While businesses have always had many threats to contend with, cyber attacks are becoming increasingly worrying. A zero-day exploit is one of the severest malware threats.
Cyber attacks can have severe consequences for businesses, as hackers can steal money, data, or intellectual property that compromises your operations. And no companies are immune. They impact traders, local businesses, national chains, and even global giants like Google (in fact, Google has at least 22 unforeseen attacks every year).
But that’s not to say that cyber attacks are inevitable. There are steps we can take to protect ourselves.
In this article, we’ll tell you everything you need to know about zero-day exploits, why they’re dangerous, and how you can identify and prevent them.
What Is a Zero-Day Exploit?
A zero-day exploit is a previously undiscovered security flaw in your software or hardware that hackers can exploit to breach your systems. Zero-day exploits have many different names, including “zero-hour exploits” or “day0 exploits.”
No matter the name, the origin of “zero-day” is the same. The term “zero-day” stresses the seriousness of the problem. After someone discovers a zero-day vulnerability, developers have zero days to fix the error before it becomes an urgent issue.
When learning about zero-day exploits, you may hear them called “zero-day vulnerabilities” or “zero-day attacks.” There’s an essential distinction between these terms:
- “Zero-day exploit” refers to the method hackers use to attack software
- “Zero-day vulnerability” refers to the undiscovered flaw in your system
- “Zero-day attack” refers to the action hackers take when they use the vulnerability to breach your system
The term “undiscovered” is crucial when discussing zero-day vulnerabilities, as the vulnerability must be unknown to the system’s creators to be considered a “zero-day vulnerability.” A security vulnerability stops being a “zero-day vulnerability” once developers know about the problem and have released a patch.
Many different groups of people carry out zero-day attacks, including:
- Cybercriminals: Criminal hackers with a financial motivation
- Hacktivists: People looking to hack into systems to further a political cause or agenda
- Corporate hackers: Hackers who are looking to learn information about a competitor
- For-profit hackers: People who find vulnerabilities to sell them to companies (but don’t intend to exploit the vulnerability themselves)
How a Zero-Day Attack Works
While every attack is different, most attacks generally work like this:
- Step 1: Your developers create a system. This system contains a zero-day vulnerability that developers don’t know about.
- Step 2: After the system is live, the hacker (sometimes called a “threat actor” or “malicious actor”) discovers a vulnerability in the system.
- Step 3: The hacker writes and executes malicious code to exploit the vulnerability and breach your system.
- Step 4: Either the public or developers notice a severe problem, and developers fix the problem with a patch.
Sometimes, the hacker who discovers your zero-day threat and the hacker who attacks your system are different people.
Some hackers sell information to other hackers through the black market. The black market exists on the dark web — a section of the internet you can’t reach with search engines like Google, Yahoo, and Bing. People access the dark web through anonymous browsers like Tor.
Some cybersecurity companies also look for exploits to sell that information to the system’s owners.
These companies sell that data over the “white” or “gray” markets (though the distinctions between the white, grey, and black markets vary depending on your local cybersecurity laws).
Now that you know how zero-day exploits work, you’re probably wondering how hackers breach your system.
While there is no tried-and-true method, many hackers use:
Fuzzing (or “fuzz testing”) is a brute-force technique hackers use to find holes in your system.
When a hacker fuzzes a target, they use software that enters random data into your system’s input boxes (text boxes where people enter information). Then, the hacker watches for crashes, memory leaks, or failed assertions that indicate a hole in your code.
Many fuzzing techniques focus on spamming input boxes with random, nonsensical, or invalid answers. For example, if you had a text box for someone to enter their age in years, a hacker would test to see how your system responds when they put “-94” or “@45.”
Social engineering is a manipulation technique hackers use to gain access to a system through its users.
There are many types of social engineering, including:
- Pretexting: When someone uses pretexting, they try to gain your trust by creating a believable scenario. For example, they may pretend to be from your IT department and say they need your password.
