Zero-day vulnerability
A zero-day vulnerability is a hole in software (or hardware) that has not been publicly disclosed. This means that the manufacturer or developer of the product does not know about it. In other words, it is a security flaw that is unknown to the vendor.
The name comes from the fact that there are zero days between when the vulnerability is discovered and when the vendor becomes aware of it.
Examples of zero-day vulnerabilities are unpatched software flaws, hardware design flaws, and undocumented features that can be exploited. And that’s the fact: cybercriminals can take advantage of these vulnerabilities for many malicious activities.
Zero-day vulnerability, zero-day exploit, and zero-day attack
These terms sound similar but they are related but distinct concepts.
As Kaspersky explains:
- A zero-day vulnerability is a software vulnerability discovered by attackers even before the vendor. Since vendors are unaware, there are no security patches and therefore cyber attacks are likely to be successful.
- A zero-day exploit is a method by hackers to attack systems with a previously unidentified vulnerability. Usually, while the vulnerability is still open, hackers can write and implement a malicious code to take advantage of it. This is the exploit code.
- A zero-day attack is the use of a zero-day exploit to damage or steal data from a system affected by a vulnerability.
Another term worth knowing is zero-day malware. It is a virus that is not publicly known because it is totally new or it is a new version of an existing virus. Being unknown, this malware easily escapes the scrutiny of antivirus software.
Now, let’s see the relationship between zero-day vulnerability, zero-day exploit, and zero-day attack.
In order for a hacker to carry out a zero-day attack, they need to have access to a zero-day exploit. The zero-day exploit is the key that unlocks the zero-day vulnerability.
There are three main ways that zero-day exploits end up in the hands of cybercriminals:
- Developing them: Some cybercriminals have the skills to develop their own zero-day exploits.
- Stealing them: Cybercriminals can also steal zero-day exploits from companies or individuals that have developed them.
- Buying them on the black market: Just like any other commodity, zero-day exploits can be bought and sold on.
How does the black market work?
Zero-day vulnerabilities are often discovered by security researchers who then report them to the vendor. In some cases, the researcher may sell the zero-day to a third party, such as a zero-day broker.
There are different types of zero-day markets:
- Direct markets: They are managed by the vendors themselves. One example is Google’s Chrome Vulnerability Reward Program, which offers a bug bounty program to identify vulnerabilities in its systems and receive cash compensation;
- Indirect markets: Brokers act as intermediaries between buyers and sellers. These markets are legal and cyber security researchers are paid for their discoveries.
- Black markets: These are illegal markets where cybercriminals can buy and sell zero-day vulnerabilities and the corresponding exploits. This underground market is full of actors that are willing to pay top dollar for zero-days. In some cases, zero-days are sold to nation-states for use in cyber warfare. In other cases, they are used by criminals to commit cybercrime. The prices for zero-days vary depending on the type of vulnerability, the ease of exploitation, and the demand from buyers. However, often hackers do not sell the vulnerability itself, but the access to the system it allows. In this way, the vulnerability is never discovered and can continue to be exploited (access-as-a-service).
What do hackers use zero-day vulnerabilities for?
Zero-day vulnerabilities are dangerous because they can be exploited before the vendor is aware of them. This gives attackers a window of opportunity to do what they want before the vulnerability is patched.
A vulnerability can be used for a variety of purposes, such as:
- Stealing data: Hackers can exploit zero-days to gain access to sensitive data, such as financial information or personal data.
- Causing havoc: Zero-days can also be used to cause damage to systems or networks. For example, zero-days have been used in ransomware attacks, where the attacker encrypts the victim’s data and demands a ransom to decrypt it.
- International or Corporate Espionage: Zero-days can be used for gaining access to classified information or stealing trade secrets.
- Cyber warfare: Zero-days can be weaponized and used in cyber warfare attacks. For example, the Stuxnet worm, which was used to attack Iran’s nuclear facilities, exploited four zero-day vulnerabilities.
How to protect yourself from zero-day attacks
Zero-day attacks are often highly sophisticated and difficult to defend against because the vulnerabilities they exploit are unknown. This is why zero-day vulnerabilities are so dangerous and you need to take steps to protect yourself.
Here are some things you can do to reduce your risk:
- Keep your software up to date: This is one of the best ways to protect against zero-day attacks. Through software updates, vendors fix vulnerabilities as they discover them. By keeping your software up to date, you can close the vulnerabilities that attackers are trying to exploit.
- Use security software: Security software can help defend against zero-day attacks by identifying and blocking suspicious activity.
- Be cautious about email attachments: One of the most common ways that zero-day exploits are delivered is through email attachments. Be cautious about email attachments, even if they come from someone you know.
- Keep an eye out for unusual activity: If something doesn’t seem right, it probably isn’t. If you see anything out of the ordinary, report it to the IT department or security team.
