‘Zero-day’ in its broad sense means that an attacker found an app or device vulnerability before the software developer, i.e., vendor.
Imagine a timeline with four points: an app was developed, the app was reviewed and a vulnerability was found, the developer patched the vulnerability, and users received the patch.
If it is the developer who finds the vulnerability, he or she acts proactively and delivers a patch to users.
Otherwise, a developer has zero days to fix the vulnerability, which gives the attacker a head start.
Zero-day attacks can last for months or even years, while the attacker exploits the vulnerability.
For example, the Stuxnet worm was discovered months after the first exploitation of its four vulnerabilities in Windows components:
The worm attacked only devices connected to controllers from specific vendors. All those vulnerabilities are now fixed.
The zero-day exploit market is part of the darknet economy, where hacking groups, IT enthusiasts and hobbyists prefer selling these exploits, which sometimes fetch six-figure sums, rather than using them.
The danger of a zero-day is that you never know which system component or app will be attacked. The developer finds the vulnerability only after it has already been exploited.
The vulnerability type determines whom hackers will attack: companies or users. Large financial organizations, security agencies, and defense contractors are often targeted for espionage and attacks on infrastructure.
In the mid-2010s, admins struggled to keep MS Office macros turned off, because the Dridex trojan could do harm only if they were enabled. Admins also told users not to open .doc, .xls and .ppt attachments from unknown senders, as Dridex exploited an MS Office zero-day vulnerability to steal business data and banking information without users' knowledge.
Mobile app users are also at risk: vulnerabilities in operating systems or apps, combined with social engineering, may end up with some functions locked and a ransom demanded to unlock them.
Another story is that of IoT devices: 'smart' light bulbs, IP cameras, cheap routers, and budget smartphones, which can be hacked without your knowledge. Even if the vulnerability becomes public, vendors will not necessarily patch it, because they save a lot by cutting corners on manufacturing and maintaining these devices.
In 2020, 19 vulnerabilities, dubbed Ripple20, were discovered in Treck's low-level TCP/IP library, designed for IoT devices. Malware could control millions of home and industrial devices from various vendors (HP, Intel, Dell, or Cisco) to steal data from a printer or to change a machine's settings.
Now the developers have patches for all the vulnerabilities, but most Treck-compatible devices won't be tracked, and hence won't be patched, as their supply chains are too complicated.
The largest botnets are global networks of such smart devices, used for DDoS attacks or anonymization.
For example, one version of the Mirai botnet infiltrates Huawei HG532 routers through a vulnerability in a messaging protocol implementation.
There is a computer science term, 'universal Turing machine', which denotes an abstract computer, or in fact a set of commands with which you can program any algorithm. Think of a magnetic tape with commands written on it as zeros and ones, which the processor reads and executes one after another.
Scientists have invented several physical implementations of the Turing machine. In one of them, devised by Marvin Minsky in 1967, a zero-day vulnerability was discovered in 2021. The inventor had not expected that the header of the magnetic tape could contain anything but zeros and ones, so the computer would start executing the attacker's code inside the universal Turing machine. Even so, it is just a computer abstraction, and there is no risk that someone can take advantage of this vulnerability.
Three things will work: using an ML-based WAF, following digital hygiene rules, and starting a bug bounty program. Let's get into the details.
WAF, or web application firewall, is a firewall that protects an app from attacks using both signature and non-signature analysis methods. Signature-based methods help find widespread attacks, while ML methods discover zero-day attacks with no signature in the database.
Let’s see how our WAF discovers vulnerabilities:
Once a WAF detects a vulnerability, it immediately alerts you, so that you can quickly patch it.
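To make the two-stage detection described above concrete, here is a small added example in Python. It is written for this page and is not the vendor's WAF code. The signature stage is a pair of regular expressions for widely known payload shapes; the non-signature stage is a simplified stand-in for the ML component: it learns, per query parameter, which character classes and value lengths appear in normal traffic and flags values that fall outside that profile. All request lines, parameter names, rule names and thresholds are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic for this demo; none of it is real log data.
# The baseline set stands for traffic the WAF has already observed as normal.
BENIGN_REQUESTS = [
    "GET /search?q=winter+boots&page=1",
    "GET /search?q=running+shoes&page=2",
    "GET /product?id=1042",
    "POST /login?user=alice&remember=1",
    "GET /search?q=blue+jacket+size+m&page=1",
    "GET /product?id=77",
]

TEST_REQUESTS = [
    "GET /search?q=red+scarf&page=3",           # ordinary request
    "GET /product?id=1%20OR%201%3D1",            # hits a known signature
    "GET /product?id=1042%29%28%7C%7C%5B%5D",    # no signature, but unlike any "id" seen so far
]

# Signature rules: regular expressions for widespread, well-known payload shapes.
# Real rule sets are far larger; two rules are enough to show the mechanism.
SIGNATURES = {
    "sqli_tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def decode_params(request_line):
    """Split 'METHOD target' and return the percent-decoded query parameters."""
    _method, _, target = request_line.partition(" ")
    query = urlsplit(target).query
    return dict(parse_qsl(query, keep_blank_values=True))


def char_classes(value):
    """Character classes present in a value: digit, alpha, space, other."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("alpha")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("other")
    return classes


def learn_baseline(requests):
    """Learn, per parameter name, which character classes and lengths are normal."""
    baseline = {}
    for line in requests:
        for name, value in decode_params(line).items():
            profile = baseline.setdefault(name, {"classes": set(), "max_len": 0})
            profile["classes"] |= char_classes(value)
            profile["max_len"] = max(profile["max_len"], len(value))
    return baseline


def inspect(request_line, baseline):
    """Return (parameter, finding) pairs; an empty list means the request looks normal."""
    findings = []
    for name, value in decode_params(request_line).items():
        # Stage 1: signature matching catches known attack shapes.
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                findings.append((name, "signature:" + sig_name))
        # Stage 2: baseline comparison catches values unlike anything learned,
        # which is the only stage that can fire on a payload with no signature.
        profile = baseline.get(name)
        if profile is None:
            findings.append((name, "anomaly:unknown-parameter"))
            continue
        unseen = char_classes(value) - profile["classes"]
        if unseen:
            findings.append((name, "anomaly:unexpected-chars:" + ",".join(sorted(unseen))))
        if len(value) > 2 * profile["max_len"]:
            findings.append((name, "anomaly:length"))
    return findings


if __name__ == "__main__":
    learned = learn_baseline(BENIGN_REQUESTS)
    for line in TEST_REQUESTS:
        result = inspect(line, learned)
        print(line, "->", "ALERT " + str(result) if result else "ok")
```

Running it, the first request passes, the second is caught by the signature rule, and the third produces only baseline anomalies: it matches no rule, which is exactly the situation a previously unseen exploit creates. A production WAF replaces the hand-written profile with a statistical model trained on far more traffic and tunes thresholds per application, but the alert it raises on a no-signature request is the same signal this toy emits.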
To save your devices from the attacks, follow these rules:
Large enterprises follow the same rules and also protect their data with firewalls that allow authorized connections only. System administrators install monitoring software to discover anomalies in local network activity and isolate the network segments where business-critical data is processed.
Many vendors launch bug bounty programs to reward researchers who discover vulnerabilities in the vendors' apps or websites. Once a vulnerability is found, the researcher notifies the vendor and gets the bounty, and the vendor starts working on a fix.
For example, with our bug bounty program, you can get up to $1,500 depending on the type of identified vulnerability.
A zero-day uses a "hole", as yet unknown to the vendor, in an app or a device configuration. The main danger of these attacks is that the developer finds the vulnerability only after it has already been exploited.
To protect against zero-days, you can: