In this tutorial, we’ll discuss zero-day (or 0-day) attacks and what we can to do mitigate them. In general, zero-day relates to events happing before they should. The zero-day notion came from the media business when illegal media copies were available before their planned releases. Hence, the information security area uses these concepts:
- Zero-day vulnerability: an issue unknown to the developers
- Zero-day exploit: an available zero-day vulnerability exploit
- Zero-day attack: an attack using zero-day exploits
A zero-day attack is a scary thing. And it should: how we fix what we don’t know? Luckily, there are some ways to lower the risks.
2. Famous Cases
According to experts, we’re seeing a growing number of zero-day attacks. So, many well-known cyber security cases used 0-days:
2.1. Stuxnet and Iranian Nuclear Facilities
The Stuxnet is a worm targeting Siemens SCADA industrial control system. It worked by targeting zero-day Windows-based network vulnerabilities. Those vulnerabilities allowed the worm to replicate freely. As soon as it got into a host running Siemens SCADA’s level7, it was compromised. Then, after having level7 under control, Stuxnet infects the industrial program logic controllers. That way, it can drive the industrial machinery at its will. And that’s what happened in 2010 at Iran’s uranium enrichment facilities. After spreading over them, Stuxnet increased the centrifuges’ rotational speed until their breaking points. Its infection ended with a DoS (denial of service) attack. In fact, the worm had an incredible replication capacity. Besides the ability to move through vulnerable networks, it was also able to infect USB drives. Many regards this as the world’s first cyber-warfare weapon deployment.
2.2. The DNC Hack
In 2016, the Democratic National Committee hack disclosed thousands of emails. The attack started as a spear-phishing email targeting the DNC’s staff. A spear-phishing email attack is when an email is crafted to con a specific person or group. Even the 2016 presidential campaign team was on the list. The email led to a fake web page directing users to use their login credentials. Next, the attackers used these credentials to access DNC’s VPN and servers to install X-agent. A malware that employed zero-day vulnerabilities to gain privileges and to monitor keystrokes. Some wonder if this could have been avoided. The Dutch Government tipped US Government Agencies about signs of this hack back in 2015. Yet, due to bad inter-agency communication, it took months for them to notify the DNC technical team. In the meantime, the Russian groups that engaged in the attack took control of hundreds of servers and user accounts.
2.3. LinkedIn Spear-Phishing
Likewise, in 2021, we saw another nasty spear-phishing campaign. Again, it involved Russian actors. This time, the target was E.U. government officials, through LinkedIn messaging. To this end, they exploited a zero-day Apple Webkit vulnerability to steal user credentials. Thus, the targeted LinkedIn users received a message linking to a fake website. If they fell into it, the attacker would get their credentials. With the user’s login, the attackers scraped their data and their contact’s data.
2.4. Log4J Zero-Day
Again, in 2021, a zero-day was found in one of the world’s most used logging tools: Apache Log4J. Log4J is quite widespread, thus, its JNDI 0-day, described in CVE 2021-44228 (and the issues following rushed patches), exposed thousands of servers worldwide. It allowed the download and execution of malicious code from remote LDAP servers by the abuse of a JNDI bug. Still, even if many Log4J users didn’t use LDAP servers, their setups could suffer from the vulnerability. Moreover, in our Java Weekly Issue 416, we have very useful details about this attack.
As we saw, the harder part of zero-days is how to avoid issues we don’t know. What we can do is reduce the attack surface:
- Keep all software up to date: when vendors find zero-days, they rush to publish fixes
- Avoid unsupported legacy software: many of them have vulnerabilities that will never see a fix
- Disable non-vital software: less running software leads to lower risk
- Use strict firewall setup: allowing only known network traffic
- Secure devices: anti-virus, host-firewall, and endpoint security software
- Educate the users: most of the attacks take the edge from users’ lack of security awareness
- Manage incident communication: sometimes major attacks begin with simple events
Actually, those tips are among the guidelines in current security frameworks such as the Zero Trust architecture.
In this article, we’ve seen some of the concepts of zero-day attacks. Also, we saw how to reduce their risks. We can mitigate zero-day risks by using regular proactive practices.