, with attacks lasting 39 minutes on average; the average cost per DDoS incident is therefore $234,000.
How Can You Protect Your Company from Zero-Day Threats?
Protecting your company from dangerous zero-day attacks requires a defense-in-depth (multi-layered) approach that uses measures including the following:

Robust IAM Measures (Least Privilege, PAM, and MFA)
Zero-day attacks often center on credential theft. Once a cybercriminal has a set of credentials, they can carry out cyberattacks such as ransomware and data theft. Robust identity management must include Privileged Access Management (PAM) to enforce the principle of least privilege, i.e., granting access rights only on a need-to-know basis. Multi-factor authentication (MFA) adds an extra layer of security on top of these access controls.
Encrypt Sensitive Data, Including Login Credentials
All sensitive data must be encrypted both in transit and at rest.
Protect Against SQL Injection Attacks
SQL injection bugs are behind some of the most high-profile zero-day attacks, like MOVEit. Measures include the use of a web application firewall (WAF) and sanitizing and validating web form inputs so that special characters cannot be used to alter a query.
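Filtering special characters on its own is fragile; the control that reliably removes the injection class is binding user input as a query parameter, with allowlist validation as a second layer. The following is an added example (not code from the original article or from any product it names) using Python's sqlite3 module with a constructed in-memory user table; it places the vulnerable string-concatenation lookup beside the parameterized and validated forms so the difference in behaviour can be checked directly.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application's user store.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted input concatenated into the SQL text: the input is parsed
    # as part of the statement, so quotes and operators change its meaning.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # Placeholder binding: the driver passes the value as data, never as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Allowlist for the field (assumed policy for this example): letters,
# digits, underscore, dot and hyphen, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def lookup_validated(conn, username):
    # Validation rejects malformed input early; the query is still parameterized,
    # because validation alone is not the primary control.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

def is_rejected(conn, username):
    """True if allowlist validation refuses the input before any query runs."""
    try:
        lookup_validated(conn, username)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"  # constructed test input, not a real request
    print("vulnerable:", lookup_vulnerable(db, tautology))      # every row
    print("parameterized:", lookup_parameterized(db, tautology))  # no rows
    print("validated rejects:", is_rejected(db, tautology))       # True
```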
Dark Web Monitoring
In addition to buying and selling zero-day vulnerability intelligence on the dark web, attackers can purchase attack kits from dark web services. The dark web is also where threat actors collate intelligence about the companies they intend to attack. Using a dark web monitoring service, like Sentinex, an SMB can look deeply into dark web forums and marketplaces to see whether its company details are being sold to attackers. Knowing that your organization is at risk helps you protect against those attacks.
Keep Patching and Updating Software and Systems
Patch maintenance is an essential part of zero-day attack prevention. Even while a patch for the zero-day itself is not yet available, keeping other vulnerabilities patched helps mitigate attacks, and a working patch process ensures that the flaw is fixed on your systems as soon as the zero-day patch is released.
Network Monitoring
Abnormal network traffic patterns can indicate that a malicious actor is exploiting a zero-day vulnerability. Software that monitors network traffic lets an organization identify unusual patterns in real time and respond quickly to security threats before a full-blown incident occurs.
FAQs

Is Phishing Used With Zero-Day Vulnerabilities?
Yes, phishing is sometimes used to initiate an attack that then relies on a zero-day vulnerability to carry out the breach. For example, a zero-day phishing campaign that targeted European government and media organizations exploited an XSS (cross-site scripting) vulnerability in the Zimbra email platform. Anyone clicking the malicious link triggered the exploit, which let the attackers steal the victim's entire email inbox.
How Should a Business React to a Zero-Day Attack?
A company should have an incident response plan with a step-by-step guide to handling a cyberattack. Incident response activities should include an analysis of the exploit and of the security gaps that allowed the zero-day attack to occur. The plan should also contain recommendations on the post-breach approach and on mitigation measures.
Why do Zero-Day Flaws Occur?
The software development process involves testing and iterative fixes before release. However, software often depends on various external elements, including other systems' APIs (application programming interfaces) and open-source code. These external elements, together with bugs missed during testing, can introduce flaws into software or a service.
If these flaws are not found before the software or service is promoted into production, they may be found by a hacker, who then exploits the vendor's lack of knowledge about the vulnerability during a cyberattack.