“Zero-day” is an intriguing concept in the domain of cybersecurity. Imagine diligently following security best practices such as patching known vulnerabilities and updating your systems regularly. Plus, you’re following strict risk management and governance frameworks within the organization to vet new software applications for security risk before deploying them.
But what happens when the security flaws are novel — and a patch does not exist? 🆘
That’s zero day, and that’s what I’ll explain here.
Understanding zero day
Attackers actively search for such undisclosed flaws in the wild before the vendor and its users learn of the problem and take security measures. Most technology vendors are careful about disclosing vulnerabilities publicly if a patch is not immediately available.
The name refers to the number of days the vendor has had to prepare a fix: zero. Once a zero-day becomes known, defenders must act immediately against attempts to exploit it, often with no patch to apply. As such, zero-day exploitation remains a coveted capability among elite hackers and sophisticated state-sponsored groups.
While most cybercriminals exploit known vulnerabilities (that users have chosen not to fix), those who discover zero-day vulnerabilities have also created an underground brokerage market for zero-day exploits. These exploits are sold for anywhere between $5,000 and $250,000 apiece, depending on the target software and the reliability of the exploit.
Zero-day vulnerability vs exploit vs attack
The term zero-day is used interchangeably for vulnerabilities, exploits and attacks, but there are a few subtle differences:
- A zero-day vulnerability is a security flaw that is discovered before the vendor is aware of it, or for which the vendor has not yet issued a patch.
- A zero-day exploit is the code or technique an attacker uses to take advantage of a zero-day vulnerability.
- A zero-day attack is the use of that exploit against a real target, resulting in network intrusion, data leakage or compromise of systems.
Hackers, hobbyists, cybercriminals and state-sponsored attackers prize zero-day exploits because they give an immediate and significant advantage: the flaw is unknown to the vendor (or known but still unpatched), so there is no patch to apply and no signature for defensive tools to match, which lets the attacker bypass the security measures that are in place.
Infamous zero-day exploits
Let’s take a look at some of the famous zero-day exploits.
Stuxnet worm destroys nuclear centrifuges
Arguably the most famous zero-day attack came to light in 2010. The Stuxnet worm used several Windows zero-day vulnerabilities to spread, then targeted the Siemens Step7 software and S7 PLCs that controlled the gas centrifuges at Iran’s Natanz enrichment plant. Once it reached a PLC, the worm altered the frequency of the centrifuge drives, pushing rotor speeds outside the safe operating range, while replaying previously recorded normal values to the operators monitoring the process. The centrifuges were damaged and destroyed, and the existing safeguards and alerts were never triggered because the monitoring systems saw nothing wrong.
It is this physical destruction of the centrifuges that clued the world into the power of such vulnerabilities. Digital attacks are no longer limited to the digital world: they can have real-world (and disastrous) effects.
3 billion Yahoo! accounts sold for $300,000
In 2013, around 3 billion Yahoo! accounts were compromised in what the company later disclosed as its largest breach. Cybercriminals were able to extract personally identifiable user information including names, email addresses, dates of birth, phone numbers and passwords. Although the passwords were stored as hashes rather than in the clear, many had been hashed with the weak MD5 algorithm, and reports indicate that attackers were able to crack them and fully use the compromised data.
The full extent of the damage was never established, but the stolen database was reportedly sold on the underground market for around $300,000.
Data from 92% of LinkedIn accounts scraped and sold
In 2021, a data set of over 700 million LinkedIn user records, covering roughly 92% of the platform’s users, was put up for sale. It was not the product of a software exploit in the usual sense: the data was scraped by abusing LinkedIn’s API to harvest profile information at scale, including names, email addresses, phone numbers and professional titles. The data was offered for sale on the dark web and was likely used for mass spamming, including social engineering and phishing attacks that trick unsuspecting users into:
- Revealing login credentials to financial and business accounts.
- Installing malicious payloads such as spyware and other malware.
Although LinkedIn moved to block the collection technique, the consequences of the incident continued to affect end users over the long term, because the scraped data cannot be recalled.
Sony Pictures Entertainment state-sponsored attack
In one of the best-known politically motivated, state-sponsored attacks, a group calling itself Guardians of Peace breached Sony Pictures Entertainment in 2014 and demanded that the studio cancel the release of its film The Interview.
The intrusion went undetected for months, giving the attackers access to sensitive corporate data including employee emails, personal information, unreleased scripts and film project details. The attackers then deployed a destructive wiper, known as Destover, that shares techniques with the Shamoon malware used in earlier politically motivated attacks against organisations in the Middle East.
Defending against zero-day attacks
So how do you protect yourself against zero-day attacks when the vendor responsible for securing the systems has not yet discovered the vulnerability or created a working patch? The following best practices can help:
- Follow standard security best practices. Keep systems patched so that attackers cannot fall back on known flaws, and use strong, unique credentials with multi-factor authentication so that one successful exploit does not hand over every account.
- A zero-day exploit is rarely the whole attack. It is usually one step in a longer chain that also involves unauthorized login attempts, lateral movement and data being moved out of the network. Those later stages look the same whether the initial foothold came from a zero-day or a known flaw, so standard rule-based and signature-based tools can still catch them. A sophisticated attack may nonetheless slip past static rules, which is where behavioural anomaly detection, using statistical or machine learning baselines of normal activity, adds value.
- Educate employees against social engineering and spear phishing attempts. A zero-day exploit is often only the precursor to a larger attack, which can succeed only by also compromising the human element.
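To make the second point concrete, here is an added example (not code from the original post or from Splunk) of the two detection styles it describes, run over constructed sample data: a signature-style rule that flags a source address with many failed logins in a short window, and a baseline-style anomaly check that flags a host whose outbound traffic is far above its own history. The log format, hostnames, addresses, byte counts and thresholds are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample authentication log lines (invented format, not from any real system).
AUTH_LOGS = [
    "2024-05-01T10:00:01 sshd auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:09 sshd auth FAIL user=root src=203.0.113.7",
    "2024-05-01T10:00:15 sshd auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:00:22 sshd auth OK user=jdoe src=198.51.100.4",
    "2024-05-01T10:00:31 sshd auth FAIL user=oracle src=203.0.113.7",
    "2024-05-01T10:00:40 sshd auth FAIL user=admin src=203.0.113.7",
    "2024-05-01T10:05:00 sshd auth FAIL user=jdoe src=198.51.100.4",
    "2024-05-01T10:30:00 sshd auth FAIL user=jdoe src=198.51.100.4",
    "garbage line that does not match the format",  # parsers must tolerate junk
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=2)):
    """Rule-based detection: return source addresses with at least `threshold`
    failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # skip successes and lines that do not parse
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))

    hits = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within `window` of the newest event.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits


# Constructed daily outbound megabytes per host; the last value is the day under review.
EGRESS_MB = {
    "ws-17": [1100, 900, 1200, 1000, 950, 1050, 1150, 9800],  # sudden 9x jump
    "ws-22": [500, 600, 550, 520, 580, 610, 490, 570],        # within normal variation
}


def egress_anomalies(history, k=3.0):
    """Baseline-style anomaly detection: flag hosts whose latest egress is more
    than `k` standard deviations above the mean of their own prior days.
    Returns {host: z_score} for flagged hosts."""
    flagged = {}
    for host, series in history.items():
        baseline, today = series[:-1], series[-1]
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            # Flat baseline: any increase is unusual, and we must avoid dividing by zero.
            score = float("inf") if today > mu else 0.0
        else:
            score = (today - mu) / sigma
        if score > k:
            flagged[host] = score
    return flagged


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(AUTH_LOGS))
    print("egress anomalies:", egress_anomalies(EGRESS_MB))
```

The first function is what a signature or correlation rule does: it needs no knowledge of how the attacker got in, only that repeated failures from one source are suspicious. The second function has no rule about what is bad; it only knows what is normal for each host and reports deviations, which is how it can surface the exfiltration stage of an attack that began with an exploit nobody has a signature for yet. Both map naturally onto a SIEM search (a count-by-source over a time window, and a per-host comparison against a rolling baseline).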
This posting does not necessarily represent Splunk's position, strategies or opinion.