Zero days and counting

May 27, 2019by Geoff Nairn0
zero-day-attacks-blog-1280x720.jpg

The battle against cybercrime is a constant race against time.  Each day, new security flaws (i.e. vulnerabilities) are discovered in software and, once reported, they are (generally) fixed rapidly by the software developer.  However, whilst the identified vulnerability remains unfixed, computers running the software remain exposed to a zero-day attack.

In this type of attack, hackers write code designed to exploit the newly discovered security weakness. The code is packaged into a piece of malware (known as a zero-day exploit) and is distributed to target computers via common file sharing methods such as emails with malicious download links or USB drives handed out to unaware conference attendees.

Because of their very nature, zero-day exploits are typically not identified by anti-malware tools, since their databases will not contain the unique signature that is required to identify and block the malware.

The ThreatCloud database, which is operated by Israeli security software vendor Check Point Software Technologies, (astoundingly) claims to identify 700,000 new pieces of malware each day and continues to update and store over 11 million malware signatures.

Most commercial malware scanners are signature-based and can only block known signatures.  So if you click on the link in the bogus e-mail, the scanner may not detect the malware and the zero-day exploit will install itself on your computer, ready to wreak havoc.  For example, it might try to:

  • let criminally motivated peopletake control of your computer;
  • access contacts data on your computer to send spam;
  • steal confidential data; or
  • disable anti-virus scanners and download more malware.

White hats versus black hats

Discovering a zero-day vulnerability is like winning the jackpot for a criminally-minded “black-hat” hacker. Whilst the vulnerability remains unknown to others, there is an opportunity to design a piece of malware to exploit systems where the vulnerability is present.

Fortunately, many zero-day vulnerabilities are discovered by responsible researchers or “white-hat” hackers – security experts who specialise in searching for vulnerabilities in software.

White-hat hackers will typically report their findings directly to the associated software vendor.  However, sometimes the discoverer will report their findings publicly – probably not for malicious purposes, but more likely to obtain bragging rights within their community.  In this case, the software developer must now act very quickly as it has “zero days” to develop a fix before hackers learn about it and try to launch a zero-day attack.

Security software vendor Kaspersky Lab discovered a Windows vulnerability,  known as CVE-2019-0797, and reported it to Microsoft on 2nd Feb this year, Microsoft released a patch to fix it on 11th March (37 days later).  However, despite the best efforts of Kaspersky’s white hat researchers and Microsoft’s engineers, the vulnerability had already been discovered independently by black hat hackers and exploited by the time there weas a fix.

Needless to say, information on zero-day vulnerabilities is very valuable.

To motivate the discovery and anonymous reporting of vulnerabilities, many software vendors now run bug bounty programmes, where financial rewards are offered for the reporting new vulnerabilities in their software – take a look at our blog post on bug bounty programmes and their benefits.

For the black-hat hackers, there is also money to be made.  Information on zero-day vulnerabilities can also be sold to fellow cyber criminals via the Dark Web.  In 2007, Russian hacking group TheShadowBrokers made off with a haul of zero-day threats stolen from the US National Security Association. It launched a monthly subscription service offering information on the threats to “high rollers, hackers, security companies, OEMs, and governments” for around $20,000 a month.

A grey market for zero-day threats

As well as the black market, there is a growing “grey market” in zero-day vulnerabilities whose buyers include businesses, law enforcement agencies and nation-sponsored hackers, AKA spies.

Zerodium, a US company, specializes in buying zero-day vulnerabilities and selling them on to grey-market customers – a practice that is questionable but not, apparently, illegal.  The company says that law enforcement agencies are particularly interested in zero-day exploits that can enable them to unlock the phones of suspected criminals in order to read their encrypted messages.

Apple has long resisted requests by the Federal Bureau of Investigation (FBI) to create a “back door”for them into the iOS operating system.  As long as Apple maintains this stance, the FBI are likely to continue spending considerable sums of money to (at least temporarily) buy themselves access via the grey-market.

Zerodium clearly understand the value of zero day vulnerabilities and recently announced it was increasing the money on offer for the most sought-after hack.  A “zero-click iOS remote jailbreak”, i.e. a vulnerability that provides full access to an iPhone without the user having to click on a link, is now worth $2m. If the vulnerability requires the user to click on a link to activate the malware, then the price is (a meagre…) $1.5m.

Compared to the relatively modest bounties – $50,000 or less is typical – offered by software companies to white-hat hackers, the grey market for zero-day vulnerabilities pays much better. But a researcher who sells to Zerodium or any other third party has no idea how the vulnerability will be used – so it is morally questionable, to say the least.

How to protect yourself

What can you do to protect your computers from zero-day attacks?

The first line of defence against most malware is an anti-virus scanner. However, these products are often ineffective against zero-day exploits, because most anti-virus software can only detect known threats.

The next layer of defence to consider deploying is behaviour-based detection system.  Instead of simply “profile matching” new files and software against a database of known threats, these tools monitor activity and raise alerts for actions that appear unusual or unintended.

But, before you invest money on the latest behaviour-based machine learning system, organisations simply must get the basics right. The simplest and most effective measure to minimize the risk of zero-day threats is to ensure timely deployments of patches / updates from your software vendors.

By doing so, you reduce the window of opportunity for hackers to the short time that typically elapses between a zero-day attack being launched and the relevant software patch being distributed.

Geoff Nairn


Leave a Reply

Your email address will not be published. Required fields are marked *