- When someone baits you, they try to breach your system by enticing you to interact with corrupt material. For example, in 2018, a Chinese hacker sent a mysterious CD to several U.S. state and local authorities. The goal was to trick them into opening the CD’s contents out of curiosity.
- Phishing: When someone phishes you, they impersonate someone you know to convince you to give them confidential information, open a malicious file, or click a corrupted link. For example, if you were expecting an email from “[email protected],” a hacker may use the email address “[email protected]” to phish you. As 38% of cyber attacks on U.S. companies in 2019 used phishing, many companies protect themselves from phishing with fraud prevention tools like FraudLabsPro or Simility.
Once a hacker uses social engineering to breach a system, they use the user’s account to hunt for zero-day vulnerabilities from the inside.
You don’t need to be a multibillion-dollar banking company for a hacker to target you. Hackers will target any organization, individual, or entity they can profit from, especially:
- Organizations with poor cybersecurity
- Organizations that handle personal data (especially addresses, Social Security numbers (SSNs), customer’s full legal names, and customer’s birthdates)
- Government agencies
- Organizations that have confidential information
- Organizations that create software or hardware for customers (as they can use the technology to hack customers)
- Organizations that work in the defense field
When choosing who to hack, many hackers look for easy targets that will yield a high reward, as they want to make the most money with the least effort and risk.
Though every hacker works differently, most target:
- Operating systems
- Web browsers
- Hardware and firmware
- Software applications
- Internet of Things (IoT) devices
Although you may not think about cyberattacks regularly, they happen more often than you may realize. As of 2020, individuals and organizations have detected over 677 million pieces of malware. This is a 2,317.86% increase from 2010, when people had only detected over 28 million pieces of malware.
According to research from the Ponemon Institute, nearly 48% of organizations have experienced a data breach in the last two years. 62% of these organizations were unaware of the vulnerability before the attack (meaning they were zero-day attacks).
Though most organizations don’t make details of their attacks public, we know of many large attacks from the past few years. These include:
The 2021 Google Chrome Hack
In April 2021, Google released an update for its Google Chrome browser on Windows, Linux, and Mac devices. Among other things, this update fixed a zero-day vulnerability that a hacker exploited. They called the vulnerability “CVE-2021-21224.”
Though Google didn’t share the full details of the attack, CVE-2021-21224 allowed someone to run code in a sandbox through a crafted HTML page.
The 2020 Zoom Hack
In July 2020, cybersecurity company 0patch reported that an anonymous person had identified a zero-day vulnerability in Zoom. The vulnerability allowed a hacker to run code remotely in Zoom once they gained entry by getting a user to click a link or open malware. The vulnerability only existed on computers running Windows 7 or earlier versions of Windows.
After learning about the vulnerability, 0patch took the information to Zoom, and Zoom’s developers released a security patch for the issue within a day.
The 2016/2017 Microsoft Word Attack
In 2016, Ryan Hanson (a security researcher and consultant from Optiv) identified a zero-day vulnerability within Microsoft Word. The vulnerability (known as “CVE-2017-0199”) allowed an attacker to install malware on a user’s computer after the user downloaded a Word document that ran malicious scripts.
According to Reuters, hackers exploited CVE-2017-0199 to steal millions from online bank accounts before Microsoft developers patched it in 2017. Interestingly, Hanson wasn’t the only person to discover CVE-2017-0199 — in April 2017, researchers at McAfee and FireEye both reported finding the vulnerability.
The 2010 Stuxnet Attack
In 2010, Stuxnet targeted several facilities (including nuclear facilities) in Iran. Stuxnet was a computer worm that infected Windows computers through USB sticks that contained malware.
The Stuxnet malware then attacked machines by targeting their Programmable Logic Controllers (PLCs). These PLCs automate machine processes, meaning Stuxnet could interfere with its target’s machinery.
