Zero Day Vulnerability<\/h3>\n\n\n\n
A zero day vulnerability<\/strong> is a chink or weakness in your armor that you may or may not yet know exists. This is something that could be exploited<\/em> in an attack if someone chose to do so, but it\u2019s not actually about the attack itself. A zero day vulnerability may have been publicly disclosed by researchers or vendors, but it\u2019s something that hasn\u2019t yet been patched.<\/p>\n\n\n\n Yeah, it’s tricky. A zero day vulnerability is something that you can often find in software, firmware, or hardware and can include examples like:<\/p>\n\n\n\n Now, once an update or patch has been issued for the vulnerability, Trend Micro says that it\u2019s no longer considered a zero day vulnerability<\/a> and instead becomes known as an \u201cn-day\u201d vulnerability. However, some sites and organizations lump zero day attacks and n-day attacks together because they\u2019re both something that threat actors can use to their advantage.<\/p>\n\n\n\n A zero day attack<\/strong>, on the other hand, is a term that involves taking advantage of that unknown (or publicly disclosed) vulnerability to do something bad.<\/p>\n\n\n\n The National Institute of Standards and Technology<\/a> (NIST) succinctly defines a zero day attack as \u201can attack that exploits a previously unknown hardware, firmware or software vulnerability.\u201d Basically, it\u2019s an advanced type of cyber attack that occurs when a cybercriminal exploits<\/em> a gap in your security before you have a chance to patch it. (Hence why some people use the terms \u201czero day attack\u201d and \u201czero day exploit\u201d interchangeably.)<\/p>\n\n\n\n Trend Micro also has a great description for these types of exploits or attacks:<\/p>\n\n\n\n \u201cWhen hackers or threat actors successfully develop and deploy proofs of concept (PoCs) or an actual malware that exploits the vulnerability while the vendor is still working on rolling out a patch (or sometimes, unaware of the vulnerability\u2019s existence), it becomes a zero-day exploit or attack.\u201d<\/em><\/p><\/blockquote>\n\n\n\n Basically, the difference between these terms can be pictured in a very simple way. Imagine that you have a sturdy, reinforced concrete wall protecting your organization. A zero day vulnerability represents the existence of a crack or hole in that barrier that you haven\u2019t noticed. A zero day exploit would be when an enemy actually mounts an attack and comes through that hole or crevasse.<\/p>\n\n\n\n FireEye Mandiant Threat Intelligence research<\/a> shows that there were \u201cmore zero-days exploited in 2019 than any of the previous three years.\u201d<\/p>\n\n\n\n It\u2019s virtually impossible to prevent zero day attacks as a whole. Why? Because the definition of a zero day attack is an attack that takes advantage of vulnerabilities that you don\u2019t know exist or are newly discovered. How can you block a punch when you don\u2019t know one\u2019s coming? This is where the people mentioned in the next section can help.<\/p>\n\n\n\n But first, it\u2019s important to note that the majority of <\/strong>data breaches<\/strong><\/a> don\u2019t result from the exploitation of zero day vulnerabilities.<\/strong> Rather, most breaches (and ransomware attacks) often stem from:<\/p>\n\n\n\n Is it a little tongue-in-cheek to say \u201canyone?\u201d But, really, finding zero day vulnerabilities and identifying how to exploit them isn\u2019t something that\u2019s limited to just the \u201cgood guys\u201d or the \u201cbad guys.\u201d Even tech-savvy end users can find security issues. <\/p>\n\n\n\n In reality, there are a lot of people who search for zero day vulnerabilities in the wild that can be exploited \u2014 vendors, researchers, bug bounty hunters, individual black\/white\/grey hat hackers, and hacker groups alike. Heck, there\u2019s even a division of Trend Micro \u2014 the Zero Day Initiative (ZDI) \u2014 that\u2019s dedicated to hunting these bugs and releasing security vulnerability advisories!<\/p>\n\n\n\n Bug bounty hunting can also be very profitable. For example, in 2019 alone, ZDI reported<\/a> that it awarded more than $1.5 million in cash and other prizes to bug hunters. The contributions of everyone involved resulted in the release of 1,035 advisories in 2019. Of course, these numbers are likely to change throughout 2020 as the vulnerabilities identified in late 2019 will result in advisories in 2020. But the numbers are less than the 1,450 advisories published in 2018.