The danger of zero-day attacks, and how to defend against them.

All software has flaws. In some cases, these flaws go beyond minor bugs and become full-on vulnerabilities. This refers to flaws which can be exploited by an attacker in a way that can be harmful to users.

The good news is that, in many cases, these vulnerabilities are plugged before you even hear about them. Developers and software companies are frequently warned about potential software holes, which they can then rectify before they have the chance to affect users. So long as users keep their systems updated, they should be protected from the majority of disclosed vulnerabilities.

Unfortunately, zero-day vulnerabilities play by different rules. A zero-day vulnerability is a security related software flaw that has not yet been patched. The words “zero-day” refer to a newly discovered vulnerability that developers have not previously been aware of, and therefore had the chance to rectify. While such vulnerabilities may be discovered by security researchers fighting on the side of good, they could equally be discovered by malicious actors who use them to exploit the security hole in what is known as a zero-day attack. In some cases, the vulnerability may only become known as a result of an attack.

For those without proper security measures, such as Web Application Firewalls (WAF), the results of such zero-day attacks can be devastating.

Methodology of a zero-day attack

Zero-day attacks begin with would-be attackers identifying a vulnerability. These are discovered by cybercriminals testing code for potential vulnerabilities. In some cases, the vulnerability or vulnerabilities may be found by another person and then sold on a black market.

Next, the cybercriminals have to figure out a way to exploit the vulnerability. This is done by writing a script or other process which allows them to use the vulnerability to compromise a system. After this, the attackers will identify a system to compromise with this exploit, a process that may involve manual inspection or automated bots. Following this, the attackers plan the attack, and then finally carry it out.

Developers try their hardest to stay ahead of such exploits. However, by their very nature, zero-day attacks are difficult to keep ahead of. Although developers have an obvious security incentive to make sure their systems are patched and safe, cyberattackers do as well — due to the potential damage, often with financial benefits, that a zero-day attack can cause.

Zero-day attacks in action

There is no shortage of examples of attempted zero-day attacks. One such illustration, taking place in April 2020, involved Sophos’ XG firewall, and an SQL injection vulnerability (Common Vulnerabilities and Exposure 2020-12271) that could have allowed attackers to inject malicious code into the firewall’s PostgreSQL database server. This, in turn, would allow attackers to change firewall settings to allow access to systems or to enable malware to be installed.

More recently, Microsoft patched some zero-day vulnerabilities which had been used by hackers in targeted attacks, beginning in early January 2021. These vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) involved Microsoft’s Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

The exploit meant that attackers could access email accounts belonging to users in order to steal mailbox information without requiring authentication. All the attackers needed to know in order to carry out this exploit was the server running Exchange and the email account they wanted to target.

Protecting against zero-day attacks

Protecting against zero-day attacks can be tough. Nonetheless, there are measures that businesses and organizations can put into place to help safeguard against these attacks.

For starters, it’s important that users keep their systems updated. This will not protect against wholly new vulnerabilities being exploited by attackers. However, frequently attackers will continue to target users with vulnerabilities even after they have been patched — knowing that a certain percentage of users will not have installed the necessary patch.

Because of the large number of patches that are issued, users may need to be selective about which they prioritize installing. To help make this call, make sure to monitor open source vulnerability databases such as the U.S. government’s National Vulnerability Database (NVD) and the OSVDB/VulnDB Open Source Vulnerability Database. These can alert you to potentially dangerous vulnerabilities you then can take proactive steps to prioritize and combat.

Use a Web Application Firewall

Perhaps the smartest move, however, is to use cybersecurity tools like Web Application Firewalls (WAF) and other such firewalls. A WAF sits on the network edge and monitors all incoming and outbound traffic to web applications, instantly identifying and blocking harmful behavior when it is found. In doing so, it can help protect against zero-day attacks and other vulnerabilities that there are not yet patches to protect against.

There is no way that all vulnerabilities are ever completely erased from software. The bigger and more complex the software, the more potential flaws it will contain. Of those flaws, it is inevitable that a certain number can be harnessed to inflict damage.

But by taking the right precautions, you can protect yourself and your organization — even in scenarios in which the attack vector or vulnerability is still not fully understood or patched.

Anurag Choudhari is the co-founder of Geekenized Technologies LLP, a web development & digital marketing agency that helps various SMBs & SMEs in developing & maintaining their online presence.