Originally written for A.

Zero-day exploit: an advanced cyber attack defined

A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection ... at first.

Vulnerability Timeline

A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability—hence “zero-day.” Let’s break down the steps of the window of vulnerability:

• A company’s developers create software, but unbeknownst to them it contains a vulnerability.
• The threat actor spots that vulnerability either before the developer does or acts on it before the developer has a chance to fix it.
• The attacker writes and implements exploit code while the vulnerability is still open and available
• After releasing the exploit, either the public recognizes it in the form of identity or information theft or the developer catches it and creates a patch to staunch the cyber-bleeding.

Once a patch is written and used, the exploit is no longer called a zero-day exploit. These attacks are rarely discovered right away. In fact, it often takes not just days but months and sometimes years before a developer learns of the vulnerability that led to an attack.

Why Zero-Days ?

Zero day vulnerabilities and exploit codes are extremely valuable and are used not only by criminal hackers but also by nation-state spies and cyber warriors, like those working for the NSA and the U.S. Cyber Command.

Zero day vulnerabilities used to be extremely rare. Out of more than a million pieces of malware security firms discovered and processed each month, only about one or two were zero-day exploit code. These days, however, more zero days are being used and discovered. That’s in part due to the emergence of a large market for buying and selling zero-day vulnerabilities and exploits, driven largely by the demand from government intelligence agencies.

The zero-day market has three parts. These include the black underground market where criminal hackers trade in exploit code and vulnerability information to break into systems and steal passwords and credit card numbers; the white market, which encompasses the bug bounty programs where researchers and hackers disclose vulnerability information to vendors, in exchange for money, so the holes can be fixed—this market includes security companies that purchase zero-day exploits to use in their penetration-testing products to determine if a customer’s system is vulnerable to attack; and the “gray” market, where researchers and companies, some of them military defense contractors, sell zero-day exploits and vulnerability information to militaries, intelligence agencies and law enforcement to use for surveillance and offensive computer operations.

Famous attacks that used zero-day exploits

Stuxnet—a virus/worm that targeted computers in Iran’s uranium enrichment plant at Natanz and used five zero-day exploits to spread and gain privileged access on systems. Though one of the vulnerabilities was patched by Microsoft before the attackers could unleash their code, so technically, at the time Stuxnet was discovered, it was using only four zero-days.

Aurora—in 2010 hackers believed to be from China broke into Google, Adobe, and more than a dozen other companies using a zero-day vulnerability found in several versions of Microsoft’s Internet Explorer browser software. The attackers were targeting, at least in part, Google’s source code—possibly to study it and discover additional zero-day vulnerabilities for future use. The group behind those attacks is still active and has been caught using at least eight other zero-day exploits since then.

RSA hack—attackers, believed to be the same that targeted Google, used a zero-day exploit in Adobe’s Flash player in a spear-phishing attack against employees working for the security firm. The intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products.

Zero-day Prizes

The price of zero-day vulnerabilities can vary greatly—anywhere from $5,000 to several hundred thousand dollars—depending on a number of factors. A vulnerability that exists in multiple versions of the Windows operating system will be much more valuable than one that exists in only a single version of the software. But one that targets the Apple iOS, which is more difficult to crack than other phones, can be even more valuable. Exploits that bypass built-in security protections—for example sandboxes built into browsers to keep malware from breaking out of the browser and affecting a computer’s operating system—will also bring more than an exploit targeting a standard browser hole.

Controversy over the U.S. government’s use of zero days has been growing since Stuxnet was discovered in 2010 and has increased in the wake of the Edward Snowden revelations about the government’s hacking activities. Earlier this year, the White House announced a new policy indicating that it will disclose zero-day vulnerabilities that the National Security Agency discovers in software so that they can be patched, but any flaws that have “a clear national security or law enforcement” can still be kept secret to be exploited.

Elmalla A. (@elmalla) is Chief Sales Officer at i-AWCS, which focuses on web application security solutions.