<\/p>\n\n\n\n According to the FireEye Mandiant Threat Intelligence research we mentioned a little bit ago:<\/p>\n\n\n\n \u201cWhile not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities. Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities, as well as an increase in zero-days used against targets in the Middle East, and\/or by groups with suspected ties to this region. Going forward, we are likely to see a greater variety of actors using zero-days, especially as private vendors continue feeding the demand for offensive cyber weapons.\u201d<\/em><\/p><\/blockquote>\n\n\n\n You\u2019ve likely noticed that vulnerabilities are usually identified by long numbers that start with CVE. (For example, CVE-2020-1234, CVE-2019-12345, etc.) But what do these names actually mean? And, moreover, who\u2019s coming up with them?<\/p>\n\n\n\n There\u2019s a group of organizations that, together, are known as CVE Numbering Authorities<\/a> (CNAs). These organizations have been given the ability to metaphorically rubber stamp common vulnerabilities and exposures (CVEs) by assigning them ID numbers. These numbers are used to identify the vulnerabilities in their first-time public announcements and are used by a variety of individuals including vendors, researchers, and vulnerability disclosers.<\/p>\n\n\n\n As of May 28, 2020, the MITRE website reports that there are 128 organizations from 21 countries that are CNAs. The overwhelming majority of them \u2014 77 \u2014 exist within the United States alone.<\/p>\n\n\n\n Let\u2019s break down the naming convention of these vulnerabilities for CVE-2020-1234:<\/p>\n\n\n\n CVE products include:<\/p>\n\n\n\n If it\u2019s just one product that\u2019s affected, it\u2019s considered a single vulnerability. If multiple products have vulnerabilities, then they would be considered separate vulnerabilities However, many products nowadays tend to share code \u2014 in this case, if multiple products share the same vulnerable code, that means that they\u2019d all be lumped under one shared vulnerability ID.<\/p>\n\n\n\n Of course, if a CNA isn\u2019t sure about whether multiple products share the same code, it\u2019s best to err on the side of caution and list them as separate vulnerabilities. <\/p>\n\n\n\n You can search the CVE list on the MITRE website<\/a> for any specific CVE entries or IDs. You can also find CVEs on the National Vulnerability Database<\/a> (NVD) page of the NIST website.<\/p>\n\n\n\n Now that you know what a zero day vulnerability is and how it works, let\u2019s explore three examples of some critical zero day vulnerabilities.<\/strong><\/p>\n\n\n\n Earlier this year, the NSA disclosed a critical vulnerability<\/a> (CVE-2020-0601<\/a>) within their public key infrastructure that would affect the cryptographic function of 32- and 64-bit Windows 10 operating systems and specific versions of Windows Server.<\/p>\n\n\n\n This specific type of vulnerability<\/a> exists in the process of how Windows CryptoAPI validates elliptic curve cryptography (ECC). The risk here is that a bad guy could use a spoofed code signing certificate to exploit this vulnerability and sign an executable to make it believable to unsuspecting users. Of course, attackers can\u2019t pull this off entirely on their own \u2014 they\u2019d need a victim to actually engage with it to activate it.<\/p>\n\n\n\n The end result? The signed file would appear to come from a trusted and reputable source. Thankfully, Microsoft was quick to move forward with putting out an advisory and patching the vulnerability.<\/p>\n\n\n\n In January 2020, ZDI researchers informed Netgear about an unpatched zero day vulnerability in the firmware of their routers. Initially thought to affect only the R7000 router series, it was later discovered by Grimm<\/a> cybersecurity firm researcher Adam Nichols to affect \u201c79 Netgear devices and 758 firmware images that included a vulnerable copy of the web server.\u201d<\/p>\n\n\n\n In his blog post on SOHO device exploitation<\/a>, Nichols says about the vulnerability:<\/p>\n\n\n\n \u201cIn most modern software, this vulnerability would be unexploitable. Modern software typically contains <\/em>stack cookies<\/em><\/a> which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable. This is just one more example of how SOHO device security has fallen behind as compared to other modern software.