According to McAfee, Stuxnet destroyed several water treatment plants, power plants, gas lines, and centrifuges in Iran’s Natanz uranium enrichment facility. Stuxnet also spawned many descendants, including Duqu (a piece of malware that steals data from the computers it targets).
Why Zero-Day Attacks Are Dangerous
The financial, operational, and legal impact of a zero-day attack can be devastating. According to Verizon’s 2021 Data Breach Investigations Report, 95% of organizations targeted by hackers lost:
- Between $250–$984,855 in Business Email Compromise (BEC) attacks
- Between $148–$1,594,648 in Computer Data Breach (CDB) incidents
- Between $69–$1,155,755 in ransomware incidents
However, zero-day attacks are still devastating even if you don’t lose money. Here’s why:
They Can Go Undetected for Days, Months, or Even Years
As zero-day vulnerabilities are unknown to developers, many organizations don’t know when an attacker has breached their systems until long after the attack. Unfortunately, this means hackers may repeatedly abuse your system before you can stop them.
Vulnerabilities Can Be Difficult to Fix
Once your business learns that a hacker has compromised your system, you’ll need to figure out where the vulnerability is. As many organizations use multiple systems, it could take a while to locate and patch the hole.
Hackers Can Use Them to Steal Financial Data or Banking Information
Many attackers enter systems to steal financial data or banking information. Some hackers sell this data to a third party, while others will use your financial information to steal money from you.
Criminals Can Use Them to Hold Your Company for Ransom
While many hackers use zero-day attacks to steal data, others hold your company for ransom through Distributed Denial of Service (DDoS) attacks and other ransom techniques. DDoS attacks spam your website with requests until it crashes.
If you’d like to learn how to stop a DDoS attack, you can read our case study: “How To Stop a DDoS Attack in its Tracks.”
Criminals Can Target Your Customers
If you sell software or hardware with a dedicated user base, hackers could breach your system and use it to attack your customers.
We recently saw a devastating example of this when criminals breached Kaseya’s software and used their system to attack 800–1,500 of Kaseya’s customers with ransomware.
How to Identify a Zero-Day Attack
As each zero-day attack works differently, there’s no perfect way to detect them. However, there are many common ways organizations identify attacks. Here are six of them.
1. Conduct Vulnerability Scanning
Vulnerability scanning is the process of hunting for zero-day vulnerabilities in your system. Once you find a vulnerability, you work to patch it before hackers can exploit it.
Vulnerability scanning can be an independent activity or a regular part of your development process. Many organizations also choose to outsource their vulnerability scanning to specialized cybersecurity firms.
2. Collect and Monitor Reports From System Users
As your system users interact with your system regularly, they may spot potential problems before you do. Naturally, you should track your user reports for reports about suspicious emails, pop-ups, or notifications about password attempts.
3. Watch Your Website’s Performance
According to Verizon’s 2021 Data Breach Investigations Report, over 20% of cyber attacks target web applications. While you won’t always be able to tell if hackers have breached your web application or website, someone may have attacked your website if:
- You can’t log in
- Your website’s appearance has changed
- Your website redirects visitors to an unknown website
- Your website performance unexpectedly tanks
- Your website is showing browser warnings, like this one:
4. Utilize Retro Hunting
Retro hunting is the process of looking for reports of significant cyber-attacks and checking if your organization was affected. To get the most from retro hunting, make sure you:
- Direct all emails from your software vendors to a central inbox, and check it regularly for notifications about security flaws
- Scan the news daily to check for new attacks on organizations in your industry
- Read the details of recent attacks and ask your developers to check if your systems could withstand a similar attack
5. Watch for Reduced Network Speed
When a hacker gains access to a system through malware, the increase in network traffic sometimes slows down the victim’s internet connection. So, if you keep an eye on your network speeds, you could identify an attack as it happens.
6. Track Your Software’s Performance
When someone gains access to your system through a vulnerability, the code they inject into your software could slow down your program, alter its functions, or take features offline. Naturally, you could identify a zero-day attack by watching for significant or unexplained changes in your system.
