What is a Zero-Day Vulnerability? 3 Real-World Examples

  • 24 November 2020

If you’ve read or listened to reports about hacks – whether it’s a phishing attack, brute force attack, or malware – you’ve likely seen or heard the phrase “zero-day vulnerability”. But, what is it?

For hackers – who are always studying software – zero-day vulnerabilities are like unlocked doors.

When they find one, they can use malware or hacking techniques to take advantage of it with a zero-day exploit.

Once the software developer knows about a zero-day vulnerability, they must develop an update – known as a “patch” – to fix the problem. For example, Microsoft releases a list of patches once a week. They call it “Patch Tuesday”.

But, as we’ll see, patches often come too late.

Why Are Zero-Day Vulnerabilities Such a Big Problem? 

By definition, a zero-day vulnerability is a security flaw that the developer doesn’t know about. That means that, until a patch is distributed, everyone using the software is vulnerable. 

Zero-day vulnerabilities pose a big problem because there is no obvious way to prevent them from being exploited. And, even once a zero-day vulnerability is reported to the developer, users could be waiting for weeks, months, or even years for a security fix.

Meanwhile, hackers are crafting sophisticated attacks – again, known as zero-day exploits – to take advantage of the vulnerability.

Zero-day exploits can circumvent anti-malware software that relies on lists of known security issues. Even though most modern anti-malware products use more sophisticated detection techniques, some zero-day exploits can get around these, too. 

Three Examples of Zero-Day Vulnerabilities

We’re going to look at some high-profile zero-day vulnerabilities that have caused serious trouble in the past — and see what you can learn from them. 

Cybercriminals Unleash NSA Zero-Day Exploit

EternalBlue was a powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011. EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol and allows attackers to run code on target computers.

The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many users have failed to update their systems.

Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, starting when hackers used it to spread the notorious WannaCry ransomware in 2016.

In 2017, an attack known as “NotPetya” used EternalBlue to target Ukraine’s banks, public services, and power suppliers. The NotPetya attack is widely considered the most devastating cyberattack of all time, causing an estimated $10 billion in damage.

The lesson from EternalBlue is clear — always keep your devices patched and up-to-date.

Windows and Flash Zero-Day Vulnerabilities Expose DNC Data

In 2016, the US Democratic National Convention (DNC) fell victim to a spear phishing campaign, carried out by a Russian hacking syndicate known as Strontium. Strontium’s spear phishing emails contained a zero-day exploit that targeted vulnerabilities in Microsoft Windows and Adobe Flash. 

Google first revealed the vulnerabilities on October 31, 2016, when they were still being “actively exploited.” According to Microsoft, these security flaws allowed hackers to control a device’s browser, escape its security “sandbox,” and install a backdoor into the device.

Strontium allegedly intended to use data stolen from Democratic Party officials to influence the 2016 US election campaign. You can read more about the importance of information security in political campaigns on our blog.

While the software vulnerabilities allowed Strontium to exfiltrate data from its targets, the exploit was made possible by spear phishing emails. It’s crucial to ensure that all your organization’s devices are protected by email security software that can detect advanced impersonation attacks.

Windows Vulnerability Goes Unpatched for 20 Months

On January 15, 2019, Google’s virus-hunting team, VirusTotal, announced its discovery of a zero-day vulnerability within Windows, later named CVE-2020-1464.

The vulnerability allowed attackers to exploit how Windows authenticates file signatures. File signatures are created when a developer “code signs” a file, to prove a third party has not edited it.

Using this vulnerability, attackers could sneak a malicious file past Windows’ security by appending it to a file that had been code-signed by a trusted developer such as Google or Microsoft.
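A defender can look for this kind of "glued-on" content structurally. In a Windows PE executable the Authenticode signature sits in a certificate table that the headers point to, and that table is normally the last thing in the file, so any bytes past its end are appended content worth scrutinising whether or not the signature still verifies. The following is an added example, not code from the original post or from Microsoft; it implements that heuristic for PE images (offsets follow the PE format) and builds a constructed, hypothetical test image rather than using a real signed binary:

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def check_trailing_data(data: bytes) -> dict:
    """Locate the PE certificate table and report any bytes that follow it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = e_lfanew + 24                      # 4-byte "PE\0\0" + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + SECURITY_DIR_INDEX * 8)
    if cert_size == 0:
        return {"signed": False, "trailing_bytes": 0, "suspicious": False}
    sig_end = cert_off + cert_size               # certificate table offset is a raw file offset
    if sig_end > len(data):
        raise ValueError("certificate table runs past end of file")
    trailing = len(data) - sig_end
    return {"signed": True, "sig_end": sig_end,
            "trailing_bytes": trailing, "suspicious": trailing > 0}


def build_fake_pe(cert_blob: bytes, trailing: bytes = b"") -> bytes:
    """Constructed test image (hypothetical, not a real signed binary): PE32+ headers,
    no sections, and a certificate table placed at file offset 512."""
    cert_off = 512
    img = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", img, 0x3C, 64)        # e_lfanew: PE header follows the DOS header
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # COFF header, 240-byte optional hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, cert_off, len(cert_blob))
    img += opt
    img += b"\0" * (cert_off - len(img))         # pad up to the certificate table
    return bytes(img) + cert_blob + trailing


# Constructed WIN_CERTIFICATE stub: dwLength=16, wRevision=0x0200, wCertificateType=2 (PKCS#7)
FAKE_CERT = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8

if __name__ == "__main__":
    print(check_trailing_data(build_fake_pe(FAKE_CERT)))                 # clean: no trailing bytes
    print(check_trailing_data(build_fake_pe(FAKE_CERT, b"PK\x03\x04" + b"\0" * 40)))  # appended archive
```

Running it on real executables only needs the file bytes; the `build_fake_pe` helper exists purely so the check can be exercised offline.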

Despite reportedly being aware of the CVE-2020-1464 vulnerability, Microsoft did not release a patch for it until August 11, 2020 — nearly 20 months later. Throughout this period, Windows users were exposed to phishing attacks that delivered files exploiting the vulnerability.

This is yet another reminder that it’s better to defend employees’ email accounts than to rely on patches and fixes.

How to Defend Against Zero-Day Exploits

Cybercriminals use different methods to exploit zero-day vulnerabilities, which means organizations need a comprehensive cybersecurity program to defend against these threats.

  • Email security. Cybercriminals commonly use social engineering attacks, such as spear phishing, to get malware onto people’s devices. A crucial way to defend against zero-day exploits is to ensure your employees are protected from phishing. 
  • Network security. Hackers can use “brute force attacks” to gain access to a network and exploit zero-day vulnerabilities. Implementing network security measures such as a firewall or virtual private network (VPN) can prevent this.
  • Anti-malware software. Certain anti-malware software products notice unusual activity in files and processes and can detect some zero-day exploits before they are made public. 
  • Security patches. You should always keep all devices patched and up-to-date. While developers can’t always patch vulnerabilities on time, out-of-date software enables many exploits.

How Tessian Helps Defend Against Zero-Day Exploits

Unlike spam filters and Secure Email Gateways (SEGs) which can stop bulk phishing attacks, Tessian Defender can detect and prevent the most advanced threats. 

How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line, and body copy. 

If anything seems “off”, it’ll be flagged – keeping zero-day exploits out. 

To learn more about how tools like Tessian Defender can prevent spear phishing attacks, read our customer stories or speak to one of our experts and request a demo today.