What Is a Zero-Day Attack?

What Is a Zero-Day Vulnerability?

The number in "N-day" indicates the number of days after such a vulnerability is disclosed but no patch has been developed, which in the case of "zero-day" indicates that a patch is not developed the day such a vulnerability is disclosed. In most cases, a patch cannot be developed on the same day when a vulnerability is disclosed. If no patch is available after N days, it is called an N-day vulnerability. "Zero-day" can also refer to an attack that exploits such a vulnerability the day it is disclosed. This is called a zero-day attack.

"Zero-day" is no longer used to indicate how many days the vulnerability has existed as hackers may have discovered the vulnerability a long time ago but not yet disclosed it. Only when such a vulnerability is disclosed can it be detected by software vendors and the public and called a zero-day vulnerability. Therefore, "zero-day" often means the vulnerability is unknown to software vendors and the public but known to hackers or traders on the dark web.

How Does a Zero-Day Vulnerability Lead to a Zero-Day Attack?

Typically, when someone finds a potential security issue in a piece of software, he or she will notify the software supplier or release it to the public, and the software supplier will start to repair the vulnerability and develop a corresponding patch. If a hacker discovers a vulnerability, it takes time for him or her to develop malware. During this period, network administrators implement measures to mitigate the zero-day vulnerability, for example, disabling some services until a patch is released.

In most cases, hackers are the first to discover a zero-day vulnerability. Hackers usually use automated test tools and reverse engineering to search for such vulnerabilities. After discovering such a vulnerability, the hackers can exploit them to quickly and easily get round strict network protection measures, penetrate the network, and launch zero-day attacks. In short, a zero-day attack is a network attack that exploits a zero-day vulnerability to attack a system or software application.

Common types of zero-day attacks are as follows:

• Account Takeover (ATO) Attack

  In an ATO attack, an attacker uses malware to take unauthorized control over a compromised system and perform a series of malicious operations through the victim. For example, an attacker installs malware in a system, sends phishing messages or emails to the victim's contacts, or steals money from the victim's banking account.

• Watering Hole Attack

  A watering hole attack is named after the way predators in the wild wait at the watering hole where many animals go to drink to find and attack their prey.

  Similarly in the cyber world, attackers in the cyber world first analyze the websites frequently visited by target groups and then implant malicious programs into these websites. Then, when members of the target group visit these websites, they are highly susceptible to the malicious programs and then spread such programs to other members.

• Zero-Day Wednesday

  Microsoft usually releases updates for system patches on the second Tuesday of every month. This is unofficially called "Patch Tuesday". However, if a vulnerability (such as a zero-day vulnerability) is discovered, Microsoft will release an emergency patch instead of waiting for the patch day. Some hackers choose to launch new attacks on the day after Patch Tuesday in an attempt to exploit the attack time window. Therefore, such attacks are called zero-day Wednesday attacks.

  Nowadays, "Patch Tuesday" refers to the day when Microsoft, Adobe, and other software vendors periodically release patches. Hackers take advantage of the period between releases to launch attacks. Software vendors do not frequently release emergency patches for all vulnerabilities. That means hackers will have sufficient time to compromise the system.

Why Is a Zero-Day Attack Dangerous?

Zero-day vulnerabilities are usually of high severity, so they are often very destructive. Research shows that 30% of malware is based on zero-day vulnerabilities. The related forms of malware include viruses, worms, and Trojan horses. Zero-day attacks are generally designed to spread quickly to infect as many hosts and systems as possible. Zero-day attacks have evolved from passively and slowly spreading files and macro viruses to more proactive self-propagating email worms and hybrid threats, greatly shortening the threat propagation time and expanding the scope of impact.

If a zero-day attack occurs, software or security vendors usually need several days or even months to analyze attack information. Hackers can obviously obtain substantial benefits during this period.

Zero-day attacks are targeted at the following types of victims:

• High-Value Targets

  Such targets include financial and healthcare institutions, government, and military agencies. Successful attacks on such targets would have huge economic or political implications. Zero-day vulnerabilities of such targets are often the most expensive on the dark web.

• Targets with a Large Impact Scope

  Such targets include browser software, operating system software, common application software, and so on. According to statistics on zero-day vulnerabilities in recent years, the majority of attacks are launched against Microsoft software (such as Windows OS, Internet Explorer, and Office software). This is because Microsoft products are the most widely used.

