What is a Zero-Day Exploit?
A zero-day exploit is an unknown security vulnerability or software flaw that attackers specifically target with malicious code. This flaw or hole, called a zero-day vulnerability, can go unnoticed for years.
The term “zero-day” is used to refer to the number of days that a software vendor has known about the exploit. Since the software developer was previously unaware of the exploit, and they’ve had zero days to work on an official patch or an update to fix the issue. But attackers may have already written malware that slips through the security hole and compromises a device or network.
If they have, that’s called a zero-day attack. It’s like a thief sneaking in through a backdoor that was accidentally left unlocked. Once a patch has been released, the exploit is no longer called “zero-day.”
Zero-day exploits are extremely valuable due to the strong demand from advanced persistent threats (APTs), security companies and government intelligence agencies, and they’re often sold for huge sums of money.
Zero-day threats are also extremely dangerous for companies because they’re very difficult to detect, making them a serious security risk.
Want to stay ahead of adversaries? Download the 2020 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.
Zero-day Attack Vectors
Hackers exploit zero-day vulnerabilities to gain access to a device or network. The type of vulnerability determines the type of exploit that is used.
For example, if a zero-day vulnerability has been discovered in a media player, a zero-day attack could use a media file capable of using that vulnerability to execute a malicious payload. Similarly, a vulnerability in a web browser or software application like Adobe Flash can be exploited when an unsuspecting victim visits a compromised website. Security flaws in software programs can likewise be targeted when an infected Word document or pdf file is opened.
An adversary often lures victims using email phishing techniques including spoofing, where an email header is forged to make it appear to be coming from a trusted source. Email spoofing can prompt an unaware recipient to visit a malicious website or open an infected file. The danger with zero-day attacks is that they’re unknown and therefore typically undetected by standard antivirus protection.
Read our blog post to learn how CrowdStrike Discovered Hurricane Panda Using CVE-2014-4113, a 64-bit Zero-Day Escalation Exploit that wreaked havoc on Windows machines.
Zero-day Vulnerability Examples
One of the most well-known zero-day attacks is Stuxnet, the worm believed to be responsible for causing considerable damage to Iran’s nuclear program. This worm exploited four different zero-day vulnerabilities in the Microsoft Windows operating system.
In March 2018, zero-day exploits were also discovered in PDFs. These PDFs contained two zero-day vulnerabilities (CVE-2018-4990 and CVE-2018-8120) that were targeting both Acrobat Reader and Acrobat. CVE-2018-4990 was an out-of-bounds read vulnerability in Acrobat Reader and CVE-2018-8120 was an EoP (elevation of privileges) vulnerability in Win32k, which could be used to bypass Acrobat Reader’s sandbox.
Detecting and Defending Against Zero-day Attacks
To effectively detect and mitigate zero-day attacks, a coordinated defense is needed — one that includes both prevention technology and a thorough response plan in the event of an attack. Organizations can prepare for these stealthy and damaging events by deploying a complete endpoint security solution that combines technologies including next-gen antivirus (NGAV), endpoint detection and response (EDR) and threat intelligence.
Since software with vulnerabilities can be in any company’s environment, an attempted breach is inevitable, so it’s essential to have endpoint security with anti-exploit and post-exploit capabilities in place.
To optimize defense, organizations should implement the best prevention technology at the point of attack, while also having a plan for worst-case scenarios. Then, if an attacker is successful in getting into the network, the security team will have the tools, processes and technology in place to mitigate the event before real damage is done.
CrowdStrike Falcon® endpoint protection enables organizations to block zero-day exploits at the point of attack, using machine learning and behavioral analytics. The Falcon platform also includes automatic detection and prevention logic for post-exploitation activities so that security teams can gain immediate visibility into an attack, even if it bypasses other defenses.
Watch the video below to see how the Falcon platform stops a zero-day attack in its tracks:
Falcon not only detects indicators of attack (IOAs), it also includes exploit mitigation technology to prevent the successful exploitation of the underlying operating system. As a result, an adversary is prevented from using common exploitation techniques because the execution of exploit code is stopped at the endpoint, in real time, thereby blocking zero-day attacks that use previously undiscovered malware.
Falcon’s combination of IOA-based prevention technology and exploit mitigation techniques is a powerful defense against unknown, zero-day threats.
To learn more about CrowdStrike® Falcon and request a free trial, click the button below: