Among the many cybersecurity risks organizations face on a daily basis, zero-day vulnerabilities are particularly dangerous because, at the moment they are discovered or first exploited, they are unknown to the technology vendor and therefore to its users. In practical terms, the vendor has had zero days to develop a fix when the flaw becomes known, hence the phrase ‘zero-day vulnerability’. Strictly speaking a flaw stops being a zero-day once a patch exists, but the risk persists for as long as that patch is not installed.
These weaknesses can exist within operating systems, applications, firmware or devices and can go undetected for days, weeks or even years before being found. When a threat actor finds one first, the resulting exploit can be used to gain unauthorized access to networks and sensitive data, or as a foothold from which to cause severe disruption to technology infrastructure, services and system availability.
Until the vendor makes a patch available and users install it, the security blind spot remains wide open, even once the vulnerability has been publicly disclosed. Public disclosure without a patch can make matters worse, since it hands attackers the details they need.
How common are zero-day vulnerabilities?
According to a report published by Google’s Threat Analysis Group and Mandiant in March 2024, 97 zero-day vulnerabilities were exploited ‘in the wild’ (i.e., used against real targets before a patch was available) in 2023, up from 62 in 2022, an increase of more than 50%. While this may not seem like a particularly high number compared to the scale of other security risks, a single zero-day vulnerability in a widely deployed product can affect thousands of systems and millions of individuals.
The risks are very real, and as the Google report says, “Zero-day exploitation is no longer just a niche capability accessible to only a handful of actors, and we anticipate that the growth we have seen across the last few years will likely continue.”
How are they discovered?
Zero-day vulnerabilities are discovered in a number of ways. Ideally they are found by people who want the gap closed before it is exploited: security companies, independent researchers, vendors’ own product security teams and government organizations, using methods such as fuzzing and other software testing, code review and security audits, or simply by accident. Responsible finders report the flaw privately to the vendor (coordinated disclosure) so that a patch can be ready before the details become public.
In addition, many software vendors run bug bounty programs that pay researchers for privately reported vulnerabilities. Problems arise when the first to find a vulnerability is a threat actor, who will move quickly to weaponize it and use it to gain access to networks and data, or an exploit broker who sells it on. For many, the motivation is purely financial.
Examples of zero-day attacks
Over the last decade, there have been a range of extremely damaging and costly cyber-attacks that have exploited zero-day vulnerabilities. These include:
- MOVEit Transfer (2023) - attackers exploited a SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer product, used by organizations around the world, including three of the UK’s best-known brands, the BBC, British Airways and Boots, which were hit through their payroll provider Zellis. Injected SQL commands gave the attackers access to MOVEit customers’ databases, from which they stole data. Estimated financial impact: up to $12.5 billion.
- Petya and NotPetya (2016-2017) - NotPetya has been described as “one of the most devastating cyber attacks in history” and is often listed among zero-day attacks, but it actually spread using the EternalBlue exploit for an SMBv1 flaw Microsoft had patched in March 2017 (MS17-010), a compromised update of the Ukrainian accounting package M.E.Doc, and stolen credentials for lateral movement. Its ‘ransomware’ was effectively a wiper, since encrypted data could not be recovered even after payment. The original Petya (2016) was conventional ransomware spread by phishing. Estimated financial impact: up to $10 billion.
- WannaCry (2017) - used the EternalBlue exploit for the SMBv1 vulnerability (MS17-010, CVE-2017-0144) to self-propagate and deliver crypto-ransomware. Microsoft had released the patch two months before the outbreak, so strictly this was an n-day rather than a zero-day attack: only systems that had not installed the update, or unsupported versions such as Windows XP that received an emergency fix afterwards, were hit. Infecting between 200,000 and 300,000 devices worldwide, including those operated by the NHS, Honda and FedEx, its estimated financial impact is around $4 billion.
- Heartbleed (2014) - a missing bounds check in OpenSSL’s TLS heartbeat extension (CVE-2014-0160) let a client or server request up to 64 KB of the peer’s process memory per heartbeat, potentially exposing private keys, session cookies and passwords, and leaving no trace in logs. The bug had been in released code for about two years before it was found and disclosed. Estimated financial impact: c.$500 million.
Protecting Against Zero-Day Vulnerabilities
Across the cybersecurity ecosystem, vendors and researchers work hard to identify and patch vulnerabilities before they can be exploited. ‘Patch Tuesday’, for example, has been a monthly fixture in the global cybersecurity calendar since Microsoft introduced it in 2003. On the second Tuesday of every month, Microsoft, along with other vendors such as Adobe and SAP that align with the same date, releases a batch of software fixes, some of which address critical vulnerabilities. For IT and security professionals the world over it is a predictable opportunity to address emerging risks, but it should be treated as the baseline rather than the ceiling: out-of-band fixes for actively exploited zero-days can be released on any day and should be applied as soon as they appear.
Patch Tuesday has a shadow, however. As soon as the fixes are public, attackers compare the patched and unpatched binaries to work out what was fixed and build exploits for it. Working exploits can appear within 24 hours, a pattern known as ‘Exploit Wednesday’, and they target the systems that have not yet been updated.
The story doesn’t end there. Some updates cause stability, compatibility or performance problems for a subset of the users who install them. As these issues are identified, IT teams use ‘Uninstall Thursday’ to roll back the offending components and get their systems running normally again. Vendors will generally release corrected hotfixes quickly so that users can close the security gap without breaking their software infrastructure; in the meantime, a rolled-back host is exposed again and should be tracked as unpatched.
Glasswall Content Disarm and Reconstruction
Despite these efforts, protecting against zero-day vulnerabilities is extremely challenging. A major part of the problem is that many cybersecurity strategies are built to react: they depend on someone first observing an attack, then producing a signature, an indicator or a patch. That makes them ideal targets for zero-day attacks, where a window of even a few hours or days can prove catastrophic, leaving organizations scrambling to close blind spots and vendors under pressure to release patches as quickly as possible.
With two-thirds of malware delivered through PDFs as malicious email attachments, content that signature-based tools only recognize once a sample has already been seen, security teams need tools that let them take a proactive posture towards the risks posed by zero-day vulnerabilities.
A reliance on detection also means that no matter how complex a security solution may be, it can still only protect its users against what has been seen before – falling short when protecting against zero-day threats. For example:
- “Next-generation” AV and firewalls are detection-based, so they can only protect against risks already known to them: signatures, indicators and behaviours seen before. This leaves organizations exposed as bad actors constantly evolve their techniques and find new vulnerabilities to exploit.
- Sandbox solutions. These can offer some protection, but cyber criminals now routinely evade them. Malicious content can carry a delayed ‘detonator’, or check for signs that it is running in a virtual machine, so the malware lies dormant and undetected during sandbox analysis and activates only once it has been passed through to the user.
- Machine learning and AI technologies. These rely on models trained to recognize the signs and patterns of malicious content seen before. While often more effective than traditional signatures, machine learning and AI on their own cannot offer absolute protection and still leave organizations at risk from genuinely new (zero-day) threats.
Glasswall’s zero-trust file protection takes a different approach. Instead of looking for malicious content, our Content Disarm and Reconstruction (CDR) process treats every file as untrusted: it parses the file, validates it against the file format’s published ‘known-good’ specification, rebuilds a clean copy containing only the structures that specification allows, and discards everything else, whether or not it is recognized as malicious. Only safe, clean and fully functioning files enter and leave the organization, and users can open them with full confidence. Because it never needs to have seen an attack before, Glasswall CDR is a preventative control that strengthens an organization’s security posture rather than a reactive, detection-based one.
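To make the principle concrete, the following is an added, illustrative example written for this article; it is not Glasswall’s code and does not reflect how Glasswall Halo or the SDK work internally. It applies the CDR idea to one simple format, PNG: it parses the file, enforces the specification (signature, chunk lengths, CRCs, chunk order, header fields consistent with the pixel data), then writes a fresh file containing only an allow-list of structural chunks, re-encoding the pixel data rather than copying the original bytes. A constructed 2x2 test image carrying extra chunks (including one standing in for smuggled content) is embedded so it runs offline. The allow-list, the supported colour types and the sample image are all assumptions made for the demo.

```python
"""Minimal Content Disarm and Reconstruction (CDR) for PNG files. Illustrative
code written for this article, not Glasswall's implementation: it rebuilds a file
from its parsed, spec-validated structure instead of scanning for known-bad patterns."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Allow-list of structural chunks the rebuilt file may carry. Everything else
# (text, timestamps, private or unknown chunks) is dropped unexamined.
ALLOWED_CHUNKS = (b"IHDR", b"PLTE", b"IDAT", b"IEND")
# Bytes per pixel for the 8-bit, non-interlaced colour types handled here
# (grey, RGB, grey+alpha, RGBA); anything else is rejected, i.e. fail closed.
BYTES_PER_PIXEL = {0: 1, 2: 3, 4: 2, 6: 4}

def _chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_png(data):
    """Walk the chunk list enforcing signature, lengths, CRCs and order.
    Returns [(type, body), ...] or raises ValueError on any spec deviation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if length > 0x7FFFFFFF or end > len(data):
            raise ValueError("chunk %r length out of range" % ctype)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, body))
        pos = end
        if ctype == b"IEND":
            break
    if pos != len(data):
        raise ValueError("trailing data after IEND")
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR must be first and IEND last")
    return chunks

def rebuild_png(data):
    """Parse, validate and re-serialise a PNG from its known-good parts.
    Returns (clean_bytes, dropped_chunk_types) or raises ValueError."""
    chunks = parse_png(data)
    kept = [(t, b) for t, b in chunks if t in ALLOWED_CHUNKS]
    dropped = [t for t, _ in chunks if t not in ALLOWED_CHUNKS]
    # Cross-check the header against the pixel data so a fuzzed IHDR or a
    # wrongly sized IDAT stream never reaches the output.
    ihdr = kept[0][1]
    if len(ihdr) != 13:
        raise ValueError("IHDR must be 13 bytes")
    width, height, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if depth != 8 or ctype not in BYTES_PER_PIXEL or comp or filt or interlace:
        raise ValueError("image type not supported by this rebuilder")
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        raise ValueError("invalid image dimensions")
    expected = height * (1 + width * BYTES_PER_PIXEL[ctype])
    idat = b"".join(b for t, b in kept if t == b"IDAT")
    # Cap inflation at expected+1 bytes: a decompression bomb is rejected by
    # size rather than inflated into memory.
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(idat, expected + 1)
    except zlib.error as exc:
        raise ValueError("corrupt IDAT stream: %s" % exc)
    if len(raw) != expected or not inflater.eof or inflater.unused_data:
        raise ValueError("IDAT does not match IHDR dimensions")
    # Re-encode from the decoded scanlines: the output never carries the
    # original compressed bytes or chunk layout verbatim.
    clean = [(b"IHDR", ihdr)] + [(t, b) for t, b in kept if t == b"PLTE"]
    clean += [(b"IDAT", zlib.compress(raw, 9)), (b"IEND", b"")]
    return PNG_SIG + b"".join(_chunk(t, b) for t, b in clean), dropped

def is_valid_png(data):
    """True if parse_png accepts the file, False on any spec violation."""
    try:
        parse_png(data)
        return True
    except ValueError:
        return False

def make_sample_png():
    """Constructed 2x2 RGB demo image (not a real sample) carrying a tEXt
    chunk, a private 'prVt' chunk standing in for smuggled content, and a
    tIME chunk after IDAT; the rebuild drops all three."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    scanlines = (b"\x00\xff\x00\x00\x00\xff\x00"   # filter 0, red, green
                 b"\x00\x00\x00\xff\xff\xff\xff")  # filter 0, blue, white
    chunks = [(b"IHDR", ihdr), (b"tEXt", b"Comment\x00constructed for demo"),
              (b"prVt", b"<script>alert(1)</script>"), (b"IDAT", zlib.compress(scanlines)),
              (b"tIME", b"\x07\xe8\x01\x01\x00\x00\x00"), (b"IEND", b"")]
    return PNG_SIG + b"".join(_chunk(t, b) for t, b in chunks)
```

Running `rebuild_png(make_sample_png())` returns a file containing only IHDR, IDAT and IEND and reports the three discarded chunk types; the ‘smuggled’ payload is gone without the code ever having looked for it. Two design choices carry the security argument: the output is built from an allow-list, so unknown chunk types are dropped by default rather than passed through, and the rebuilder fails closed (raises) on anything it cannot fully validate, such as a CRC mismatch, trailing bytes after IEND, an unsupported colour type or pixel data whose size disagrees with the header. A production CDR engine has to do this for every structure of much richer formats such as PDF and Office documents, including nested and compressed streams, which is where the engineering effort lies.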
Security teams can embed our cloud-native CDR across their infrastructure in one of two ways. Glasswall Halo is an out-of-the-box CDR solution that comes ready to deploy with its own UI and reporting dashboards. Alternatively, for organizations that want to build Glasswall CDR into their existing systems, our embedded SDK lets teams add zero-trust file protection to their own software applications and network deployments.