Notable Zero-Day Attack Events

• Stuxnet

  Stuxnet may be the first cyberweapon in the world that has ever been put into use. This malware exploited multiple zero-day vulnerabilities for penetration and spreading, eventually manipulating centrifuges to wreak destruction on them at an Iranian nuclear power plant.

• Sony Zero-Day Attack

  The Sony zero-day attack targeted Sony Pictures. Hackers exploited a zero-day vulnerability to penetrate into Sony's network and quickly accessed all important information. Then, hackers began to release the stolen confidential information and files, including copies of new movies that had not yet been released, business transaction details, and business plans, which caused great losses to Sony.

• Operation Aurora

  Operation Aurora is a typical APT attack. Hackers leveraged social engineering to investigate Google employees' information and then enticed these employees to click on malicious website links. By exploiting the zero-day vulnerability and implanting malware, the hackers finally attacked Google.

Methods Used to Reduce Zero-Day Attack Risks

Currently, there is no security product or solution that can completely mitigate zero-day attacks. To effectively reduce the probability of being attacked by zero-day attacks and minimize the loss caused by such attacks, build a complete defense system and improve individuals' awareness of cyber security.

The following measures can be taken to prevent zero-day attacks:

• Enhance employees' cyber security awareness: Organize cyber security training for all employees to master basic cyber security knowledge, and prevent hackers from initiating internal attacks.
• Reinforce computer systems: Computers are usually the weakest part of an entire network. Harden security of the terminal systems to effectively reduce zero-day attacks.
• Update software in real time: Common software, such as browsers, antivirus software, and office software, must be updated in real time.
• Promptly fix vulnerabilities: Periodically scan for vulnerabilities of network devices and promptly fix existing vulnerabilities to reduce attack risks.
• Strengthen the construction of network security facilities: Deploy the necessary security devices and software (such as the big data security analysis system, NGFW, vulnerability scanning device, and antivirus software) on the network to reduce the impact scope and severity of zero-day attacks.
• Enhance permission authentication and review: Implement the zero-trust security solution to enhance user operation authorization and user identity review.
• Work out an emergency response solution: As the threats of zero-day attacks cannot be completely eliminated, the emergency response solution helps enterprises quickly prevent attacks and minimize losses.

How Does Huawei Help You Defend Against Zero-Day Attacks?

In most cases, it is difficult to discover or detect zero-day vulnerabilities in advance. Unlike hackers who launch zero-day attacks, others can confirm that such attacks are initiated by exploiting zero-day vulnerabilities only after obtaining detailed information about the attacks. The only way to eliminate zero-day vulnerabilities is to ask software vendors to provide patches, usually taking a long time. Therefore, software vendors usually provide functions to prevent zero-day attacks in the latest patches. Actually, this method does not completely resolve such vulnerabilities.

To adapt to increasingly complex network environments and cope with advanced threats (such as APTs), Huawei provides various security solutions and products to help you promptly detect security risks and reduce related impact.

• Anti-APT and Big Data Security Solution effectively prevents APT attacks from threatening enterprises' core information assets and implements various functions, such as threat detection, threat source tracing, evidence collection, and network-wide collaborative defense. This solution applies to scenarios such as finance, government, energy, and Internet enterprises.

• HiSec Insight Advanced Threat Analytics System

  The HiSec Insight uses big data technology and intelligent detection algorithms to perform multi-dimensional relation analysis on mass data, detect various threat events in real time, and restore the entire APT kill chain model. In addition, it displays the security situation of an entire network to provide users with an overview of the network security status.

  The HiSec Insight supports behavior analysis technologies. By comparing differences between individual behaviors and standard behavior patterns, the HiSec Insight can detect signs of zero-day attacks in advance.

• FireHunter6000 Series Sandbox

  The FireHunter can accurately identify unknown malicious file penetration and C&C-based malicious external connections. By restoring file data from network traffic and analyzing them in a virtual environment, the FireHunter can detect and defend against unknown malicious files.

• USG6000E Firewall

  In addition to providing NGFW capabilities, the USG6000E can interwork with other security devices to enhance border detection capabilities and effectively mitigate advanced threats. The USG6000E also supports heuristic detection (signature analysis technology). It leverages machine learning to analyze suspicious features in files and dig out potential malware. It then automatically generates new signatures for subsequent zero-day vulnerability detection.

Related Concepts