A Primer on Zero-Day Vulnerabilities

Dec 01, 2022

It seems terribly unfair: Companies and organizations can do nearly everything right from a defensive perspective, but still become victims of intrusions and data breaches. How is that possible?

The answer: zero-day vulnerabilities. These are software flaws that have been discovered by threat actors before vendors have developed patches. Often, attacks are already under way before anyone is aware of them. These types of vulnerabilities are potent ways to compromise companies as defensive teams don’t know there is new risk. Software vendors prioritize engineering patches for high severity zero-day vulnerabilities, but in the meantime, there’s a dangerous window of risk that organizations face.

Once a zero-day vulnerability is found, attackers begin to develop what’s known as an exploit. An exploit is attack code that leverages the software flaw in order to gain access to a system. The attack code is known as a zero-day exploit, and it can then be deployed against a target. Zero-day vulnerabilities and exploits can offer huge opportunities for attackers. The flaws can be leveraged to hit hardened targets that the attackers may have not had success at previously compromising.

Software vulnerabilities are discovered all of the time that haven’t been fixed. Some are not necessarily that risky. But the riskiest zero-day vulnerabilities are ones that can allow remote code execution on systems without authentication. In that scenario, attackers can search for internet-facing systems that have a software flaw and then launch an attack, gaining initial access to systems.

Case study: Microsoft Exchange’s “ProxyLogon”

In early 2021, tens of thousands of organizations around the world were attacked with startling speed as the result of zero-day vulnerabilities. It started with the discovery of four zero-day vulnerabilities in on-premises versions of Microsoft’s Exchange Server 2013, 2016 and 2019. Security researchers disclosed the flaws to Microsoft in January 2021. But as Microsoft was developing patches, attackers discovered the flaws. What ensued was one of the largest mass attacks in recent memory leveraging zero-day vulnerabilities.

Microsoft was close to releasing patches when in late February 2021 threat actors launched powerful sneak attacks. The attacks, which were largely automated, resulted in the compromise of tens of thousands of internet-facing Exchange servers. The attackers placed small bits of code called webshells on Exchange servers, which then allowed persistent access to the email servers. The webshells also provided footholds for attackers to begin moving deeper into compromised organizations’ systems.

Microsoft released patches on March 2, 2021. But it meant that thousands of organizations that had Exchange servers facing the internet needed to check if they’d been compromised. It wasn’t the fault of those organizations that threat actors gained initial access. There simply were no patches available for the ProxyLongon flaws when the attackers pounced. Microsoft said in late March 2021 it detected the Exchange flaws were being exploited to install the DearCry ransomware.

Microsoft attributed the mass attacks to a group called Hafnium, which the company said was assessed to be state sponsored and operating out of China. It’s unknown how Hafnium discovered the flaws. But it’s not unheard of for security researchers and threat actors to discover vulnerabilities around the same time. It’s also possible that information about the software vulnerabilities somehow leaked. For software vulnerabilities that are considered highly dangerous, it’s often a race between attackers and vendors developing patches. Unfortunately, the attackers sometimes win.

Defending Against Zero-Days

Defending against a zero-day attack, or at least mitigating the possibility of a successful attack, is possible. By definition, a zero-day vulnerability doesn’t have a patch. But the use of new exploit code might be flagged by web application firewalls. Webshells or other backdoors that are planted after exploit code is used may be detected by antivirus or endpoint detection and response software. Also, security tools that detect abnormal behavior may catch attackers trying to move from their foothold to other parts of a company’s network.

In the hours after a severe, zero-day flaw has been disclosed, software vendors will usually issue mitigation advice to their customers to blunt the chance of a successful attack while a patch is under development. These mitigations are defensive steps that can stop attempts to exploit a vulnerability. However, these mitigations may impact the functionality of the affected system.

Occasionally, the impact of a flaw may be so severe and risky that a system should be taken offline immediately. If it’s a critical business system, then the security team may need to brief business leaders to fully understand the risks of keeping a system online. This risk decision will vary depending on the severity of the vulnerability. Once a patch is released, the usual advice applies: Install it as soon as possible to close the window of attack. It’s also recommended that organizations turn on automatic updates if possible so newly released patches are quickly applied.

Vulnerabilities in the Cyber Underground

How can security teams learn as soon as possible that a high-impact zero-day vulnerability may be exploited soon? Because dangerous software vulnerabilities can allow attackers to easily infiltrate systems, they’re highly valuable and sought after. Vulnerabilities and full working exploits are offered for sale in underground marketplaces and forums. It’s not illegal to sell information about software flaws, but it is illegal to subsequently use that information to attack organizations. Studying these underground marketplaces or forums for vulnerability intelligence can give clues about what zero-days may surface next and also help alert security teams about what systems may be targeted.

Threat intelligence platforms that specialize in watching threat actor activity as well as areas of the cyber underground where software vulnerabilities are sold can help in defense. This type of intelligence is important because it can close the gap between when threat actors begin to launch attacks and when defensive teams begin to spot signs of potentially malicious activity. Minutes are precious as an attack begins, and early warning could be critical. It could mean the difference between dismissing a security event versus having to launch an incident response.

Future of Zero-Day Flaws

As long as humans are developing software, there will be zero-day software flaws. But software vendors recognize the importance of 1) developing secure code and 2) remedying serious vulnerabilities as quickly as possible. And recent findings from Google can help guide software vendors on how to prevent spin-off zero-day vulnerabilities.

In June, Google’s Project Zero released statistics on flaws that were used in the wild by attackers during the first six months of 2022. Nine of the 18 vulnerabilities Project Zero studied were closely related to flaws that had already been patched. In some cases, the patches that were developed were insufficient, leading attackers to find variations that allowed for exploitation. Google concluded that it shows attackers will take the least path of resistance and capitalize on if vendors haven’t comprehensively patched.

As vendors more comprehensively patch, security teams can prepare: Use threat and vulnerability intelligence to minimize the windows of exposure, monitor for abnormal behavior, mitigate quickly when a vulnerability emerges and eventually, patch.