The Dreaded Zero-Day
A quick perusal of cybersecurity-related news headlines will reveal a common phrase, typically with undertones of dread and fear: “Zero-Day.” Other than being a great title for an end-of-days movie, or even one about a terrible virus (looking at you, COVID-19), zero-days have shaped the cybersecurity landscape.
The first question to ask is what they are, and here we hit the first area of complication. There are at least three types of zero-day the public needs to be aware of: zero-day vulnerabilities, zero-day exploits, and zero-day attacks. Taking each in turn, they can be defined as:
- Zero-day vulnerabilities are flaws in software or hardware that are discovered by threat actors before the vendor is made aware of them. As the vendor does not know the vulnerability exists in its product, no patch exists, meaning that any subsequent attack is likely to succeed. This is particularly beneficial to attackers for fairly obvious reasons, which is why discovering such a vulnerability is a goal many threat actors strive for.
- Zero-day exploits are the specific method employed by threat actors to take advantage of the discovered vulnerability.
- Zero-day attacks make use of exploits in order to carry out a malicious objective, be it to steal data, cause damage, or drop various kinds of malware onto a victim’s machine or network.
All three are so closely related that news websites often refer to them as the same thing. However, the distinctions made above are useful to cybersecurity researchers when it comes to discovering and analyzing attacks.
From Vulnerability to Attack
Unfortunately, software, hardware, and even your trusted operating system cannot account for every potential flaw they may turn out to have. Companies do spend a lot of time, effort, and money hunting for these bugs before threat actors discover them. That is one of the main reasons why it is so important to keep systems up to date, as important patches are released in updates. Patches are developed specifically to close a flaw so that exploits cannot be built on it and subsequent attacks cannot cause havoc.
Unfortunately, threat actors can discover a vulnerability long before the vendor does, and that is where the trouble begins for the vendor and anyone who uses the product. This is the primary reason why the mere possibility that a zero-day exploit exists causes such a stir amongst news outlets and the InfoSec community at large.
On the other side of the coin, it has become incredibly profitable for threat actors to find vulnerabilities, develop exploits, and then sell them to another party who will conduct the attack. Recently, it was discovered that a hacker found a flaw in the popular video conferencing application Zoom and sold the exploit for 50,000 USD. That sum is not an outlier: hackers have reported selling exploits not just to other hackers but to government agencies for similar amounts, with such reports dating back to 2014.
Finding Vulnerabilities and Exploiting Them
Before looking at some of the more infamous examples of zero-day exploits causing chaos, it is prudent to look at how hackers go about finding vulnerabilities and then creating exploits that take advantage of them for a malicious actor's benefit.
Rather than going into an exhaustive list of the many ways threat actors discover vulnerabilities, they can broadly be classified into three categories: source code review, patch dissection, and fuzz testing (fuzzing). Looking at each in turn, they can be described as:
- Source code review requires the threat actor to have access to the software’s source code or decompiled code. The threat actor can then look for errors in the code that can be exploited.
- Patch dissection involves threat actors analyzing recent patches and updates released by a vendor. By doing this the threat actor learns of vulnerabilities previously unknown to the public and can develop exploits for those flaws, sometimes in a matter of hours. Such exploits target those who have not yet installed the particular patch. Given how often software remains unpatched for months after a patch is released, this is still an effective tactic.
- Fuzz testing is a method of testing software in which the tester deliberately sends random, invalid, and unexpected data to the software with the intention of breaking it and so finding bugs. A threat actor can apply the same method to make the software produce unexpected responses and, with the help of tooling, develop an exploit that takes advantage of a particular bug.
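To make the fuzz-testing idea concrete, here is an added example (written for this article, not code from any real product or fuzzer): a minimal mutation-based fuzzer run against a constructed toy record parser with two planted bugs. It shows the defender's side of the same technique, a vendor testing its own parser before anyone else does; the parser, its record format and the seed input are all assumptions constructed for the example.

```python
import random
# Constructed toy parser (not a real product): a stream of records, each
# [1-byte length][payload][1-byte checksum], checksum = sum(payload) % 256.
# Two bugs are planted; ValueError is the parser's intended rejection path.
def parse_records(data: bytes) -> list:
    records, i = [], 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1 : i + 1 + length]
        mean = sum(payload) // length        # bug 1: ZeroDivisionError when length == 0
        checksum = data[i + 1 + length]      # bug 2: IndexError when the record is truncated
        if sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")
        records.append((bytes(payload), mean))
        i += 2 + length
    return records

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary values fuzzers favour over pure noise
def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation of a valid input: overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    new = rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = new
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), new)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seed_input: bytes, iterations: int, seed: int = 0) -> dict:
    """Mutation fuzzing loop: returns {exception name: first input that triggered it}.
    The parser's own ValueError is its documented rejection, so it is not a finding."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:             # anything else is an unhandled crash
            findings.setdefault(type(exc).__name__, candidate)
    return findings

# Constructed valid seed: records "hi" (checksum 0xD1) and "abc" (checksum 0x26).
SEED = b"\x02hi\xd1\x03abc\x26"
```

Running `fuzz(parse_records, SEED, 5000)` surfaces both planted bugs within a few thousand mutations, and each saved input can be replayed against the parser to confirm the crash before a fix is written.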
The Infamous Examples of Recent Zero-Days
For much of 2020, Zoom was in the headlines for security issues. One such instance was when a zero-day was discovered that allowed attackers to access machines remotely if the user was running an older version of Windows.
Apple's mobile operating system is often praised for its high level of security. However, in 2020 the operating system was impacted by two severe vulnerabilities, including a memory corruption flaw. That flaw would allow an attacker to escalate privileges on the device, ultimately executing code as if they had administrator privileges, the holy grail for attackers looking to install malware on a machine. The other flaw could allow an attacker to compromise iPhones remotely.
Here we have an example of government-sponsored hacking tools ending up in the wrong hands. Whether governments should be developing such tools in the first place is another question, but dismissing it would mean ignoring current geopolitical realities in cyberspace. Briefly, EternalBlue is a tool developed by the US National Security Agency (NSA) that exploited a flaw in Windows' implementation of the SMBv1 (Server Message Block version 1) file-sharing protocol. Exploiting this flaw allowed attackers to spread laterally across a network in much the same way that worms, a type of malware, do.
EternalBlue was stolen during a hack and subsequently leaked to the public. The tool was then used by those behind the WannaCry ransomware attack, which wreaked havoc across the globe and impacted the UK’s National Health Service (NHS) in ways the public did not believe were possible. Because of the worm-like behavior built into EternalBlue, WannaCry spread faster than wildfire. For years after the attack, hackers were still making use of EternalBlue for lateral movement.
Stuxnet is perhaps the most infamous example of a vulnerability being exploited in an attack. The attack showed the world how vulnerable industrial control systems are and the devastation that can be caused. Kaspersky Labs summarized the attack as follows:
“One of the most famous examples of a zero-day attack was Stuxnet. First discovered in 2010 but with roots that spread back to 2005, this malicious computer worm affected manufacturing computers running programmable logic controller (PLC) software. The primary target was Iran’s uranium enrichment plants to disrupt the country’s nuclear program. The worm infected the PLCs through vulnerabilities in Siemens Step7 software, causing the PLCs to carry out unexpected commands on assembly-line machinery [this caused the machinery to fail catastrophically]. The story of Stuxnet was subsequently made into a documentary called Zero Days.”
The Problem Continues
To show that this is not a once-a-year issue, below are two major and very recent zero-days that made the news in the span of a little over a month.
Microsoft’s 2021 Patch
In November 2021 Microsoft released an entire host of patches for the following services provided by the tech giant: Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.
The patch looked to solve six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege flaws, as well as flaws which, if correctly exploited, could result in spoofing attacks. It was further discovered that, by the time of release, several of these flaws were already being exploited in the wild.
December is typically a joyous time of year; however, the development team behind Apache would not have thought so. In the middle of December, a vulnerability named Log4j2 was discovered that impacted the Java logging library Apache Log4j. If properly exploited, the bug would allow an attacker to execute malicious code remotely. At the time of discovery, security researchers were already seeing thousands of attempts to exploit the flaw.
At the time of writing, this was still a developing story, with millions of devices around the world believed to be vulnerable to this specific flaw.
This article is the first part of a series exploring the often Hollywood-like world of zero-day exploits. In subsequent articles, we will explore in greater depth specific types of zero-day exploits, such as those defined above, memory control flaws, ICS/SCADA flaws, and the role a skilled reverse engineer plays in discovering flaws and developing exploits.