In this article

Zero-Day Exploits: Examples, Prevention and Detection


February 28, 2022
Last Updated: January 15, 2024
Share on:

Zero-Day Definitions 

The term “zero-day” refers to a cybersecurity threat that is unknown to the makers of a system, its owners, or the general public. It can be a vulnerability, exploit, or attack that poses a real threat by the time it is discovered. Zero-day refers to the number of days the vulnerability has been known and has been open to exploitation by attackers. 

  • Zero-day vulnerabilities are software weaknesses that have yet to be discovered or addressed. 
  • Zero-day exploits are malicious attacks that take advantage of these unknown vulnerabilities. 
  • Zero-day attacks are the actual utilization of these exploits to cause harm, such as data theft or disruption of service. 

These zero-day threats pose a significant risk because they can be used before the vendor has a chance to patch the vulnerability, making them particularly challenging to defend against.

NIST CSF Mapping Made Easy with

The Cyber Defense Matrix

  • Align your security strategy with NIST CSF
  • Find & fix holes in your security program
  • Identify gaps and overlaps in your security stack

Why are Zero-Day Exploits Dangerous?

A zero-day exploit is a technique cyber criminals use to attack systems containing a zero-day vulnerability. There are many exploit methods for launching and carrying out a zero-day attack. The malicious payload might perform code execution, credential theft, ransomware, denial-of-service (DoS), and more.

Zero-day vulnerabilities can remain undetected for extended periods

Because zero-day vulnerabilities are unknown, potential vulnerabilities typically remain undiscovered. A zero-day vulnerability can be used to compromise organizations for months before the organization detects and mitigates the vulnerability.

The longer a vulnerability remains undetected, the longer a cybercriminal can exploit it. A cybercriminal can use unknown zero-day vulnerabilities to exfiltrate large volumes of data. Typically, they will exfiltrate data slowly to prevent detection. An organization might only identify the compromise once millions of records are lost.

An advanced persistent threat (APT) can use a zero-day exploit

An APT using a zero-day exploit can be a global risk to data and computing systems. APTs are sophisticated threat actors who can do major damage to organizations. Via zero-day exploits, an APT can gain access to a large number of computing systems at high profile organizations.

A prominent example was the SolarWinds supply chain attack, in which an organized cybercrime group exploited a zero-day vulnerability to breach to US government agencies and a majority of the Fortune 500.

Related content: Read our guide to zero day malware

Who Are the Targets for Zero-Day Exploits? 

Zero-day exploits can target individuals, organizations, and governments. Some common targets include:

  • Financial institutions: To steal sensitive financial information or carry out fraudulent transactions.
  • Government agencies: To steal classified information or disrupt critical infrastructure.
  • Healthcare organizations: To steal sensitive medical records or disrupt medical systems.
  • Technology companies: To steal trade secrets or disrupt their operations.
  • Individuals: To steal personal information or gain unauthorized access to their devices and accounts.
  • Critical infrastructure: To disrupt power grids, transportation systems, and other vital services.

Anyone using technology or connected to the internet can potentially be a target of zero-day exploits, making it important for individuals and organizations to take steps to protect themselves.

How Are Zero-Day Exploits Delivered to Target Devices?

Here are a few common ways attackers can deliver a zero-day exploit to a target device possessing a zero-day vulnerability:

  • Spear phishing—sophisticated threat actors can carefully design a phishing attack against a privileged individual in the targeted organization. By compromising a privileged account, they can deliver zero-day exploits to high-value systems in an organization.
  • Spam and phishing—an attacker can send a message to many recipients in different organizations. Even if only a small percentage responds to the phishing message and clicks a malicious link or opens an attachment, the attacker can deploy the zero-day exploit to their local device. The exploit will often attempt to infect other machines in the network or spread itself via the victim’s contact list.
  • Malvertising and malicious sites—an attacker can compromise a website and inject a zero-day exploit via a script. When a user visits the website, the script runs in their browser and deploys the zero-day exploit.
  • Unauthorized access—attackers can attempt brute force attacks or exploit other, known vulnerabilities to compromise a system, network, or server. After penetrating the system, they can deploy the zero-day vulnerability.

How to Prevent Zero-Day Exploits 

Preventing zero-day exploits requires a multi-layered approach:

  • Keep software up-to-date: Install security patches as soon as they become available to fix known vulnerabilities.
  • Use software from trusted sources: Avoid downloading and installing software from untrusted sources, as it may contain zero-day exploits.
  • Implement network segmentation: Divide your network into smaller segments to limit the spread of any potential attack.
  • Use anti-virus software: Anti-virus software can help detect and prevent the execution of malicious software.
  • Educate employees: Train employees to be aware of social engineering tactics and how to identify suspicious email attachments and links.
  • Use a firewall: A firewall can block unauthorized access to your network and help prevent zero-day exploits.
  • Conduct regular security assessments: These can help identify vulnerabilities in your systems before they can be exploited.