\u201d<\/em><\/p><\/blockquote>\n\n\n\n Netgear recently released hotfixes<\/a> for some of their routers to address some of the vulnerabilities. However, they also state that \u201cUntil a firmware fix is available for your product, NETGEAR recommends that you follow the workarounds and best practices in this advisory.\u201d<\/p>\n\n\n\n Here\u2019s a breakdown of the timeline from when Netgear was first notified until the date when the vulnerability advisory was made public:<\/p>\n\n\n\n In February 2020, Brian Krebs of Krebs on Security reported that both network attached storage (NAS) devices and firewalls from Zyxel<\/a> had critical flaws that resulted in zero day vulnerabilities.<\/p>\n\n\n\n The NAS flaw, labeled CVE-2020-9054<\/a>, took advantage of a pre-authentication command injection vulnerability within specific firmware versions. Essentially, the flaw would allow hackers to remotely execute arbitrary code on affected devices by using an OS command injection.<\/p>\n\n\n\n According to Zyxel\u2019s updated security advisory<\/a>, the exploit affected UTM, ATP and VPN firewalls running firmware versions ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2. The firmware versions prior to the ZLD V4.35 Patch 0 remained unaffected.<\/p>\n\n\n\n The problem, however, would be that while they had patches available for affected models that fell within warranty and support periods, they weren\u2019t as helpful with legacy systems:<\/p>\n\n\n\n \u201cFor affected NAS products that reached end-of-support in 2016 or earlier, firmware updates are no longer provided. We strongly recommend that users follow the workaround procedure [\u2026] to remediate the vulnerability.\u201d<\/em><\/p><\/blockquote>\n\n\n\n Now that you\u2019ve seen some examples of zero day vulnerabilities, let\u2019s take a look at some of the biggest zero day attacks that have been carried out in recent years:<\/p>\n\n\n\n This critical zero day vulnerability, known as CVE-2019-3568<\/a>, was discovered as being used to facilitate the spread of malware to specific target devices in 2019. Basically, it was a buffer overflow vulnerability that was used to distribute spyware via affected versions of the WhatsApp mobile app for Windows, iOS and Android. this exploit allowed them to remotely execute code that they\u2019d send to those target phone numbers via RTCP packets.<\/p>\n\n\n\n In a federal lawsuit<\/a> against Israeli mobile surveillance firm NSO Group, WhatsApp claimed that the group exploited an audio-calling vulnerability to send government-grade spyware to \u201capproximately 1,400 mobile phones and devices.\u201d The idea here is that since WhatsApp is end-to-end encrypted, they had to find a workaround to obtain message data. So, instead of trying to hack the messages directly, they\u2019d go after the devices instead.<\/p>\n\n\n\n Although WhatsApp was quick to patch the vulnerability, others followed behind it<\/a>, making 2019 a really tough year for the Facebook-owned company.<\/p>\n\n\n\n Buhtrap, a hacker group that\u2019s known for cyber bank robbery initiatives, exploited a Windows OS vulnerability to carry out zero day attacks<\/a> against Eastern European government institutions in June 2019. Cybersecurity writer Davey Winder<\/a> explains that the hacker group carried out their attack by exploiting a vulnerability that affected older versions of Windows OSes and Windows Server 2008.<\/p>\n\n\n\n The flaw, identified as CVE-2019-1132<\/a>, was a privilege escalation issue relating to Win32k memory objects. It was one of the vulnerabilities that Microsoft addressed in a July 9, 2019 patch Tuesday update.<\/p>\n\n\n\n According to a report by SecurityWeek<\/a>:<\/p>\n\n\n\n \u201cThe group used decoy documents to deliver a piece of malware designed to steal passwords from email clients and browsers, and send them to a command and control (C&C) server. The malware also gave attackers full access to the compromised device.\u201d<\/em><\/p><\/blockquote>\n\n\n\n 2017 marked a bad year for IT administrators and businesses worldwide. It was the year in which EternalBlue, one of several exploits that was developed by the NSA and released by a hacker collective known as the Shadow Brokers, was deployed as part of the WannaCry ransomware attacks.