If you’ve read or listened to reports about hacks – whether it’s a phishing attack, brute force attack, or malware – you’ve likely seen or heard the phrase “zero-day vulnerability”. But, what is it?
A “zero-day vulnerability” is a flaw in a piece of software that is unknown to the software developer and doesn’t yet have a fix.
For hackers – who are always studying software – these are like unlocked doors.
When they find one, they can use malware or hacking techniques to take advantage of it with a zero-day exploit.
A “zero-day exploit” is a cyberattack that exploits a zero-day vulnerability.
Once the software developer knows about a zero-day vulnerability, they must develop an update — known as a “patch” — to fix the problem. For example, Microsoft releases a list of patches once a week. They call it “Patch Tuesday”.
But, as we’ll see, patches often come too late.
By definition, a zero-day vulnerability is a security flaw that the developer doesn’t know about. That means that, until a patch is distributed, everyone using the software is vulnerable.
Zero-day vulnerabilities pose a big problem because there is no obvious way to prevent them from being exploited. And, even once a zero-day vulnerability is reported to the developer, users could be waiting for weeks, months, or even years for a security fix.
Meanwhile, hackers are crafting sophisticated attacks – again, known as zero-day exploits – to take advantage of the vulnerability.
Zero-day exploits can circumvent anti-malware software that relies on lists of known security issues. Even though most modern anti-malware products use more sophisticated detection techniques, some zero-day exploits can get around these, too.
We’re going to look at some high-profile zero-day vulnerabilities that have caused serious trouble in the past — and see what you can learn from them.
EternalBlue was a powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011. EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol and allows attackers to run code on target computers.
The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many users have failed to update their systems.
Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, starting when hackers used it to spread the notorious WannaCry ransomware in 2016.
In 2017, an attack known as “NotPetya” used EternalBlue to target Ukraine’s banks, public services, and power suppliers. The NotPetya attack is widely considered the most devastating cyberattack of all time, causing an estimated $10 billion in damage.
The lesson from EternalBlue is clear — always keep your devices patched and up-to-date.
In 2016, the US Democratic National Convention (DNC) fell victim to a spear phishing campaign, carried out by a Russian hacking syndicate known as Strontium. Strontium’s spear phishing emails contained a zero-day exploit that targeted vulnerabilities in Microsoft Windows and Adobe Flash.
Google first revealed the vulnerabilities on October 31, 2016, when they were still being “actively exploited.” According to Microsoft, these security flaws allowed hackers to control a device’s browser, escape its security “sandbox,” and install a backdoor into the device.
Strontium allegedly intended to use data stolen from Democratic Party officials to influence the 2016 US election campaign. You can read more about the importance of information security in political campaigns on our blog.
While the software vulnerabilities allowed Strontium to exfiltrate data from its targets, the exploit was delivered by spear phishing emails. It’s crucial to ensure that all your organization’s devices are protected by email security software that can detect advanced impersonation attacks.
On January 15, 2019, Google’s virus-hunting team, VirusTotal, announced its discovery of a zero-day vulnerability within Windows, later named CVE-2020-1464.
The vulnerability allowed attackers to exploit how Windows authenticates file signatures. File signatures are created when a developer “code signs” a file, to prove a third party has not edited it.
Using this vulnerability, attackers could sneak a malicious file past Windows’ security by appending it to a file that had been code-signed by a trusted developer such as Google or Microsoft.
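A defender-side check for the appended-content pattern just described, added here as an example and not code from the original post or from Microsoft’s fix. It uses a ZIP/JAR as the appended payload (an illustrative choice, since ZIP readers locate an archive from its tail) and reports how many leading bytes belong to a host file whose signature covers only the host’s declared structure; the host bytes and the archive are constructed inline.

```python
import io
import struct
import zipfile

# End Of Central Directory record: signature plus fixed fields (22 bytes).
EOCD_SIG = b"PK\x05\x06"
EOCD = struct.Struct("<4sHHHHIIH")

def embedded_zip_offset(data: bytes):
    """Return the offset at which a ZIP/JAR inside `data` begins, or None.

    ZIP readers locate an archive from the EOCD record at the *end* of the
    file, so an archive glued onto the tail of an unrelated host file still
    opens cleanly, while the host format's own parser (and a signature over
    the host's declared structure) never looks at the appended bytes.
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD.size > len(data):
        return None
    fields = EOCD.unpack_from(data, pos)
    cd_size, cd_offset = fields[5], fields[6]
    # The central directory ends right before the EOCD and cd_offset is
    # relative to the archive start, so the archive begins here:
    start = pos - cd_size - cd_offset
    return start if start >= 0 else None

def appended_archive_report(data: bytes) -> dict:
    """Flag trailing ZIP content that a host-format signature would not cover."""
    start = embedded_zip_offset(data)
    if start is None:
        return {"appended_zip": False}
    try:
        members = zipfile.ZipFile(io.BytesIO(data[start:])).namelist()
    except zipfile.BadZipFile:
        return {"appended_zip": False}
    # start > 0 means the leading bytes belong to some other (host) file.
    return {"appended_zip": start > 0, "host_bytes": start,
            "host_magic": data[:2], "members": members}

def build_sample() -> bytes:
    """Constructed sample: a fake 'signed' host (not a real PE/MSI) + a JAR."""
    host = b"MZ" + b"\x00" * 30 + b"constructed host file, signed region"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"constructed, not real bytecode")
    return host + buf.getvalue()
```

Running `appended_archive_report(build_sample())` reports the archive as appended after the host bytes, while the bare archive alone reports `host_bytes` of 0.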
Despite reportedly being aware of the CVE-2020-1464 vulnerability, Microsoft did not release a patch for it until August 11, 2020 — nearly 20 months later. Throughout this period, Windows users remained exposed to phishing attacks that delivered exploits for the vulnerability.
This is yet another reminder that it’s better to defend employees’ email accounts than to rely on patches and fixes.
Cybercriminals use different methods to exploit zero-day vulnerabilities, which means organizations need a comprehensive cybersecurity program to defend against these threats.
Unlike spam filters and Secure Email Gateways (SEGs), which can stop bulk phishing attacks, Tessian Defender can detect and prevent the most advanced threats.
How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line, and body copy.
If anything seems “off”, it’ll be flagged – keeping zero-day exploits out.