“Zero-day” is a broad term that describes recently discovered security vulnerabilities that hackers can use to attack systems. The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it. A zero-day attack takes place when hackers exploit the flaw before developers have a chance to address it.
Zero-day is sometimes written as 0-day. The words vulnerability, exploit, and attack are typically used alongside zero-day, and it’s helpful to understand the difference:
A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it. Because the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed.
A zero-day exploit is the method hackers use to attack systems with a previously unidentified vulnerability.
A zero-day attack is the use of a zero-day exploit to cause damage to or steal data from a system affected by a vulnerability.
What are zero-day attacks and how do zero-day attacks work?
Software often has security vulnerabilities that hackers can exploit to cause havoc. Software developers are always looking out for vulnerabilities to “patch” – that is, develop a solution that they release in a new update.
However, sometimes hackers or malicious actors spot the vulnerability before the software developers do. While the vulnerability is still open, attackers can write and deploy code that takes advantage of it. This is known as exploit code.
The exploit code may lead to the software users being victimized – for example, through identity theft or other forms of cybercrime. Once attackers identify a zero-day vulnerability, they need a way of delivering the exploit to the vulnerable system. They often do this through a socially engineered email – i.e., an email or other message that is supposedly from a known or legitimate correspondent but is actually from an attacker. The message tries to convince a user to perform an action like opening a file or visiting a malicious website. Doing so triggers the exploit, which installs the attacker’s malware; the malware then gains a foothold on the machine and steals confidential data.
When a vulnerability becomes known, the developers try to patch it to stop the attack. However, security vulnerabilities are often not discovered straight away. It can sometimes take days, weeks, or even months before developers identify the vulnerability that led to the attack. And even once a zero-day patch is released, not all users are quick to apply it, so the exploit keeps working against unpatched systems. In recent years, the gap between a vulnerability becoming public and attackers exploiting it at scale has shrunk to days or less.
Exploits can be sold on the dark web for large sums of money. Once the underlying vulnerability is publicly known and patched, it is no longer referred to as a zero-day (such flaws are often called n-days), although systems that have not applied the patch remain exposed.
Zero-day attacks are especially dangerous because the only people who know about them are the attackers themselves. Once they have infiltrated a network, criminals can either attack immediately or sit and wait for the most advantageous time to do so.
Who carries out zero-day attacks?
Malicious actors who carry out zero-day attacks fall into different categories, depending on their motivation. For example:
- Cybercriminals – hackers whose motivation is usually financial gain
- Hacktivists – hackers motivated by a political or social cause who want the attacks to be visible to draw attention to their cause
- Corporate espionage – hackers who spy on companies to gain information about them
- Cyberwarfare – countries or political actors spying on or attacking another country’s cyberinfrastructure
Who are the targets for zero-day exploits?
A zero-day hack can exploit vulnerabilities in a variety of systems, including:
- Operating systems
- Web browsers
- Office applications
- Open-source components
- Hardware and firmware
- Internet of Things (IoT)
As a result, there is a broad range of potential victims:
- Individuals who use a vulnerable system, such as a browser or operating system. Hackers can use security vulnerabilities to compromise these devices and build large botnets
- Individuals with access to valuable business data, such as intellectual property
- Hardware devices, firmware, and the Internet of Things
- Large businesses and organizations
- Government agencies
- Political targets and/or national security threats
It’s helpful to think in terms of targeted versus non-targeted zero-day attacks:
- Targeted zero-day attacks are carried out against potentially valuable targets – such as large organizations, government agencies, or high-profile individuals.
- Non-targeted zero-day attacks are typically waged against users of vulnerable systems, such as an operating system or browser.
Even when attackers are not targeting specific individuals, large numbers of people can still be affected by zero-day attacks, usually as collateral damage. Non-targeted attacks aim to capture as many users as possible, meaning that the average user’s data could be affected.
How to identify zero-day attacks
Because zero-day vulnerabilities can take multiple forms – such as missing data encryption, missing authorizations, broken algorithms, bugs, problems with password security, and so on – they can be challenging to detect. Due to the nature of these types of vulnerabilities, detailed information about zero-day exploits is available only after the exploit is identified.
Organizations that are attacked by a zero-day exploit might see unexpected traffic or suspicious scanning activity originating from a client or service. Some of the zero-day detection techniques include:
Using existing databases of malware and how they behave as a reference. Although these databases are updated very quickly and can be useful as a reference point, by definition, zero-day exploits are new and unknown. So there’s a limit to how much an existing database can tell you.
Alternatively, some techniques look for zero-day malware characteristics based on how they interact with the target system. Rather than examining the code of incoming files, this technique looks at the interactions they have with existing software and tries to determine if they result from malicious actions.
Increasingly, machine learning is used: models are trained on previously recorded exploits and on records of past and current interactions with the system to establish a baseline for safe system behavior, and activity that deviates from that baseline is flagged. The more data that is available, the more reliable detection becomes.
Often, a hybrid of different detection systems is used.
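The three approaches above (a signature database, behavioural comparison against a baseline, and a hybrid of the two) can be illustrated in a few lines. The following is an added example written for this page, not code from the original article or from any vendor product; the malware hash database, the process names and the event log it operates on are all constructed for illustration. It shows why the database alone misses a never-before-seen payload while a baseline of normal process behaviour still flags it:

```python
"""Signature lookup versus behavioural baselining (added example).
Not code from the original article; the malware 'database', process
names and event log below are constructed for illustration only."""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[str, str, str]  # (process, action, target)

# Constructed signature database: SHA-256 of file contents -> family name.
KNOWN_MALWARE: Dict[str, str] = {
    hashlib.sha256(b"known-trojan-v1").hexdigest(): "Trojan.Generic",
}

# Constructed baseline: events observed during a period of normal use.
BASELINE_EVENTS: List[Event] = [
    ("winword.exe", "open_file", "docx"),
    ("winword.exe", "open_file", "docx"),
    ("winword.exe", "net_connect", "tcp/443"),
    ("outlook.exe", "net_connect", "tcp/443"),
    ("chrome.exe", "net_connect", "tcp/443"),
    ("chrome.exe", "write_file", "Downloads"),
]

# Constructed events from a session in which a document drops a payload.
SUSPECT_EVENTS: List[Event] = [
    ("winword.exe", "open_file", "docx"),
    ("winword.exe", "spawn_process", "powershell.exe"),
    ("powershell.exe", "net_connect", "tcp/4444"),
    ("powershell.exe", "write_file", "Startup"),
]


def signature_lookup(sample: bytes) -> Optional[str]:
    """Database approach: a hit only if this exact file has been seen before."""
    return KNOWN_MALWARE.get(hashlib.sha256(sample).hexdigest())


def build_baseline(events: List[Event]) -> Dict[str, Set[Tuple[str, str]]]:
    """Behavioural approach: record which (action, target) pairs each process
    performs during normal operation. More baseline data means fewer false alerts."""
    baseline: Dict[str, Set[Tuple[str, str]]] = {}
    for proc, action, target in events:
        baseline.setdefault(proc, set()).add((action, target))
    return baseline


def behavioural_alerts(
    events: List[Event], baseline: Dict[str, Set[Tuple[str, str]]]
) -> List[Event]:
    """Flag every event a process was never seen performing in the baseline,
    including events from processes that never appeared in the baseline at all."""
    return [
        (proc, action, target)
        for proc, action, target in events
        if (action, target) not in baseline.get(proc, set())
    ]


def hybrid_verdict(
    sample: bytes, events: List[Event], baseline: Dict[str, Set[Tuple[str, str]]]
) -> Tuple[str, object]:
    """Hybrid: a signature hit is conclusive; otherwise fall back to behaviour."""
    family = signature_lookup(sample)
    if family is not None:
        return ("known_malware", family)
    alerts = behavioural_alerts(events, baseline)
    if alerts:
        return ("suspicious_behaviour", alerts)
    return ("no_finding", [])


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    # A never-before-seen payload: no signature match, but its behaviour stands out.
    print(hybrid_verdict(b"novel-payload-bytes", SUSPECT_EVENTS, baseline))
```

Running the script reports no signature match for the novel payload but three behavioural alerts: a word processor spawning a shell, and that shell making an unusual outbound connection and writing to a startup location. In practice the baseline would be built from far more events and the comparison would be statistical rather than an exact set lookup, which is where the machine-learning variant comes in.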
Zero-day threats
Some notable examples of zero-day attacks include:
- 2020: Zoom: A vulnerability was found in the popular video conferencing platform. This zero-day attack example involved hackers accessing a user’s PC remotely if they were running an older version of Windows. If the target was an administrator, the hacker could completely take over their machine and access all their files.
- 2020: Apple iOS: Apple’s iOS is often described as the most secure of the major smartphone platforms. However, in 2020, it fell victim to at least two sets of iOS zero-day vulnerabilities, including a zero-day bug that allowed attackers to compromise iPhones remotely.
- 2019: Microsoft Windows, Eastern Europe: This attack exploited a local privilege escalation vulnerability in Microsoft Windows and targeted government institutions in Eastern Europe. The zero-day exploit abused the flaw to run arbitrary code, install applications, and view and change data on the compromised systems. Once the attack was identified and reported to the Microsoft Security Response Center, a patch was developed and rolled out.
- 2017: Microsoft Word: This zero-day exploit compromised personal bank accounts. Victims were people who unwittingly opened a malicious Word document. The document displayed a “load remote content” prompt, showing users a pop-up window that requested external access from another program. When victims clicked “yes,” the document installed malware on their device, which was able to capture banking log-in credentials.
One of the most famous examples of a zero-day attack was Stuxnet. First discovered in 2010 but with roots that spread back to 2005, this malicious computer worm targeted Windows computers used to program programmable logic controllers (PLCs). The primary target was Iran’s uranium enrichment plants, with the aim of disrupting the country’s nuclear program. The worm spread using several Windows zero-day vulnerabilities, then reached the PLCs through Siemens Step7 software and altered their logic, causing the PLCs to issue unexpected commands to the centrifuges they controlled. The story of Stuxnet was subsequently made into a documentary called Zero Days.
How to protect yourself against zero-day attacks
For zero-day protection and to keep your computer and data safe, it’s essential for both individuals and organizations to follow cyber security best practices. This includes:
- Keep all software and operating systems up to date. Vendors include security patches for newly identified vulnerabilities in new releases. Updating cannot close a zero-day before a fix exists, but it shrinks the window in which a published exploit still works against you once the patch ships.
- Use only essential applications. The more software you have, the more potential vulnerabilities you have. You can reduce the risk to your network by using only the applications you need.
- Use a firewall. A firewall plays an essential role in limiting what a zero-day exploit can reach. You can get the most protection by configuring it to allow only the inbound and outbound connections you actually need and to deny everything else by default.
- Within organizations, educate users. Many zero-day attacks capitalize on human error. Teaching employees and users good safety and security habits will help keep them safe online and protect organizations from zero-day exploits and other digital threats.