Zero-day exploits leverage software vulnerabilities that are not yet known to the vendor, or for which no patch yet exists.
A vulnerability is an open door through which malware can be installed in an application, a browser, an operating system, or even a game. Software companies usually issue a security advisory and a patch when they discover a vulnerability. In the zero-day case, however, attackers exploit the weakness before the vendor is aware of it, or before a patch has been released to the public.
Weeks or months may pass before a flaw is discovered, and more time still before organizations remediate it, leaving a window of exposure that can range from a day to several months. Widely deployed software such as browsers, and browser plug-ins like Java and Adobe Flash, has been especially prone to such vulnerabilities and compromise.
History of Zero-Day Exploits
One of the first damaging incidents driven by exploited vulnerabilities was the Morris Worm, released in November 1988. Its author reportedly wrote it to gauge the size of the Internet, but because of a flaw in its replication logic it reinfected hosts repeatedly, disabling approximately 10% of Internet-connected Unix computers by exploiting weaknesses such as a buffer overflow in fingerd and a debug mode in sendmail. Since that time, the number of zero-day vulnerabilities and exploits has grown rapidly. According to a recent article in PCWorld, 15,435 vulnerabilities were discovered in 2014, in 3,870 applications from 500 vendors, a 55% increase over five years.
A strong market for buying and selling zero-day vulnerabilities and exploits has emerged. Its rapid growth is fueled by three kinds of buyer: bad actors looking for a way to obtain valuable data from organizations; security companies and ethical hackers who use the information for penetration testing and research; and military, law enforcement, and government intelligence agencies that use it for surveillance and other strategic cyber campaigns.
How Zero-Day Exploits Work
The software vulnerability is discovered, sometimes by the vendor and sometimes by another source. If attackers learn of it first, they develop an exploit to take advantage of the flaw.
The vendor announces the vulnerability and releases a patch.
Organizations try to deploy patches within one to 30 days of patch release.
Attackers have a window of opportunity to do damage from the discovery of the vulnerability until the patch is deployed. Signature-based antivirus, which needs a sample of a known threat, offers little protection during this window.
Examples of Zero-Day Exploits
Community Health Systems (2014)
A cybercriminal ring used sophisticated malware to bypass the company's security measures and transfer Social Security numbers and other personal information outside the company in an act of economic espionage. The Heartbleed vulnerability in OpenSSL was blamed for the breach. Heartbleed let an unauthenticated client read up to 64 KB of a server's process memory per request, so attackers could eavesdrop on communications, steal data from services and users, and impersonate both services and users.
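To show how a memory-disclosure bug of the Heartbleed kind leaks data, here is an added example that is not code from the original page or from OpenSSL. It models the TLS heartbeat handling (RFC 6520) in a few dozen lines of C: a request carries a length field that the vulnerable responder trusts blindly, so a short request claiming a long payload makes the server copy whatever follows the request in memory into the reply. The "arena", the secret string, and the offsets are constructed for the demonstration and are not real OpenSSL data structures; the arena is sized so the over-read stays inside memory we own, whereas real OpenSSL read into whatever happened to sit on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record (RFC 6520): type (1) | payload_length (2, big-endian) |
 * payload | >= 16 bytes of padding. The responder echoes the payload. */
#define HB_HEADER_LEN   3
#define HB_PADDING_LEN  16
#define HB_TYPE_REQUEST 1
#define HB_TYPE_RESPONSE 2

/* Constructed stand-in for the server's heap: the request is placed at
 * offset 0 and an unrelated secret happens to live at SECRET_OFFSET. */
#define ARENA_SIZE    256
#define SECRET_OFFSET 128
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "SECRET:session=deadbeef"; /* constructed */

/* Build a request whose header claims `claimed_len` payload bytes but
 * really carries `real_len` bytes of 'A'. Returns the bytes actually on
 * the wire (header + real payload + padding), or 0 if it will not fit. */
size_t build_request(size_t real_len, uint16_t claimed_len) {
    if (HB_HEADER_LEN + real_len + HB_PADDING_LEN > SECRET_OFFSET) return 0;
    if (HB_HEADER_LEN + (size_t)claimed_len > ARENA_SIZE) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_TYPE_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + HB_HEADER_LEN, 'A', real_len);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);
    return HB_HEADER_LEN + real_len + HB_PADDING_LEN;
}

/* Vulnerable responder: sizes the reply from the attacker-controlled length
 * field and never compares it with the bytes actually received. */
size_t vulnerable_respond(const uint8_t *req, size_t req_len,
                          uint8_t *out, size_t out_cap) {
    (void)req_len;                                  /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((req[1] << 8) | req[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN > out_cap) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, payload_len); /* over-read */
    return HB_HEADER_LEN + payload_len;
}

/* Hardened responder, in the spirit of the upstream fix: silently drop any
 * request whose claimed payload does not fit in the record received. */
size_t hardened_respond(const uint8_t *req, size_t req_len,
                        uint8_t *out, size_t out_cap) {
    if (req_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;
    uint16_t payload_len = (uint16_t)((req[1] << 8) | req[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_PADDING_LEN > req_len) return 0;
    if (HB_HEADER_LEN + (size_t)payload_len > out_cap) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, payload_len);
    return HB_HEADER_LEN + payload_len;
}

/* 1 if the secret string appears anywhere in buf[0..len). */
int leaks_secret(const uint8_t *buf, size_t len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Malicious heartbeat: 4 real bytes, 200 claimed. Returns 1 when the
 * vulnerable responder leaks the secret and the hardened one refuses. */
int demo_malicious(void) {
    uint8_t out[ARENA_SIZE];
    size_t wire = build_request(4, 200);
    size_t n = vulnerable_respond(arena, wire, out, sizeof out);
    int leaked = leaks_secret(out, n);
    return leaked && hardened_respond(arena, wire, out, sizeof out) == 0;
}

/* Honest heartbeat: claimed length matches. Returns 1 when both responders
 * echo exactly "AAAA" and nothing else. */
int demo_honest(void) {
    uint8_t out[ARENA_SIZE];
    size_t wire = build_request(4, 4);
    size_t a = hardened_respond(arena, wire, out, sizeof out);
    int ok = a == 7 && memcmp(out + HB_HEADER_LEN, "AAAA", 4) == 0;
    size_t b = vulnerable_respond(arena, wire, out, sizeof out);
    return ok && b == 7 && !leaks_secret(out, b);
}

int main(void) {
    printf("malicious request: vulnerable leaks, hardened refuses -> %d\n", demo_malicious());
    printf("honest request: both echo the payload -> %d\n", demo_honest());
    return 0;
}
```

The single comparison that the hardened version adds, claimed length against bytes actually received, is the whole fix; the lesson for any parser of length-prefixed records is that a length field is attacker input until it has been checked against the buffer it describes.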
Operation Aurora (2010)
A targeted campaign originating in the Far East used spear phishing; zero-day vulnerabilities in Adobe Flash Player, Internet Explorer, and Microsoft XML Core Services; and a Trojan to steal intellectual property, including source code, from Google, Adobe, and 20 other companies.
Stuxnet (2010)
The Stuxnet worm invaded and crippled 14 industrial sites in Iran, including a uranium-enrichment plant. Stuxnet used several zero-day exploits (four, by Symantec's count) to spread between and compromise Microsoft Windows computers, and targeted machines running the Siemens industrial control software used to program the controllers that drove physical equipment such as centrifuges.