What are zero-day attacks?
In its broad sense, ‘zero-day’ means that an attacker found a vulnerability in an app or device before the software developer (the vendor) did.
Imagine a timeline with four points: an app was developed, the app was reviewed and a vulnerability was found, the developer patched the vulnerability, and users received the patch.
If it is the developer who finds the vulnerability, he or she acts proactively and delivers a patch to users.
Otherwise, the developer has zero days to fix the vulnerability, which gives the attacker a head start. The attack then unfolds as follows:
- The attacker finds a vulnerability before the developer is aware of it. This vulnerability could be a ‘hole’ in an app or a device configuration, a bug in the code, or an unexpected use case.
- The attacker creates a zero-day exploit (a piece of code or an app) that accesses a system through the vulnerability to steal data or to perform actions with elevated privileges, for example as an administrator.
- Finally, the attacker launches and spreads the exploit on devices.
Zero-day attacks can last for months or even years while the attacker keeps exploiting the vulnerability.
For example, the Stuxnet worm was discovered months after it first exploited four vulnerabilities in Windows components:
- a vulnerability in the shortcut-processing service to spread invisibly from USB to any computer,
- a vulnerability in the print queue service to connect to local networks, and
- two other vulnerabilities to gain admin privileges, which could then be used from ordinary accounts.
The worm attacked only devices connected to controllers from specific vendors. All those vulnerabilities are now fixed.
The market for zero-day exploits is part of the darknet economy, where hacking groups, IT enthusiasts and geeks prefer to sell these exploits, sometimes for six-figure sums, rather than use them.
Why are zero-day attacks dangerous?
The danger of a zero-day is that you never know which system component or app will be attacked. The developer finds a vulnerability after it has already been exploited.
The vulnerability type defines what hackers will attack—companies or users. Large financial organizations, security agencies, and defense contractors are often targeted for espionage and infrastructure attacks.
In the mid-2010s, admins struggled to keep MS Office macros turned off because the Dridex trojan could do harm only if they were on. The admins also told users not to open .doc, .xls and .ppt attachments from unknown senders, as Dridex exploited the MS Office zero-day vulnerability to steal business data and banking information without users’ knowledge.
Mobile app users are also at risk: vulnerabilities in operating systems or apps, combined with social engineering, may end with some functions being locked and a ransom demanded to unlock them.
Another story is about IoT devices (‘smart’ light bulbs, IP cameras, cheap routers, and budget smartphones), which can be hacked without your knowledge. Even if the vulnerability becomes public, vendors will not necessarily patch it, because they are saving a lot by cutting corners on manufacturing and maintaining these devices.
In 2020, 19 vulnerabilities, dubbed Ripple20, were discovered in Treck’s low-level TCP/IP library, designed for IoT devices. Malware could control millions of home and industrial devices from various vendors (HP, Intel, Dell, or Cisco) to steal data from a printer or to change a machine’s settings.
Now the developers have patches for all the vulnerabilities, but most Treck-compatible devices won’t be tracked—and hence patched—as their supply chains are too complicated.
The largest botnets are global networks of such smart devices that are used for DDoS attacks or anonymization.
For example, one version of the Mirai botnet infiltrates Huawei HG532 routers through a vulnerability in a messaging protocol implementation.
Is a zero-day attack on the universal Turing machine dangerous?
There is an IT term, ‘universal Turing machine’, which denotes a computer abstraction or, in fact, a set of commands with which you can program any algorithm. Think of a magnetic tape with commands written as zeros and ones on it, which the processor reads and executes one after another.
Scientists invented several physical implementations of the Turing machine. In one of them, invented by Marvin Minsky in 1967, a zero-day vulnerability was discovered in 2021. The inventor had not expected that the header of the magnetic tape could contain anything but zeros and ones, and that the computer would then start executing the attacker’s code inside the universal Turing machine. Even so, it is just a computer abstraction, and there is no risk that someone can take advantage of this vulnerability.
How to protect against zero-day attacks?
Three things will work: using an ML-based WAF, following digital hygiene rules, and setting up a bug bounty program. Let’s get into the details.
WAF, or web application firewall, is a firewall that protects an app from attacks using both signature and non-signature analysis methods. Signature-based methods help find widespread attacks, while ML methods discover zero-day attacks with no signature in the database.
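The difference between the two methods, as an added example that is not the vendor's WAF code: a small signature list next to a per-parameter profile learned from normal traffic, which stands in here for the ML model. The parameter names, signatures and training values are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, minimal signature database: patterns for already-known attack classes.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script\b", r"\.\./")]

def signature_match(value):
    """Signature analysis: flags only values that match a known pattern."""
    return any(sig.search(value) for sig in SIGNATURES)

def shape(value):
    """Reduce a value to its character classes: d(igit), a(lpha), o(ther)."""
    return frozenset("d" if c.isdigit() else "a" if c.isalpha() else "o" for c in value)

class ParamProfile:
    """Non-signature analysis: learns what normal values of each parameter look like."""
    def __init__(self):
        self.max_len = defaultdict(int)
        self.classes = defaultdict(set)

    def learn(self, param, value):
        self.max_len[param] = max(self.max_len[param], len(value))
        self.classes[param] |= shape(value)

    def is_anomalous(self, param, value, slack=2.0):
        if param not in self.classes:
            return True  # parameter never seen in normal traffic
        too_long = len(value) > self.max_len[param] * slack
        new_classes = not shape(value) <= self.classes[param]
        return too_long or new_classes

def inspect(profile, param, value):
    """Known attacks are caught by signature, unknown ones by deviation from the profile."""
    if signature_match(value):
        return "blocked:signature"
    if profile.is_anomalous(param, value):
        return "blocked:anomaly"
    return "allowed"

# Constructed "normal" traffic for a hypothetical order form.
TRAINING = [("order_id", "48213"), ("order_id", "7"), ("order_id", "990114"),
            ("name", "Alice"), ("name", "Bob Smith")]

def build_profile():
    profile = ParamProfile()
    for param, value in TRAINING:
        profile.learn(param, value)
    return profile
```

A value with no entry in the signature list still gets blocked when it does not look like anything the parameter has carried before, which is the property that matters for zero-days.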
Let’s see how our WAF discovers vulnerabilities:
- It intermittently sends various malicious test requests to check the app’s response. These harmless requests help understand how an app would respond to a real attack.
- In case of a real attack, the WAF blocks it, copies the attack request, cuts the malicious part and cookies, and sends this request to the app to check its response.
Once a WAF detects a vulnerability, it immediately alerts you, so that you can quickly patch it.
Digital hygiene rules
To save your devices from the attacks, follow these rules:
- Never open files or links from unknown sources: malicious code does not come to your device out of the blue. It can be embedded into a JPG receipt emailed to you from an online store.
- Never download pirated software: it may be intentionally infected.
- Keep your system apps and antivirus updated so that the yet unknown vulnerabilities can be addressed by the latest code.
- Keep your IoT devices in isolated network segments. In this case, you should connect to your smart home subnet only to send commands to your devices. In addition, keeping your devices isolated will prevent your “smart” bulb from quietly becoming part of a botnet.
Large enterprises use the same rules and also protect their data with firewalls that allow authorized connections only. System administrators install monitoring software to discover anomalies in local network activity and isolate network segments where business-critical data is processed.
Bug bounty programs
Many vendors launch bug bounty programs to reward researchers who discover vulnerabilities in these vendors’ apps or websites. Once a vulnerability is found, the researcher notifies the vendor and gets the bounty, and the vendor starts making a fix.
For example, with our bug bounty program, you can get up to $1,500 depending on the type of identified vulnerability.
A zero-day uses a “hole” in an app or a device configuration that is not yet known to the vendor. The main danger of these attacks is that the developer finds the vulnerability after it has already been exploited.
To protect against zero-days, you can:
- reduce the risk of being attacked by following the above digital hygiene rules on the use of the Internet and devices;
- start your bug bounty program—a public offer to pay a bounty to anyone who discovers a new vulnerability in your system and informs you about it. Here is our bug bounty program;
- use an ML-based WAF, a firewall that blocks all application attacks, including zero-day attacks.