What Is a Zero-Day?
A zero-day is a vulnerability in a piece of hardware or software that was previously unknown to the vendor, meaning they have had “zero days” to mitigate or remediate the vulnerability. They won’t even have a CVE assigned to the vulnerability to begin with, let alone have a patch ready to deploy. Since no patch for the vulnerability exists, any cybercriminal who exploits the zero-day is likely to succeed. In fact, by the time the world has become aware of a zero-day vulnerability, it is already being exploited in the wild.
What Is a Zero-Day Exploit?
When cybercriminals use a zero-day vulnerability to gain access to a system, that is a zero-day exploit — and it’s a tactic that’s on the rise. In 2021 there were more zero-day exploits than in the previous four years combined.
What Is the Difference Between a Zero-Day Exploit and a Zero-Day Attack?
In a zero-day exploit, cybercriminals use a previously unknown vulnerability to gain access to a system. If, once inside, they use that access to launch malware or ransomware, to steal data, or to otherwise cause damage and chaos, that is a zero-day attack.
How Does a Zero-Day Exploit Work?
Whenever hardware or software is released or updated, there is a possibility that it is hiding an unknown vulnerability. If a cybercriminal spots the vulnerability before the developers do, they can write exploit code to take advantage of it.
But exploit code is harmless without a way to reach the target software or system. Cybercriminals need to pair their exploit code with another form of attack, such as social engineering or a Remote Desktop Protocol (RDP) attack. Often, one zero-day will be paired with another zero-day or an existing vulnerability, combining to make a much more powerful, dangerous, and damaging attack. Once inside the target, the exploit code gets to work, unleashing a malicious payload or pilfering personal information.
Zero-days are most often discovered by nation-state hackers and are used by their governments to further their espionage and cyberwarfare efforts.
When non-government cybercriminals discover zero-day vulnerabilities, however, they often find it more lucrative to simply sell their exploit code on the dark web, allowing other attackers to use their tool to breach as many systems as possible before developers discover the vulnerability and provide a patch to mitigate it. Zero-days can mean paydays for those involved with Ransomware-as-a-Service (RaaS) or initial access brokers.
Once a mitigation is available, however, systems can remain vulnerable if organisations are slow to apply the recommended patches or software updates, meaning zero-day vulnerabilities can remain dangerous for a long time.
Real-World Zero-Day Exploit Examples
2021 closed out with the revelation of a zero-day threat that created massive waves in the cybersecurity industry. The Log4Shell vulnerability started as a zero-day, and Apache acted on it as soon as security researchers disclosed it. This critical exploit for a remote code execution vulnerability in the Log4j library, a Java logging library used in a significant number of internet applications, sent businesses worldwide scrambling to identify and mitigate the impact of the exploit, while security pros and experts released patches and scanning tools, and guided organisations on how to best protect themselves from attack.
Our top pick for 2021’s most noteworthy, high-profile, and damaging cybercrime of the year was the Fourth of July-weekend attack on Florida-based software provider Kaseya. The infamous REvil collective hit them with a ransomware attack that utilised zero-day vulnerabilities and impacted businesses across five continents — including shutting down public schools in New Zealand, closing a major grocery chain in Sweden, and disrupting operations for hundreds of businesses across the U.S.
In one of the most catastrophic data breaches during all of 2020, foreign intelligence operatives took advantage of a compromised SolarWinds program through a zero-day vulnerability, invading an estimated 18,000 private and government-affiliated networks. These data breaches granted attackers access to an abundance of identifiable information, including financial information, source code, passwords, and usernames.
In 2014 hackers exploited a previously undisclosed vulnerability during a spear-phishing email campaign to unleash a devastating attack on Sony Pictures Entertainment’s computer network. The attack crippled the network while releasing the personal emails of top executives, business information, and even copies of unreleased films.
Arguably the most infamous zero-day attack, the Stuxnet worm exploited four zero-day vulnerabilities and is believed to be responsible for destroying centrifuges in Iran and drastically slowing their nuclear ambitions.
How To Protect Your Organisation Against Zero-Day Exploits
Zero-day vulnerabilities present a major challenge for cybersecurity teams, as their existence often isn’t known until they are being actively exploited by cybercriminals. However, developing a robust and proactive security posture can go a long way toward protecting your business against zero-day exploits, and minimising the damage they can do to your organisation. Here are our best-practice recommendations:
Determine if You’re Vulnerable
You can’t protect what you can’t see. That’s why the crucial first step in protecting your organisation against zero-day exploits is to ensure you have total visibility into your network, endpoints, and environments in order to determine if you are vulnerable to a zero-day once it becomes known.
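The visibility point above becomes concrete the moment an advisory lands: you need to answer "which of our assets run the affected package in the affected version range, and which of those are internet-facing?" The following is an added example, not Arctic Wolf code or tooling. The asset inventory, the advisory, the package name "loglib" and the version scheme (major.minor.patch with an optional pre-release suffix) are all constructed for illustration.

```python
"""Added example (not Arctic Wolf code): once an advisory is published, match it
against an asset inventory to find which hosts are exposed and which to patch
first. The inventory, the advisory and the package name "loglib" are constructed
for illustration; the version scheme is a simple major.minor.patch[-prerelease]."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    zone: str      # "dmz" for internet-facing, "internal" otherwise
    package: str
    version: str


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_min: str  # first affected version (inclusive)
    fixed_in: str      # first safe version (exclusive upper bound)


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' or '2.15.0-rc1' into a tuple that sorts correctly.

    Numeric components compare numerically and are padded to three places, so
    '2.15' == '2.15.0'. A pre-release suffix sorts *before* the final release of
    the same number, so '2.15.0-rc1' < '2.15.0' and is still considered unfixed.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = m.group(2)
    return (nums, 0, "") if pre is None else (nums, -1, pre)


def is_affected(version: str, adv: Advisory) -> bool:
    """True when affected_min <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def exposed_assets(inventory, adv: Advisory) -> list:
    """Affected assets, internet-facing (dmz) hosts first, then by host name."""
    hits = [a for a in inventory
            if a.package == adv.package and is_affected(a.version, adv)]
    return sorted(hits, key=lambda a: (a.zone != "dmz", a.host))


# Constructed sample data (hypothetical hosts, package and advisory).
INVENTORY = [
    Asset("web01", "dmz", "loglib", "2.14.1"),
    Asset("web02", "dmz", "loglib", "2.15.0"),           # already on the fixed version
    Asset("app01", "internal", "loglib", "2.10.0"),
    Asset("app02", "internal", "loglib", "2.15.0-rc1"),  # pre-release of the fix is not the fix
    Asset("db01", "internal", "otherlib", "2.14.1"),     # same version number, different package
    Asset("build01", "internal", "loglib", "1.2.17"),    # predates the affected range
]
ADVISORY = Advisory(package="loglib", affected_min="2.0.0", fixed_in="2.15.0")

if __name__ == "__main__":
    for a in exposed_assets(INVENTORY, ADVISORY):
        print(f"{a.host:8} {a.zone:9} {a.package} {a.version}")
```

Two details matter in practice and are deliberately exercised by the sample data: a pre-release build of the fixed version is still unfixed, and a matching version number in a different package is a false positive. The internet-facing hosts come out first because they are the ones most likely to be reached by an exploit that is already circulating.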
Monitor and Detect Attacks
While you can’t patch an unknown vulnerability, you can detect potential attacks by monitoring your network for unusual or unprecedented activity. To do this effectively, you need 24×7 eyes-on-glass coverage of your entire environment, both your on-premises and your cloud-based resources, so you can detect attacks in real-time if they occur.
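One way to detect "unusual or unprecedented activity" without knowing the vulnerability in advance is to baseline what processes normally launch what on each host, then alert on pairs that have never been seen, with a fixed high-severity rule for the pattern that most often follows a successful remote code execution exploit: a request-serving process spawning a shell. The following is an added example, not Arctic Wolf code or product logic. The JSON-lines events, host name, and the lists of shells and server processes are constructed for illustration.

```python
"""Added example (not Arctic Wolf code): a small process-creation detector.
It learns which parent->child process pairs are normal for each host during a
baseline window, then alerts on pairs never seen before, escalating to "high"
when a server process spawns a shell. The JSON-lines events, host name and
process lists below are constructed for illustration, not real telemetry."""
import json
from collections import defaultdict

# Interpreters that should not normally be children of a request-serving process.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Long-running services that handle untrusted input (constructed list).
SERVER_PROCS = {"java", "nginx", "httpd", "node", "w3wp.exe"}

# Constructed baseline window: routine activity on one host.
BASELINE_EVENTS = """\
{"ts":"2021-12-01T10:00:00Z","host":"web01","parent":"systemd","child":"java"}
{"ts":"2021-12-02T03:00:00Z","host":"web01","parent":"cron","child":"sh"}
{"ts":"2021-12-02T03:00:01Z","host":"web01","parent":"sh","child":"logrotate"}
{"ts":"2021-12-03T09:00:00Z","host":"web01","parent":"systemd","child":"java"}
"""

# Constructed live window: one suspicious event and one merely new one.
LIVE_EVENTS = """\
{"ts":"2021-12-10T14:00:00Z","host":"web01","parent":"systemd","child":"java"}
{"ts":"2021-12-10T14:02:17Z","host":"web01","parent":"java","child":"bash"}
{"ts":"2021-12-10T15:00:00Z","host":"web01","parent":"cron","child":"sh"}
{"ts":"2021-12-10T16:30:00Z","host":"web01","parent":"systemd","child":"sshd"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(events: list) -> dict:
    """Map each host to the set of (parent, child) pairs observed in the window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add((e["parent"], e["child"]))
    return dict(seen)


def detect(events: list, baseline: dict) -> list:
    """Return alerts for live events, in arrival order.

    Two checks run on every event: a fixed rule (server process -> shell) that
    fires even if the pair was seen before, because a baseline captured on an
    already-compromised host would otherwise whitelist the attacker; and an
    anomaly check for any pair outside the host's baseline.
    """
    alerts = []
    for e in events:
        pair = (e["parent"], e["child"])
        known = pair in baseline.get(e["host"], set())
        if e["parent"] in SERVER_PROCS and e["child"] in SHELLS:
            severity, reason = "high", "server process spawned a shell"
        elif not known:
            severity, reason = "medium", "parent/child pair not in baseline"
        else:
            continue
        alerts.append({"ts": e["ts"], "host": e["host"], "pair": pair,
                       "severity": severity, "reason": reason})
    return alerts


def run_demo() -> list:
    """Build the baseline from the constructed window and run detection on the live one."""
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    return detect(parse_events(LIVE_EVENTS), baseline)


if __name__ == "__main__":
    for a in run_demo():
        print(f'{a["ts"]} {a["host"]} {a["severity"]:6} '
              f'{a["pair"][0]} -> {a["pair"][1]}: {a["reason"]}')
```

On the constructed data this produces two alerts: a high-severity one for java spawning bash, and a medium-severity one for the never-before-seen systemd to sshd pair, which an analyst would likely triage as a legitimate change. The medium tier is where 24×7 eyes-on-glass coverage earns its keep: an unseen pair is only evidence of change, and a human still has to decide whether the change is an attack.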
Mitigate and Recover
A fully staffed team of security experts is required if you’re going to either apply patches to mitigate the vulnerability or recover from an attack should the worst-case scenario come true.
How Arctic Wolf Can Help
Arctic Wolf® Managed Risk enables you to discover, assess, and harden your environment against digital risks like zero-days by contextualising your attack surface coverage across your networks, endpoints, and cloud environments. We provide you with 24×7 continuous monitoring, and work with you to prioritise the remediation of any vulnerabilities discovered.
The Arctic Wolf® Managed Detection and Response (MDR) solution provides 24×7 monitoring of your networks, endpoints, and cloud environments to help you detect, respond to, and recover from modern cyber attacks like zero-day exploits.
An experienced security operations team like Arctic Wolf’s Concierge Security® Team can help you stay protected against known vulnerabilities and the unknown risks of zero-day exploits by providing the dedicated services and security experts you need to prevent, protect, and respond to threats in your environment.