Zero-day vulnerabilities enable threat actors to take advantage of security blind spots. Typically, a zero-day attack involves identifying a zero-day vulnerability, creating a working exploit, identifying vulnerable systems, and planning the attack. The next steps are infiltration and launch.
This article examines three recent zero-day attacks, which targeted Microsoft, Internet Explorer, and Sophos. Finally, you will learn about four zero-day protection and prevention solutions—NGAV, EDR, IPsec, and network access controls.
What is a zero-day vulnerability?
Zero-day vulnerabilities are critical threats that are not yet publicly disclosed or that are only discovered as the result of an attack. By definition, vendors and users do not yet know about the vulnerability. The term zero-day stems from the time the threat is discovered (day zero). From this day a race occurs between security teams and attackers to respectively patch or exploit the threat first.
Anatomy of a zero-day attack
A zero-day attack occurs when criminals exploit a zero-day vulnerability. The timeline of a zero-day attack often includes the following steps.
- Identifying vulnerabilities: Criminals test open source code and proprietary applications for vulnerabilities that have not yet been reported. Attackers may also turn to black markets to purchase information on vulnerabilities that are not yet public.
- Creation of exploits: Attackers create a kit, script, or process that enables them to exploit the discovered vulnerability.
- Identifying vulnerable systems: Once an exploit is available, attackers begin looking for affected systems. This may involve using automated scanners, bots, or manual probing.
- Planning the attack: The type of attack that a criminal wants to accomplish determines this step. If an attack is targeted, attackers typically carry out reconnaissance to reduce their chance of being caught and increase the chance of success. For general attacks, criminals are more likely to use phishing campaigns or bots to try to hit as many targets as quickly as possible.
- Infiltration and launch: If a vulnerability requires first infiltrating a system, attackers work to do so before deploying the exploit. However, if a vulnerability can be exploited to gain entry, the exploit is applied directly.
Recent examples of attacks
Effectively preventing zero-day attacks is a significant challenge for any security team. These attacks come without warning and can bypass many security systems, particularly those that rely on signature-based methods. To help improve your security and decrease your risk, you can start by learning about the types of attacks that have recently occurred.
In March 2020, Microsoft warned users of zero-day attacks exploiting two separate vulnerabilities. These vulnerabilities affected all supported Windows versions, and no patch was expected until weeks later. At the time of writing, no CVE identifier had been assigned to these vulnerabilities.
The attacks targeted remote code execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library, which is built into Windows to manage PostScript Type 1 fonts. The flaws in ATM enabled attackers to use malicious documents to remotely run scripts. The documents arrived through spam or were downloaded by unsuspecting users. When a document was opened, or merely previewed in Windows File Explorer, the scripts would run and infect the user's device.
Internet Explorer (IE), Microsoft's legacy browser, is another recent source of zero-day attacks. The vulnerability (CVE-2020-0674) stems from a flaw in the way the IE scripting engine manages objects in memory, and it affected IE versions 9 through 11.
Attackers are able to leverage this vulnerability by tricking users into visiting a website crafted to exploit the flaw. This can be accomplished through phishing emails or through redirection of links and server requests.
In April 2020, zero-day attacks were reported against the Sophos XG Firewall. These attacks attempted to exploit a SQL injection vulnerability (CVE-2020-12271) targeting the firewall's built-in PostgreSQL database server.
If successfully exploited, this vulnerability would enable attackers to inject code into the database. This code could be used to modify firewall settings, granting access to systems or enabling the installation of malware.
Protection and prevention
To properly defend against zero-day attacks, you need to layer advanced protections on top of your existing tools and strategies. Below are a few solutions and practices designed to help you detect and prevent unknown threats.
Next-generation antivirus
Next-generation antivirus (NGAV) expands upon traditional antivirus by adding machine learning, behavioral detection, and exploit mitigation. These features enable NGAV to detect malware even when there is no known signature or file hash, which is what traditional AV relies on.
Additionally, these solutions are often cloud-based, enabling you to deploy tooling in isolation and at scale. This helps ensure that all of your devices are protected and that protections remain active even if devices are affected.
Endpoint detection and response
Endpoint detection and response (EDR) solutions provide visibility, monitoring, and automated protections for your endpoints. These solutions monitor all endpoint traffic and can use artificial intelligence to classify suspicious endpoint behaviors, such as unusually frequent requests or connections to or from foreign IP addresses. These capabilities enable you to block threats regardless of the attack method.
Additionally, EDR features can be used to track and monitor users or files. As long as the tracked aspect behaves within normal guidelines, no action is taken. However, as soon as behavior deviates, security teams can be alerted.
These capabilities require no knowledge of specific threats. Instead, they use threat intelligence to make generalized comparisons between observed behavior and known patterns of malicious activity. This makes EDR effective against zero-day attacks.
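The baseline-and-deviation logic described above, as an added example written for this article (it is not code from any EDR product): a per-host baseline is learned from a window of constructed connection telemetry, and later connections are flagged when they reach a country the host has never contacted or when the per-minute connection count exceeds a multiple of the host's baseline peak. The log format, host names, countries and addresses are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample telemetry (not from a real EDR product): one outbound connection per line.
BASELINE_LOG = """\
2020-04-01T09:00:05Z host=ws-17 user=alice dst=203.0.113.10 cc=US port=443
2020-04-01T09:03:40Z host=ws-17 user=alice dst=198.51.100.7 cc=DE port=443
2020-04-01T09:05:02Z host=ws-17 user=alice dst=203.0.113.12 cc=US port=443
"""
CURRENT_LOG = """\
2020-04-02T09:00:01Z host=ws-17 user=alice dst=203.0.113.10 cc=US port=443
2020-04-02T09:00:02Z host=ws-17 user=alice dst=192.0.2.50 cc=RU port=8443
2020-04-02T09:00:03Z host=ws-17 user=alice dst=192.0.2.51 cc=RU port=8443
2020-04-02T09:00:04Z host=ws-17 user=alice dst=192.0.2.52 cc=RU port=8443
2020-04-02T09:00:05Z host=ws-17 user=alice dst=192.0.2.53 cc=RU port=8443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=\S+ dst=(?P<dst>\S+) cc=(?P<cc>\S+) port=\d+$")

def parse(log):
    # One dict per well-formed line; "minute" is the timestamp truncated for rate counting.
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["minute"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(second=0)
        events.append(e)
    return events

def build_baseline(events):
    # Per host: countries seen during the learning window and peak connections per minute.
    countries, per_minute = defaultdict(set), Counter()
    for e in events:
        countries[e["host"]].add(e["cc"])
        per_minute[(e["host"], e["minute"])] += 1
    peak = defaultdict(int)
    for (host, _), n in per_minute.items():
        peak[host] = max(peak[host], n)
    return {"countries": countries, "peak": peak}

def detect(baseline, events, rate_factor=3):
    # Alert on each connection to a country unseen for the host, and once per minute on a rate spike.
    alerts, per_minute = [], Counter()
    for e in events:
        host, key = e["host"], (e["host"], e["minute"])
        if e["cc"] not in baseline["countries"].get(host, set()):
            alerts.append((host, "new_country", e["cc"], e["dst"]))
        per_minute[key] += 1
        limit = rate_factor * max(baseline["peak"].get(host, 0), 1)
        if per_minute[key] == limit + 1:
            alerts.append((host, "rate_spike", per_minute[key], e["ts"]))
    return alerts
```

Running `detect(build_baseline(parse(BASELINE_LOG)), parse(CURRENT_LOG))` yields four new-country alerts for the RU destinations and one rate-spike alert when the fourth connection lands in the same minute; a real deployment would tune the learning window and rate factor per host population.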
IP security (IPsec)
IP Security (IPsec) is a suite of standard protocols defined by the Internet Engineering Task Force (IETF). It enables teams to authenticate data and to verify its integrity and confidentiality between connection endpoints. It also provides encryption and secure key management and exchange.
You can use IPsec to authenticate and encrypt all of your network traffic. This enables you to secure connections and to quickly identify and respond to traffic that is not authenticated as part of your network or is otherwise suspicious. These abilities increase the difficulty of exploiting zero-day vulnerabilities and decrease the chance that attacks succeed.
Implement network access controls
Network access controls enable you to segment your networks in a highly granular way. This allows you to define exactly which users and devices can access your assets and through what means. This includes restricting access to only those devices and users with the appropriate security patches or tooling.
Network access controls can help you ensure that your systems are protected without interfering with productivity or forcing you to block external access entirely, such as the access needed when you host software as a service (SaaS).
These controls are beneficial for protecting against zero-day threats because they enable you to prevent lateral movement in your networks. This effectively isolates any damage a zero-day threat may cause.
Recent zero-day attacks show that more and more threat actors find an easy mark in endpoint users. The zero-day attack on Microsoft exploited ATM vulnerabilities to trick users into opening malware. When threat actors exploited an Internet Explorer zero-day vulnerability, they tricked users into visiting malicious sites. The zero-day attack on Sophos could potentially grant user access to threat actors.
However, while zero-day attacks are difficult to predict, it is possible to prevent and block these attacks. EDR security enables organizations to extend visibility into endpoints, and next-generation antivirus provides protection against malware without having to rely on known signatures. IPsec protocols enable organizations to authenticate and encrypt network traffic, and network access controls provide the tools to deny access to malicious actors. Don't let threat actors have the upper hand. By utilizing and layering several of these tools and approaches, you can better protect your employees, your data, and your organization.