<\/p>\n\n\n\n Of course, the exploit was used in other malware and cyber attacks<\/a> (TrickBot, WannaMine, Coin Miner, etc.), but WannaCry was one of the first and best known variants because it\u2019s thought to have affected more than 200,000 computers in more than 100 countries.<\/p>\n\n\n\n The way the zero day exploit worked was that it allow hackers to remotely exploit a software vulnerability<\/a> that existed within Microsoft\u2019s Windows OS server message block (SMB) version 1 protocol. This access would allow them to compromise the entire network that an infected device was connected to, along with any devices associated with the network.<\/p>\n\n\n\n Part of the reason WannaCry was so successful as a cyber attack is that although Microsoft released a patch for EternalBlue the month before the WannaCry attacks began, many businesses failed to deploy the patch on their systems. One such example was the United Kingdom\u2019s National Health Service (NHS).<\/p>\n\n\n\n The UK\u2019s National Audit Office reports that the NHS was warned about security issues<\/a> relating to legacy systems in advance of the WannaCry attacks but lagged in their response. According to Amyas Morse<\/a>, the head of the NAO:<\/p>\n\n\n\n \u201cThe WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.\u201d<\/em><\/p><\/blockquote>\n\n\n\n We\u2019ll conclude this list by talking about the other best-known zero day exploit \u2014 Stuxnet<\/a>. The Stuxnet exploit wreaked havoc in Iranian nuclear facilities<\/a> by affecting its uranium enriching centrifuges back in the late 2000s before going public.<\/p>\n\n\n\n The sophisticated computer worm, developed by U.S. and Israeli governments<\/a>, eventually spread to devices in 115 countries, according to report from ZDNet<\/a>. Although Stuxnet is, by modern day standards, considered old news, this worm is still relevant in the sense that it was the first known publicly known type of cyber attack to target industrial systems<\/a> around the world.<\/p>\n\n\n\n Although we\u2019ve certainly seen enough high-impact zero day attacks that should cause the IT and security community to sit up and take notice, the fact is that patching remains a big issue. This is true for many businesses and organizations alike regardless of their sizes or locations. <\/p>\n\n\n\n But patching isn\u2019t the only thing that businesses, governments, and organizations can do to protect their IT infrastructure, networks, and data:<\/p>\n\n\n\n Although zero day attacks aren\u2019t the leading cause of data breaches, that doesn\u2019t mean that these types of attacks can\u2019t affect your organization in other ways.<\/p>\n","protected":false},"author":8,"featured_media":1155,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[91,90],"class_list":["post-1152","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","tag-zero-day-attack","tag-zero-day-vulnerability","post-with-tags"],"yoast_head":"\nZero Day Attack (or Zero Day Exploit, Zero Hour Attack, etc.)<\/h3>\n\n\n\n
What Makes Zero Day Attacks Such a Threat<\/h2>\n\n\n\n
Who Finds Zero Day Exploits<\/h2>\n\n\n\n
How Zero Day Exploits Are Identified<\/h2>\n\n\n\n
Who\u2019s Responsible for Naming Common Vulnerabilities and Exploits<\/h3>\n\n\n\n
What\u2019s in a Name: Let\u2019s Take a Closer Look at CVE Naming Conventions<\/h3>\n\n\n\n
![\"A](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/zero-day-vulnerabilities-and-exploits-shared-code.png\")
Where to Find the List of Known CVEs<\/h3>\n\n\n\n
Examples of New or Recent Zero Day Vulnerabilities<\/h2>\n\n\n\n
1. Windows 10 Vulnerability Spoofs Authentication in Executables<\/h3>\n\n\n\n
2. Netgear Zero Day Firmware Vulnerability Leaves Routers Open to Takeover Attacks<\/h3>\n\n\n\n
![\"Screenshot](\"https:\/\/sectigostore.com\/blog\/wp-content\/uploads\/2020\/06\/netgear-zero-day-vulnerability-1024x499.png\")
3. Zyxel Vulnerabilities Within Firmware for NAS and Firewall Solutions<\/h3>\n\n\n\n
3 Real World Zero Day Attack Examples<\/h2>\n\n\n\n
1. Hackers Exploit WhatsApp Vulnerability to Distribute Spyware<\/h3>\n\n\n\n
2. Hackers Use Microsoft Windows Vulnerability to Carry Out Government Espionage in Europe<\/h3>\n\n\n\n
3. \u2018EternalBlue\u2019 Exploit Affected Hundreds of Thousands of Devices Worldwide<\/h3>\n\n\n\n
4. Stuxnet Wreaks Havoc on Iranian Nuclear Facility Before Going Public<\/h3>\n\n\n\n
Final Thoughts on Zero Day Vulnerabilities & Attacks (and How to Protect Your Organization Against Them)<\/h2>\n\n\n\n