“Zero-day” is a broad term that describes recently discovered security vulnerabilities that hackers can use to attack systems. The term “zero-day” refers to the fact that the vendor or developer has only just learned of the flaw – which means they have “zero days” to fix it. A zero-day attack takes place when hackers exploit the flaw before developers have a chance to address it.
Zero-day is sometimes written as 0-day. The words vulnerability, exploit, and attack are typically used alongside zero-day, and it’s helpful to understand the difference:
A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it. Because the vendors are unaware, no patch exists for zero-day vulnerabilities, making attacks likely to succeed.
A zero-day exploit is the method hackers use to attack systems with a previously unidentified vulnerability.
A zero-day attack is the use of a zero-day exploit to cause damage to or steal data from a system affected by a vulnerability.
Software often has security vulnerabilities that hackers can exploit to cause havoc. Software developers are always looking out for vulnerabilities to “patch” – that is, develop a solution that they release in a new update.
However, sometimes hackers or malicious actors spot the vulnerability before the software developers do. While the vulnerability is still open, attackers can write and deploy code that takes advantage of it. This is known as exploit code.
The exploit code may lead to the software users being victimized – for example, through identity theft or other forms of cybercrime. Once attackers identify a zero-day vulnerability, they need a way of reaching the vulnerable system. They often do this through a socially engineered email – i.e., an email or other message that is supposedly from a known or legitimate correspondent but is actually from an attacker. The message tries to convince a user to perform an action like opening a file or visiting a malicious website. Doing so downloads the attacker’s malware, which infiltrates the user’s files and steals confidential data.
When a vulnerability becomes known, the developers try to patch it to stop the attack. However, security vulnerabilities are often not discovered straight away. It can sometimes take days, weeks, or even months before developers identify the vulnerability that led to the attack. And even once a zero-day patch is released, not all users are quick to implement it. In recent years, hackers have been faster at exploiting vulnerabilities soon after discovery.
Exploits can be sold on the dark web for large sums of money. Once an exploit is discovered and patched, it’s no longer referred to as a zero-day threat.
Zero-day attacks are especially dangerous because the only people who know about them are the attackers themselves. Once they have infiltrated a network, criminals can either attack immediately or sit and wait for the most advantageous time to do so.
Malicious actors who carry out zero-day attacks fall into different categories, depending on their motivation. For example:
A zero-day hack can exploit vulnerabilities in a variety of systems, including:
As a result, there is a broad range of potential victims:
It’s helpful to think in terms of targeted versus non-targeted zero-day attacks:
Even when attackers are not targeting specific individuals, large numbers of people can still be affected by zero-day attacks, usually as collateral damage. Non-targeted attacks aim to capture as many users as possible, meaning that the average user’s data could be affected.
Because zero-day vulnerabilities can take multiple forms – such as missing data encryption, missing authorizations, broken algorithms, bugs, problems with password security, and so on – they can be challenging to detect. Due to the nature of these types of vulnerabilities, detailed information about zero-day exploits is available only after the exploit is identified.
Organizations that are attacked by a zero-day exploit might see unexpected traffic or suspicious scanning activity originating from a client or service. Some of the zero-day detection techniques include:
Using existing databases of known malware and its behavior as a reference. Although these databases are updated very quickly and can be useful as a reference point, by definition, zero-day exploits are new and unknown. So there’s a limit to how much an existing database can tell you.
Alternatively, some techniques look for zero-day malware characteristics based on how it interacts with the target system. Rather than examining the code of incoming files, this technique looks at the interactions they have with existing software and tries to determine whether those interactions result from malicious actions.
Increasingly, machine learning is applied to data from previously recorded exploits, together with data on past and current interactions with the system, to establish a baseline for safe system behavior. The more data that is available, the more reliable detection becomes.
Often, a hybrid of different detection systems is used.
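As an added illustration (not from the original article) of why the signature-based and behavior-based techniques above complement each other in a hybrid setup: the sample hashes, process names and event telemetry below are constructed, and the "baseline" is a simple frequency count standing in for the learned model the text describes.

```python
import hashlib
from collections import Counter

# Constructed signature database: SHA-256 of two samples that are "already known".
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-sample-A").hexdigest(),
    hashlib.sha256(b"known-sample-B").hexdigest(),
}

# Constructed clean-period telemetry: (process, action) pairs observed on a healthy host.
CLEAN_HISTORY = (
    [("winword.exe", "open:docx")] * 40
    + [("winword.exe", "write:tmp")] * 12
    + [("browser.exe", "connect:443")] * 30
    + [("updater.exe", "write:program-files")] * 3
)

# Constructed telemetry from a document exploiting a flaw the database has never seen.
NOVEL_SAMPLE = b"novel-sample-no-signature-yet"
NOVEL_EVENTS = [
    ("winword.exe", "open:docx"),      # normal for this host
    ("winword.exe", "spawn:shell"),    # never seen during the clean period
    ("winword.exe", "write:autorun"),  # never seen during the clean period
]
BENIGN_EVENTS = [("winword.exe", "open:docx"), ("winword.exe", "write:tmp")]

def signature_match(sample: bytes) -> bool:
    """Signature check: hits only if this exact file is already in the database."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

def build_baseline(history):
    """Count how often each (process, action) pair occurred while the host was known-clean."""
    return Counter(history)

def behavioral_alerts(baseline, events, min_seen=1):
    """Return the interactions that appeared fewer than min_seen times in the baseline."""
    return [ev for ev in events if baseline[ev] < min_seen]

def hybrid_verdict(sample, baseline, events):
    """Combine both techniques: a signature hit is decisive, otherwise judge by behavior."""
    if signature_match(sample):
        return "known-malware"
    if behavioral_alerts(baseline, events):
        return "suspicious-behavior"
    return "clean"

BASELINE = build_baseline(CLEAN_HISTORY)

if __name__ == "__main__":
    print(hybrid_verdict(NOVEL_SAMPLE, BASELINE, NOVEL_EVENTS))  # suspicious-behavior
```

The novel sample has no signature hit, so only the behavioral layer flags it; a sample already in the database is caught before any telemetry is needed.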
Examples of zero-day attacks
Some recent examples of zero-day attacks include:
One of the most famous examples of a zero-day attack was Stuxnet. First discovered in 2010 but with roots that spread back to 2005, this malicious computer worm affected manufacturing computers running programmable logic controller (PLC) software. The primary target was Iran’s uranium enrichment plants to disrupt the country’s nuclear program. The worm infected the PLCs through vulnerabilities in Siemens Step7 software, causing the PLCs to carry out unexpected commands on assembly-line machinery. The story of Stuxnet was subsequently made into a documentary called Zero Days.
For zero-day protection and to keep your computer and data safe, it’s essential for both individuals and organizations to follow cyber security best practices. This includes:
Within organizations, educate users. Many zero-day attacks capitalize on human error. Teaching employees and users good safety and security habits will help keep them safe online and protect organizations from zero-day exploits and other digital threats.