Tech Insight : What Are ‘Zero-Day’ Attacks?

In this tech insight, we look at what ‘zero-day’ attacks are, then look at some recent high-profile examples and ultimately at what businesses can do to protect themselves from zero-day attacks. 

Sophisticated Attacks That Highlight Vulnerabilities 

In the ever-evolving landscape of digital threats and cyber warfare, one term often sends chills down the spines of cybersecurity professionals: Zero-Day Attacks. These sophisticated and stealthy cyber-attacks represent a significant challenge in today’s interconnected business world. They symbolise not just the advancement of cybercriminals’ tactics but also highlight the vulnerabilities that exist within our most trusted digital infrastructures. 

Exploiting Zero-Day Vulnerabilities 

Zero-day attacks are attacks by threat actors that exploit zero-day vulnerabilities. These are undisclosed software vulnerabilities (unknown to vendor or victims) that hackers can exploit to adversely affect computer programs, data, additional computers, or a network.  

Vulnerabilities targeted in zero-day attacks can be found in operating systems, web browsers, Office applications, open-source components, hardware and firmware, and the Internet of Things (IoT). 

Why “Zero-Day”? 

The term “zero-day” comes from the fact that software developers and those in charge of digital security have zero days to fix the vulnerability because it is simply not known to them until the first attack. This means that attackers can exploit the vulnerabilities before developers become aware and are able to issue any patches or remediations.  

How Big Is The Problem? 

Although zero-day vulnerabilities fell by almost a third in 2022, it was still the second highest year on record (Mandiant research) with 55 zero-day vulnerabilities exploited and products from the three largest vendors (Microsoft, Google, and Apple) were the most commonly exploited (for the third year in a row). 

What Can Happen? 

Zero-day attacks commonly result in unauthorised data access, data theft, or service disruptions. These, in turn, can result in reputational damage, lost customers, fines (e.g. legal action by those affected an/or ICO fines), plus possibly the loss of the business itself if the attack is serious enough. Secondary attacks on the business and those affected by data theft could also come from the first attack,.e.g. malware, ransomware, phishing, social engineering attacks, and more. 

Cybersecurity experts, therefore, continually work to discover these types of vulnerabilities before hackers do, to try and prevent potential attacks. 

Vulnerabilities, Exploits, Then Attacks 

After threat actors have discovered a zero-day vulnerability, the next stage is ‘zero-day exploits’ – the blueprints that outline how these hidden flaws can be taken advantage of, often traded on the dark web. The zero-day attack itself is, therefore, the act of exploiting the flaw/vulnerability, using the guidance of the exploit, before a patch can be rolled out, leaving a digital system scrambling in the wake of the unforeseen breach. 

Who? 

These under-the-radar strikes are often orchestrated by advanced cyber criminals, state-sponsored hacking groups, or unscrupulous entities with nefarious motives. The objectives are as varied as the threat actors themselves. For some, it’s about monetary gains whereas for others, it’s a tool for intellectual property theft, infiltrating state secrets, or merely sowing seeds of chaos. Corporate espionage and political machinations are just the tip of the iceberg when it comes to reasons behind these attacks. 

Recent High-Profile Examples 

Some recent, high-profile examples of Zero-Day attacks include: 

– In 2023, a critical vulnerability was uncovered in the secure managed file transfer (MFT) service provided by MOVEit, a transfer platform widely used by large companies in a variety of sectors including healthcare, government, finance, and aviation. The Russian-based Clop Ransomware group exploited the vulnerability and were able to steal data from eight UK organisations including BBC, British Airways, Aer Lingus, and Boots. 

– In 2022 the CVE-2022-30190, a.k.a. Follina vulnerability in Microsoft Diagnostics Tool (MDST), was exploited and victims were persuaded to open Word documents which enabled attackers to execute arbitrary code. The government of the Philippines, business service providers in South Asia, and organisations in Belarus and Russia were all subject to the same zero-day attack. 

– The notorious Microsoft Exchange Server hack in early 2021, widely believed to have been sponsored by a nation-state, exploited several previously unknown vulnerabilities in Microsoft’s email server software. The damage was widespread and profound, with tens of thousands of organisations worldwide left grappling with the aftermath before a security patch could be rolled out. 

– Google’s Chrome suffered a series of zero-day threats in 2021, causing Chrome to issue updates. The vulnerability was a bug in the V8 JavaScript engine used in the web browser. 

– A zero-day attack on video conferencing platform Zoom in 2020 where hackers accessed a user’s PC remotely if they were running an older version of Windows. The hackers targeted the administrator, allowing them to completely take over their machine and access all files. 

– In 2020, the Apple iOS was attacked twice with zero-day vulnerabilities and one zero-day bug allowed attackers to compromise iPhones remotely. 

How Businesses Can Protect Themselves 

So, how can businesses protect themselves against the threat of zero-day attacks? Given their nature, these attacks pose a formidable challenge, but protective measures that can be taken include: 

– Regularly updating software updates and staying up to date with patching. 

– Employing advanced threat detection tools that utilise behaviour-based detection techniques to pinpoint anomalies and unusual activity in network traffic (often the first sign of a zero-day attack). 

– Conducting regular penetration tests and vulnerability assessments. These proactive practices can unearth previously unknown vulnerabilities within systems, allowing businesses to patch them before they are exploited. Following the principle of least privilege – limiting user access rights to the bare minimum needed for their work – can also help reduce the extent of potential damage should an attack occur. 

– Beyond technological defences, investing in comprehensive cybersecurity awareness training for employees is crucial. An informed team acts as the human firewall against cyber threats, understanding the risks, recognising signs of possible attacks, and knowing how to respond swiftly and effectively. 

What Does This Mean For Your Business? 

In the face of the ominous threat of zero-day attacks, businesses must adopt a proactive and comprehensive approach to digital security. A robust defence strategy isn’t a luxury but an absolute necessity in today’s digital age. It involves a constant balancing act of risk management, regular system updates, advanced threat detection, routine penetration testing, and vulnerability assessments, regular system audits, and maintaining a culture of security vigilance throughout the organisation. 

A multi-layered security approach and a zero-trust model could, therefore, provide a solid foundation for defence although, because some vulnerabilities may still not be known until it’s too late, zero-day attacks remain an ever-present threat. 

The potential devastation of zero-day attacks and their aftermath is unquestionable, but it is not an insurmountable challenge. By being as vigilant and proactive in defence measures as is realistically possible, businesses can steer through the murky waters of the cyber threat landscape, securing their digital assets, and upholding the trust of their customers and partners. The world of cybersecurity may be akin to a never-ending arms race, but with the right preparation and resilience, staying one step ahead must be an achievable goal.