4 Strategies for Detecting Zero-Day Exploits

Zero-day exploits cannot be identified by traditional signature-based anti-malware systems. However, there are a few ways to identify suspicious behavior that might indicate a zero-day exploit:

  1. Statistics-based monitoring—anti-malware vendors provide statistics on exploits they previously detected. Organizations can feed these data points into a machine learning system to identify current attacks. This type of detection has limitations when discovering new threats as it can be predisposed to false negatives and false positives.
  2. Signature-based variant detection—all exploits have a digital signature. Organizations can feed digital signatures into machine learning algorithms and artificial intelligence systems to identify variants of prior attacks.
  3. Behavior-based monitoring—malicious software uses procedures to probe a system. Behavior-based detection creates alerts when it identifies suspicious scanning and traffic on the network. Rather than analyzing in-memory or signatures activity, behavior-based detection discovers malware by looking at how it interacts with devices.
  4. Hybrid detection—a hybrid detection approach uses all three methods mentioned above. It can use all three monitoring and identification approaches to be more efficient at discovering zero-day malware.

Related content: Read our guide to zero-day attack prevention

NIST CSF Mapping Made Easy with

The Cyber Defense Matrix

  • Align your security strategy with NIST CSF
  • Find & fix holes in your security program
  • Identify gaps and overlaps in your security stack

Recent Examples of Zero-Day Exploits

Here are some recent examples of zero-day attacks. All these vulnerabilities have since been patched, but at the time they were discovered, they impacted millions of organizations and billions of users around the world.

Zerologon

Microsoft provided a security update on August 11, 2021. This update included a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472), identified by researchers at Secura. Initially, they did not publish any technical details, so the CVE in the security update did not receive due attention, but later it was given a maximum Common Vulnerability Scoring System (CVSS) score of 10, the highest possible.

This vulnerability permits an unauthenticated attacker with network access to a domain controller to initiate a vulnerable Netlogon session. The attacker can then gain domain administrator privileges. The only condition for an effective exploit is establishing a connection with a domain controller, making this an extremely severe vulnerability.

Sophos

In April 2020, users reported zero-day attacks regarding the Sophos XG firewall. Cybercriminals were able to exploit a SQL injection vulnerability (CVE-2020-12271), attacking the built-in PostgreSQL database server of the firewall.

If effectively exploited, attackers could use this vulnerability to inject code into the database. Using this code, they could then change firewall settings, allowing the installation of malware or providing access to corporate systems connected to the firewall.

Internet Explorer

In 2019, Microsoft’s legacy browser, Internet Explorer (IE), experienced a vulnerability due to a flaw in the way the IE scripting engine manages objects in memory (CVE-2020-0674). It affected IE versions 9-11.

Attackers could leverage this vulnerability by prompting users to visit a website created to exploit the weakness. They could achieve this via phishing emails or malicious link redirection.

Microsoft RCE

In March 2020, Microsoft notified users of zero-day attacks exploiting two distinct vulnerabilities. The vulnerabilities impacted all supported versions of Windows, and vendors did not expect a patch for weeks. The attacks targeted remote code execution (RCE) vulnerabilities. These vulnerabilities were in the Adobe Type Manager (ATM) library, built into Windows to manage PostScript Type 1 fonts.

The weaknesses in the Adobe library permitted attackers to remotely run scripts via malicious documents. The attackers transmitted the documents via spam, or users were tricked into downloading them. The scripts would run and infect their devices when users previewed or opened the documents with Windows File Explorer.

Zero-Day Attack Protection with Cynet

The Cynet 360 Advanced Threat Detection and Response platform gives protection against threats such as zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans, which may evade traditional signature-based security processes.

Block exploit-like behavior

Cynet monitors endpoint memory to find behavioral patterns that are typical of exploits, including unusual process handle requests. These patterns are features of the vast majority of exploits, whether known or new. Cynet is able to provide effective protection against zero-day exploits and more, by identifying such patterns.

Block exploit-derived malware

Cynet uses multi-layered malware protection that includes process behavior monitoring, ML-based static analysis, and sandboxing. Cynet also provides fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any damage.

Uncover hidden threats

Cynet uses an adversary-centric methodology to accurately identify threats throughout the attack chain. Cynet thinks like an adversary, detecting indicators and behaviors across users, endpoints, files, and networks. They supply a holistic account of the workings of an attack, irrespective of where the attack may attempt to penetrate.

Accurate and precise

Cynet uses a powerful correlation engine, and produces its attack findings free from excessive noise and with near-zero false positives. This simplifies the response for security teams so they can attend to key incidents.

You can carry out manual, or automatic remediation, so your security teams have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they do harm.

Learn more about Cynet 360 Autonomous Breach Protection.

How would you rate this article?

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: