what are zero-days
And how do we exploit them?
Zero-day refers to a vulnerability in a system that attackers find before the developers know it exists. Zero-days are particularly dangerous because the developer has not had a chance to fix the vulnerability first.
A zero-day attack occurs when an attacker exploits a vulnerability before a patch or fix has been released for it. As soon as the manufacturer discovers the vulnerability, it stops being a zero-day.
We can liken the use of zero-days to the Cyber Kill Chain (which I also have a blog post about). The process of exploiting these vulnerabilities follows the same stages: the vulnerability is discovered, an exploit is created, an attack is carried out, and so on.
how do attackers find zero-day vulnerabilities?
There are many different ways to find zero-days, as most software has some vulnerability, even if it isn't huge. I have often used the house or castle analogy in my blog, so let's go back to it. Imagine a software system as a castle: it's big and has plenty of defenses, but there is probably some part of the castle where a brick is missing, or where vines growing up the side could be climbed by someone small. Discovering these vulnerabilities isn't easy, but it can be done if you understand the castle's architecture, what types of materials were used, and the common weaknesses of those materials. Software systems are similar: it's difficult to build a perfect one.
Some common techniques used are:
Fuzzing - This is when attackers send abnormal data to an application to see how it reacts, essentially throwing random or malformed data at software to see if it breaks or reveals vulnerabilities.
Reverse engineering - Analyzing the components of the code and how they interact with each other, which allows attackers to find weak points that can potentially be exploited. It starts with the machine code being disassembled into a form more readable by humans, normally using tools such as IDA Pro, Ghidra, and Hopper. Then comes a decompilation stage, where the attackers attempt to convert the assembly code back into a higher-level language such as C or Java, which can be difficult because information is lost during compilation. Finally there is dynamic analysis, where the code is run in a controlled environment to observe its behavior and identify vulnerabilities.
Automated scanning tools - SAST (static application security testing), which examines source code without executing it, looking for vulnerabilities such as buffer overflows, SQL injection, and cross-site scripting; or DAST (dynamic application security testing), which simulates real-world attacks against a running application to discover web application flaws.
Social engineering - Attackers can use social engineering techniques to convince employees to give up information.
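To make the fuzzing technique above concrete, here is an added example that is not from the original post: a small mutation fuzzer in Python run against a constructed, deliberately buggy record parser (parse_record, mutate, fuzz and the record format are all made up for the illustration). It shows why developers fuzz their own parsers: the bug is not reachable with well-formed input, but a few hundred mutated inputs expose it.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Constructed, deliberately buggy parser for "<len>:<payload>" records.
    It rejects inputs it recognises as malformed with ValueError, but it
    trusts the declared length, so a length larger than the payload makes it
    index past the buffer and raise IndexError: exactly the kind of
    unexpected failure fuzzing is meant to surface."""
    head, sep, body = data.partition(b":")
    if not sep or not head.isdigit():
        raise ValueError("malformed header")
    n = int(head)
    body[n - 1]          # BUG: no check that body really holds n bytes
    return body[:n]

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to four random mutations to a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:                            # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1:                                  # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 2 and buf:                          # delete one byte
            del buf[rng.randrange(len(buf))]
        elif buf:                                      # overwrite with a digit
            buf[rng.randrange(len(buf))] = rng.choice(b"0123456789")
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, seed=1):
    """Mutation fuzzer: feed mutated seeds to target and keep one reproducer
    per unexpected exception type. ValueError is the parser's documented
    rejection, so it is not counted as a finding."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    found = fuzz(parse_record, [b"5:hello", b"11:hello world"])
    for name, case in found.items():
        print(f"{name}: reproducer {case!r}")
```

Real fuzzers (AFL++, libFuzzer) add coverage feedback and crash triage, but the loop is the same: mutate, run, record anything the program did not expect.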
well-known zero-day attacks
Stuxnet computer worm
2022 Chrome attacks
WannaCry (EternalBlue exploit)
Log4Shell
how can we protect against zero-day attacks?
Patch management - update software and apply patches regularly.
Threat intelligence feeds - stay updated on external threat intelligence.
Zero trust architecture - use continuous authentication and least-privilege access to prevent lateral movement across a network.
Penetration testing - deploy attack surface management (ASM) tools and hire penetration testers to hunt for vulnerabilities.