[BreachExchange] Zero days explained: How unknown vulnerabilities become gateways for attackers

Destry Winant destry at riskbasedsecurity.com
Thu Apr 15 10:32:02 EDT 2021


https://www.csoonline.com/article/3284084/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html#tk.rss_news

Zero day definition

A zero day is a security flaw for which the vendor of the flawed
system has yet to make a patch available to affected users. The name
ultimately derives from the world of digital content piracy: if
pirates were able to distribute a bootleg copy of a movie or album on
the same day it went on sale legitimately (or maybe even before), it
was dubbed a "zero day."

Borrowed into the world of cybersecurity, the name evokes a scenario
where an attacker has gotten the jump on a software vendor,
implementing attacks that exploit the flaw before the good guys of
infosec are able to respond. Once a zero day attack technique is
circulating out there in the criminal ecosystem—often sold by its
discoverers for big bucks—the clock is ticking for vendors to create
and distribute a patch that plugs the hole.

Zero day vulnerability vs exploit vs attack

There are three words — vulnerability, exploit, and attack — that you
often see associated with zero days, and understanding the distinction
will help you get a grasp on the zero day lifecycle.

A zero day vulnerability is a software or hardware flaw that has been
discovered and for which no patch exists. The discovery part is key to
this—there are no doubt any number of flaws out there that literally
nobody knows about, which raises some "What if a tree fell in the
forest but nobody heard it?"-style philosophical questions. But the
question of who knows about these flaws is crucial to how security
incidents play out. White hat security researchers who discover a flaw
may contact the vendor in confidence so that a patch can be developed
before the flaw's existence is widely known. Some malicious hackers or
state-sponsored hacking groups, meanwhile, may want to keep knowledge
of the vulnerability secret so that the vendor remains in the dark and
the hole remains open.

At any rate, a vulnerability by itself is a tempting target, but
nothing more. In order to use that vulnerability to gain access to a
system or its data, an attacker must craft a zero day exploit—a
penetration technique or piece of malware that takes advantage of the
weakness. While some attackers design these exploits for their own
use, others sell them to the highest bidder rather than get their
hands dirty directly.

Once armed with an exploit, a malicious hacker can now carry out a
zero day attack. In other words, a vulnerability only represents a
potential avenue of attack, and an exploit is a tool for performing
that attack; it's the attack itself that's truly dangerous. This can
be a point of contention within the security research community, where
vulnerabilities are often uncovered—and occasionally publicized—with
the intent of raising awareness and getting them patched more quickly.
However, vendors whose vulnerabilities are exposed sometimes treat
that exposure as tantamount to an attack itself.

Why are zero day exploits dangerous?

Because zero day exploits represent a means to take advantage of a
vulnerability that has yet to be patched, they are a sort of "ultimate
weapon" for a cyberattack. While almost innumerable systems around the
world are breached every year, the sad truth is that most of those
breaches make use of holes that are known to security pros and for
which fixes exist; the attacks succeed in part due to poor security
hygiene on the part of the victims, and organizations that are on top
of their security situation—which, at least in theory, should include
truly high value targets like financial institutions and government
agencies—will have applied the needed patches to prevent those sorts
of breaches.


But a zero day vulnerability, by definition, has no patch available
yet. If the vulnerability hasn't been widely publicized, potential
victims may not be paying attention to the vulnerable system or
software and so could miss signals of suspicious activity. The
advantage this gives to attackers means that they may try to keep
knowledge of the vulnerability relatively secret and use zero day
exploits only against high value targets, since the secret won't last
forever.

It's worth reiterating that the category of "attackers" here includes
not just cybercriminals but state-sponsored groups as well. Both
Chinese and U.S. intelligence agencies are known to collect
information on zero day vulnerabilities that they can use for the
purposes of espionage or cybersabotage. One particularly famous
instance of this was a vulnerability discovered in the SMB protocol in
Microsoft Windows by the U.S. National Security Agency; the NSA
crafted the EternalBlue exploit code to take advantage of this, which
was eventually stolen by malicious hackers who used it to create the
WannaCry ransomware worm.

When affected organizations do learn about a zero day vulnerability,
they may find themselves in a quandary, especially if the
vulnerability is in an operating system or other widely used piece of
software: they must either accept the risk of attack or shut down
crucial aspects of their operations.

Defense against zero day attacks

While zero day vulnerabilities and attacks are thus extremely serious
matters, that doesn't mean that mitigating them is impossible. Ways to
fight against such attacks can be grouped into two broad categories:
what individual organizations and their IT departments can do to
protect their own systems, and what the industry and security
community as a whole can do to make the overall environment safer.

Let's start by discussing what you and your organization can do to
protect yourself. Hopefully, you're already practicing good security
hygiene; the good news is that even if there's no patch available for
a specific zero day vulnerability, tight security practices can still
reduce your chance of being seriously compromised. The Cybriant blog
breaks it down into these steps:

- Practice defense in depth. Remember, many breaches are the result of
a chain of attacks exploiting multiple vulnerabilities. Keeping your
patches up to date and your staff aware of best practices can break
that chain. Your datacenter servers may be afflicted with a zero day
vulnerability, for instance, but if an attacker can't breach your
up-to-date firewall or convince your users to download a trojan
attached to a phishing email, they won't be able to deliver their
exploit to that vulnerable system.
- Keep an eye out for intrusions. Because you might not know the form
a zero day attack will take, you need to keep an eye out for
suspicious activity of all kinds. Even if an attacker enters your
systems through a vulnerability unknown to you, they'll leave telltale
signs as they begin moving across your network and possibly
exfiltrating information. Intrusion detection and prevention systems
are designed to spot this kind of activity, and advanced antivirus may
similarly peg code as malware based on its behavior, even if it
doesn't match any existing signatures.
- Lock down your networks. Any device or server in your company could
theoretically be harboring a zero day vulnerability, but it's not very
likely that all of them do. A network infrastructure that makes it
difficult for attackers to move from computer to computer and easy to
isolate compromised systems can help limit the damage an attack can
do. In particular, you'll want to implement role-based access controls
to ensure that infiltrators can't get to your crown jewels easily.
- Be sure to back up. Despite your best efforts, it's possible that a
zero day attack will be able to knock some of your systems offline, or
damage or erase your data. Frequent backups will ensure that you can
bounce back from such worst-case scenarios quickly.
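The "keep an eye out for intrusions" step above rests on the idea that an attacker who got in through an unknown hole still leaves behavioural traces once they start moving laterally. The following is an added example, not code from the CSO article or from the Cybriant blog it cites: a small behavioural detector run over constructed authentication log lines. The log format, the host and user names, the five-minute window and the thresholds are all assumptions chosen for the illustration; a real deployment would tune them against its own baseline.

```python
"""Behavioural detection over constructed authentication logs.

Added example (not from the CSO article or the Cybriant blog). Two
signature-free signals that a host may be the foothold of an intruder
moving across the network:

  1. fan-out: one source authenticating to an unusually large number
     of distinct destinations inside a short window;
  2. failure burst: one source racking up repeated authentication
     failures inside a short window (probing for accessible hosts).

Log format, host names, window and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> <source host> -> <destination host> <user> <result>
SAMPLE_LOG = """\
2021-04-15T09:00:01 ws-042 -> fileserver-1 alice success
2021-04-15T09:00:05 ws-042 -> mail-1 alice success
2021-04-15T09:03:10 ws-017 -> fileserver-1 bob success
2021-04-15T09:10:00 ws-042 -> db-1 alice failure
2021-04-15T09:10:02 ws-042 -> db-2 alice failure
2021-04-15T09:10:04 ws-042 -> hr-1 alice failure
2021-04-15T09:10:05 ws-042 -> build-1 alice success
2021-04-15T09:10:07 ws-042 -> backup-1 alice success
2021-04-15T09:30:00 ws-017 -> mail-1 bob success
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, src, _arrow, dst, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "user": user, "result": result}


def parse_log(text):
    """Parse the whole log, skipping blank lines, sorted by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_fanout(events, window=timedelta(minutes=5), max_distinct=3):
    """Alert on any source that reaches more than max_distinct distinct
    destinations within a sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) > max_distinct:
                alerts.append({"src": src, "first": evs[start]["ts"],
                               "last": evs[end]["ts"],
                               "destinations": sorted(dsts)})
                break  # one alert per source is enough for this example
    return alerts


def detect_failure_burst(events, window=timedelta(minutes=5), max_failures=2):
    """Alert on any source with more than max_failures failed
    authentications within a sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                alerts.append({"src": src, "failures": count,
                               "first": times[start], "last": times[end]})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_fanout(evs):
        print("fan-out:", a["src"], "->", ", ".join(a["destinations"]))
    for a in detect_failure_burst(evs):
        print("failure burst:", a["src"], a["failures"], "failures")
```

Run as a script, the detector flags `ws-042` on both signals (five distinct destinations and three failures inside a few seconds) and stays quiet about `ws-017`, whose two successful logins spread over half an hour look like normal use. The point is not the specific thresholds but that neither rule needs to know which vulnerability let the attacker in; both key on behaviour that a compromised host exhibits regardless of the initial exploit, which is exactly what makes this kind of monitoring useful against a zero day.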

But fighting off zero day attacks isn't something that you need to do
on your own. In fact, the broader security ecosystem—which consists of
everyone from independent white-hat hacker researchers to security
teams at big software and hardware vendors—has an interest in
uncovering and fixing zero day vulnerabilities before malicious
hackers can exploit them.

It's true that individual actors within this ecosystem sometimes butt
heads, as we've noted. If an independent security researcher contacts
a vendor with information about a vulnerability, the vendor might see
them as a threat rather than a help, especially if the researcher is
unknown to the vendor's security team. On the flipside, researchers
may grow frustrated if a vendor drags its feet on patching a hole
they've been informed about, and will thus release information about
the zero day vulnerability before a patch is ready for it, in order to
light a fire under the vendor's feet.

Efforts have been made to help these various actors work together
better, collaborating and sharing information in a responsible way
rather than pointing fingers at one another. One important way this
can be achieved is through bounty programs like Trend Micro's Zero Day
Initiative, which pay cash rewards to security researchers who report
security flaws in a responsible way. While these programs probably
can't match the amounts criminal cartels will shell out for zero day
exploits, they provide an incentive to keep researchers on the
straight and narrow, as well as an institutional structure that
mediates between white hat hackers and vendors and keeps lines of
communications open on progress towards patches.

One thing vendors and researchers do generally agree on is that
state-sponsored groups that keep information on zero day
vulnerabilities to themselves for espionage purposes do not help the
cause of security. In the wake of the revelations about the NSA and
the EternalBlue exploit, Microsoft put out a pointed statement that
called for an end to governments "stockpiling" vulnerabilities and for
better information sharing.

Zero day attack examples

We've already discussed EternalBlue, an instance of the U.S.
government keeping a zero day exploit secret for quite some time.
Strictly speaking, though, the wave of attacks that began with
WannaCry weren't zero day attacks, because Microsoft did release a
patch for its SMB vulnerability not long before they began, though
many systems remained vulnerable.

The march of zero day vulnerabilities and attacks is relentless. Here
are a few of the most prominent in late 2020 and early 2021:

- Security vendor SonicWall urged its customers to take preventative
actions after its own systems were attacked through previously unknown
vulnerabilities.

- A vulnerability in Microsoft Exchange Server enabled a series of
attacks tied to Hafnium, a Chinese hacking group.

- A vulnerability in the widely used Chrome browser was exploited in
the wild before Google was able to make a patch available.

- Google's Project Zero bug-hunting team discovered hackers exploiting
zero day vulnerabilities in Windows, iOS, and Android; attacks were
chained together to breach the systems.