How to Protect Yourself From Zero-Day Exploits
As you have no choice but to sit and watch hackers steal money, data, and trade secrets while you wait for developers to patch the hole, zero-day attacks are very stressful.
Your organization’s best weapon against zero-day attacks is better preparation. Here are eight ways you can protect your systems from zero-day attacks.
1. Use Security Software
Security software protects your system against viruses, internet-based intrusions, and other security threats.
While every software offers slightly different types of protection, most software solutions can scan downloads for malware, block unauthorized users from your system, and encrypt your data.
Some security software companies also develop specialized software for websites. For example, if you use WordPress (like 40% of websites), you could protect your site with:
- File Integrity Monitoring (FIM) software
- Plugins that look for dodgy comments (like Astra Web Security and WP fail2ban)
- Plugins that protect your site against brute force attacks
- A Content Delivery Network (CDN)
Alternatively, you could use a general security plugin like Sucuri or Wordfence.
2. Install New Software Updates Often
As hackers find vulnerabilities in outdated code, updating your website, web applications, and software is key to keeping your systems safe. New updates protect your system because:
- They contain patches for known cybersecurity vulnerabilities (including zero-day exploits)
- They remove old or unused parts of programs that hackers could exploit
- They introduce new cybersecurity measures to keep users safe
- They fix minor bugs that are vulnerable to fuzzing
3. Use Secure Web Hosting
Hackers violate over 127,000 websites every day. And because hackers can breach your site through plugins, website themes, or outdated versions of WordPress core, WordPress websites are prime targets.
Thankfully, you can protect your organization by using a secure hosting provider like Kinsta. Kinsta protects your site with:
- Encrypted Secure File Transfer Protocol (SFTP) and Secure Shell (SSH) connections
- A secure connection to Google Cloud Platform
- A hack fix guarantee
- An IP Deny Tool that lets you block IP addresses from accessing your website
- Distributed Denial of Service (DDoS) protection and an enterprise-level firewall through Cloudflare
- Automatic backups every two weeks
- A malware security pledge
4. Use a Firewall
Firewalls are precisely what they sound like: digital walls between your system and the outside world. Firewalls add an extra layer of protection to your systems, as hackers need to breach the firewall before they can attack your system.
There are many types of firewalls you can choose from, including personal, packet filtering, stateful, web application, and Next-Generation (NGFW) firewalls.
5. Use the Least Access Rule
The Least Access Rule says that people in your organization should only have access to data, hardware, and software that they need to perform their regular work duties.
The Least Access Rule creates fewer entry points for hackers who use social engineering, limiting the number of people who have administrative access to each system.
6. Switch to DevOps Development
DevOps is an approach that uses a system of continuous development to update programs constantly. It can help you tighten your security against zero-day exploits, as it forces you to update and change your system constantly.
If you’d like to learn more about DevOps development, you can read our article “DevOps Tools.” But in short, DevOps development follows this life cycle:
7. Implement User Security Training
User security training teaches your employees to identify social engineering techniques and security threats in the wild.
Training your employees to spot cybersecurity threats will help them identify attacks, inform the right people quickly, and act without panicking or giving hackers information.
8. Use VPNs
Virtual Private Networks (VPNs) are intermediary servers that protect your browsing data, IP address, and connection data as you browse the internet. Using VPNs will make it harder for criminal hackers to breach your system through your web browser, as they have less information to use against you.
VPNs work like this:
Zero-day attacks are increasingly common and a natural worry for organizations across the globe. However, there are steps you can take to reduce your risk of attack, including:
- Training your staff to spot and respond to attacks
- Using cybersecurity measures like VPNs, security software, and firewalls
- Altering your development process to update systems regularly
- Carefully controlling access to data and vulnerable systems
- Using secure website hosting services (like Kinsta)
Now that we’ve shared our tips, it’s over to you. What steps do you take to mitigate the risk of a cyber attack at your organization? Please let us know in the comments below.