Zero-day definition and meaning
The phrase “zero-day” refers to newly found security flaws that hackers may exploit to attack systems. The phrase “zero-day” alludes to the notion that the vendor or developer has just recently discovered the vulnerability—and therefore has “zero days” to patch it. A zero-day attack occurs when hackers take advantage of a vulnerability before engineers have a chance to patch it.
Zero-day is sometimes abbreviated as “0-day.” The terms “vulnerability,” “exploit,” and “attack” are often used in conjunction with zero-day vulnerabilities, and it’s important to grasp the distinction:
- A zero-day vulnerability is one that has been identified by attackers before the vendor is aware of it. Because the vendor does not yet know about it, no fix exists, which makes attacks more likely to succeed.
- A zero-day exploit is a technique used by hackers to target systems that have a previously unknown vulnerability.
- A zero-day attack is the use of a zero-day exploit to compromise a system, or to steal data from it, by way of the unpatched vulnerability.
What are zero-day attacks and how are they carried out?
Often, software has security flaws that hackers may exploit to wreak damage. Software engineers are always on the lookout for vulnerabilities to “patch”—that is, provide a fix for them in a new version.
However, hackers or bad actors may discover a vulnerability ahead of software engineers. While the vulnerability is unpatched, attackers may write and run code that takes advantage of it. This is referred to as exploit code.
The exploit code may result in the victimization of software users, for example via identity theft or other types of cybercrime. Once an attacker discovers a zero-day vulnerability, they need a means of reaching the susceptible system. They often do this through socially engineered emails: an email or other communication that seems to originate from a known or genuine correspondent but actually comes from the attacker. The message attempts to persuade the user to take an action, such as opening a file or visiting a malicious website. By doing so, the attacker’s malware is downloaded, infecting the user’s files and stealing sensitive data.
When a vulnerability is discovered, developers work to fix it to prevent an attack. However, security flaws are often not immediately detected. It is not uncommon for developers to spend days, weeks, or even months discovering the vulnerability that enabled the attack. And even when a zero-day vulnerability is discovered and patched, not all users immediately apply the patch. Hackers have become more adept at exploiting weaknesses in recent years.
On the dark web, exploits may be sold for huge amounts of money. Once an exploit has been identified and fixed, it is no longer considered a zero-day threat.
Zero-day assaults are particularly hazardous since they are unknown to anybody but the perpetrators. Once thieves have gained access to a network, they may either attack immediately or wait for the most opportune moment to strike.
Who is responsible for zero-day attacks?
Malicious actors that conduct zero-day attacks may be classified according to their motives. For instance:
- Cybercriminals — hackers who are often motivated by financial gain.
- Hacktivists — hackers who are motivated by a political or social purpose and want visibility for their assaults to bring attention to their cause.
- Corporate espionage — hackers who conduct surveillance on businesses in order to get information about them.
- Cyberwarfare — countries or political entities spying on or assaulting the cyberinfrastructure of another country.
Who are the targets for the zero-day exploits?
A zero-day attack may make use of vulnerabilities in a wide range of systems, including the following:
- Operating systems
- Web browsers
- Office applications
- Open-source components
- Hardware and firmware
- Internet of Things (IoT)
As a result, the prospective victims are diverse:
- Individuals who make use of a potentially susceptible system, such as a browser or an operating system. Hackers may use security flaws to infiltrate devices and create huge botnets.
- Individuals who have access to critical company information, such as intellectual property.
- Hardware devices, firmware, and the Internet of Things.
- Businesses and organizations of a certain size.
- Governmental organizations.
- Political targets and/or risks to national security.
It’s instructive to consider targeted vs untargeted zero-day attacks:
- Targeted zero-day attacks are directed at potentially valuable targets, such as major businesses, government agencies, or prominent people.
- Zero-day attacks that are not targeted are usually directed at users of vulnerable systems, such as an operating system or browser.
Even when attackers do not specifically target individuals, huge numbers of people may be impacted by zero-day assaults, often as collateral damage. Non-targeted assaults are designed to compromise as many people as possible, which means that the typical user’s data may be compromised.
How to determine the existence of zero-day attacks
Because zero-day vulnerabilities may manifest in a variety of ways—including missing data encryption, missing authorizations, faulty algorithms, flaws, and issues with password security—they can be difficult to identify. Due to the nature of zero-day exploits, comprehensive information about them is only accessible once the vulnerability is discovered.
When an organization is attacked by a zero-day exploit, it may notice unusual traffic or suspicious scanning activities coming from a client or service. Several zero-day detection methods include the following:
- Using current malware datasets and their behavior as a guide. Although these databases are updated often and may serve as a helpful reference point, zero-day vulnerabilities are by definition novel and unknown. As a result, there is a limit on how much information a current database can provide.
- Alternatively, other methods search for features of zero-day malware based on how it interacts with the target system. Rather than analyzing the source code of incoming files, this method examines their interactions with existing software to identify whether they are the product of malicious activity.
- Machine learning is increasingly used to build a baseline of safe system behavior from previously recorded exploits together with prior and current system interactions, so that activity which departs from that baseline can be flagged. The more data available, the more reliable the detection becomes.
Often, a combination of several detection methods is used.
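The two behavioral approaches above (judging a file by how it interacts with the system, and building a baseline of normal activity from recorded interactions) can be shown with a small detector. This is an added example written for this page, not code from the original article or from any product it mentions. It assumes a hypothetical telemetry feed of process-start records with a parent process and an optional network destination; the hosts, process names, and addresses are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]
Baseline = Dict[str, Set[Tuple[str, str]]]

# Constructed sample telemetry (not real logs): one record per process start,
# with the parent that launched it and, if any, the network destination it contacted.
BASELINE_EVENTS: List[Event] = [
    {"host": "ws01", "process": "explorer.exe",   "parent": "userinit.exe", "dst": ""},
    {"host": "ws01", "process": "outlook.exe",    "parent": "explorer.exe", "dst": "mail.corp.example:443"},
    {"host": "ws01", "process": "winword.exe",    "parent": "explorer.exe", "dst": ""},
    {"host": "ws01", "process": "winword.exe",    "parent": "outlook.exe",  "dst": ""},
    {"host": "ws01", "process": "chrome.exe",     "parent": "explorer.exe", "dst": "cdn.example.com:443"},
    {"host": "ws01", "process": "chrome.exe",     "parent": "explorer.exe", "dst": "intranet.corp.example:443"},
    {"host": "ws01", "process": "powershell.exe", "parent": "explorer.exe", "dst": ""},
]

# Constructed events to score against the baseline. The last one is a document
# spawning a shell that reaches an address never seen before: the interaction
# pattern a behavioral detector flags even when no signature for the exploit exists.
NEW_EVENTS: List[Event] = [
    {"host": "ws01", "process": "winword.exe",    "parent": "outlook.exe",  "dst": ""},
    {"host": "ws01", "process": "chrome.exe",     "parent": "explorer.exe", "dst": "cdn.example.com:443"},
    {"host": "ws01", "process": "powershell.exe", "parent": "winword.exe",  "dst": "203.0.113.7:8080"},
]


def build_baseline(events: List[Event]) -> Baseline:
    """Record which parent/child pairs and which process/destination pairs are normal."""
    baseline: Baseline = {"parent_child": set(), "process_dst": set()}
    for e in events:
        learn(baseline, e)
    return baseline


def learn(baseline: Baseline, event: Event) -> None:
    """Fold a reviewed, benign event into the baseline (more data, more reliable detection)."""
    baseline["parent_child"].add((event["parent"], event["process"]))
    if event["dst"]:
        baseline["process_dst"].add((event["process"], event["dst"]))


def score_event(event: Event, baseline: Baseline) -> List[str]:
    """Return the reasons an event departs from the baseline (empty list means normal)."""
    reasons: List[str] = []
    pair = (event["parent"], event["process"])
    if pair not in baseline["parent_child"]:
        reasons.append(f"unseen parent/child: {pair[0]} -> {pair[1]}")
    if event["dst"] and (event["process"], event["dst"]) not in baseline["process_dst"]:
        reasons.append(f"unseen destination for {event['process']}: {event['dst']}")
    return reasons


def detect(events: List[Event], baseline: Baseline) -> List[Dict[str, object]]:
    """Run every event through score_event and collect those with at least one reason."""
    return [
        {"event": e, "reasons": score_event(e, baseline)}
        for e in events
        if score_event(e, baseline)
    ]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for alert in detect(NEW_EVENTS, baseline):
        print(alert["event"]["host"], alert["event"]["process"], "|", "; ".join(alert["reasons"]))
```

The caveat the article hints at applies here: the baseline is only as trustworthy as the period it was learned from. If the attacker was already active while the baseline was being built, their activity is recorded as normal, which is why `learn` should only be fed events a person has reviewed, and why a baseline detector is used alongside signature and reputation data rather than instead of them.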
Examples of zero-day attacks
Recent instances of zero-day attacks include the following:
2021: Chrome zero-day vulnerability
A vulnerability was discovered in a widely used video conferencing platform. In this zero-day attack, hackers gained remote access to a user’s PC if they were running an earlier version of Windows. If the victim was an administrator, the hacker could gain full control of their computer and access all of their data.
2020: Apple iOS
Apple’s iOS operating system is often referred to as the most secure of the main smartphone platforms. However, in 2020, it was compromised by at least two sets of iOS zero-day vulnerabilities, including one that enabled attackers to remotely hack iPhones.
2019: Microsoft Windows, Eastern Europe
The attack exploited a local privilege escalation vulnerability in Microsoft Windows and targeted government entities in Eastern Europe. The zero-day attack used the vulnerability to execute arbitrary code, install programs, and view and modify data in affected applications. After the attack was discovered and reported to Microsoft’s Security Response Center, a fix was created and distributed.
2017: Microsoft Word
This zero-day vulnerability allowed for the compromise of personal bank accounts. The victims were individuals who inadvertently opened a malicious Word document. The document had a prompt to “load remote content,” which showed a pop-up window requesting external access from another application. When victims clicked “yes,” the document installed malware on their device, capturing banking log-in information.
Stuxnet is one of the most well-known zero-day attacks. The dangerous computer worm was found in 2010, but has roots dating back to 2005. It targeted manufacturing machines using programmable logic controller (PLC) software. Iran’s uranium enrichment facilities were the main target for impeding the country’s nuclear program. Through weaknesses in Siemens Step7 software, the worm infiltrated the PLCs, leading them to execute unexpected instructions on assembly-line equipment. Stuxnet’s narrative was later adapted into a documentary titled Zero Days.
How to guard against zero-day attacks
To avoid zero-day attacks and to keep your computer and data secure, both people and businesses must adhere to cyber security best practices. This includes the following:
- Maintain current versions of all software and operating systems. This is because manufacturers provide security fixes in new versions to address newly discovered vulnerabilities. Keeping yourself current guarantees your security.
- Utilize just the necessary apps. The more software you have, the greater the number of possible vulnerabilities. By using just the apps that you need, you may minimize the danger to your network.
- Use a firewall. Firewalls are critical to safeguarding your system from zero-day attacks. You may guarantee optimum security by setting it up to allow just the transactions that are absolutely required.
- Educate users inside organizations. Numerous zero-day attacks take advantage of human mistakes. Instilling excellent safety and security practices in workers and users can assist in keeping them secure online and prevent businesses from zero-day attacks and other digital dangers.
- Utilize an all-encompassing antivirus software solution. Heimdal Security protects your device from known and unknown dangers.
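The first item in the list above, keeping software at a version that contains the vendor's fix, is easy to state and easy to get wrong in practice because version strings do not sort as text ("45" sorts after "110"). The following is an added example written for this page, not code from the original article or from any vendor, showing how an organization might check a software inventory against the versions in which fixes shipped. The hosts, component names, and version numbers are constructed placeholders, and the inventory and advisory dictionaries stand in for whatever asset database and vendor advisories a real deployment would use.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory: host -> component -> installed version (placeholder data).
INSTALLED: Dict[str, Dict[str, str]] = {
    "ws01": {"browser": "96.0.4664.45",  "office": "16.0.14326.20454", "pdf-reader": "21.7"},
    "ws02": {"browser": "96.0.4664.110", "office": "16.0.14326.20454", "pdf-reader": "21.7.1"},
}

# Constructed advisory data: component -> first version that contains the fix.
# Components with no entry have no open advisory and are not checked.
FIXED_IN: Dict[str, str] = {"browser": "96.0.4664.110", "pdf-reader": "21.7.1"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers for correct comparison.

    Only the leading digits of each dot-separated field are used, so '21.7.1-beta'
    becomes (21, 7, 1); trailing zeros are dropped so that '1.2' equals '1.2.0'.
    """
    parts: List[int] = []
    for field in version.split("."):
        match = re.match(r"\d+", field)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the version that shipped the fix."""
    return parse_version(installed) >= parse_version(fixed)


def unpatched_report(installed: Dict[str, Dict[str, str]],
                     fixed_in: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """List (host, component, installed, fixed_in) for every component still below the fix."""
    findings: List[Tuple[str, str, str, str]] = []
    for host, components in installed.items():
        for name, version in components.items():
            fixed = fixed_in.get(name)
            if fixed is not None and not is_patched(version, fixed):
                findings.append((host, name, version, fixed))
    return findings


if __name__ == "__main__":
    for host, name, have, need in unpatched_report(INSTALLED, FIXED_IN):
        print(f"{host}: {name} {have} is below fixed version {need}")
```

Run as a script, it reports only `ws01`, whose browser and PDF reader are below the fixed versions; a naive string comparison would have passed the browser because "45" sorts after "110". Such a report is a starting point for prioritizing updates, not proof of safety: a zero-day by definition has no fixed version yet, which is why the remaining items in the list (fewer installed applications, a restrictive firewall, user awareness, and behavior-based protection) matter alongside patching.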