The Makings of a Zero-Day Attack
Ransomware attacks and Zero-Day Attacks have been and are becoming an even larger problem today for businesses regardless of their size. Security researchers are constantly on their toes to identify critical bugs in their IT, websites, and products.
With the increasing technological advancement and introduction of new software and applications, security flaws have become a glaring issue for the IT industry.
Unfortunately, not every organization is prepared to defend itself. Zero-Day vulnerabilities aren’t the principal cause of data breaches but can lead to harming the organization in numerous ways. They often occur without the organization’s knowledge and ultimately lead to data loss, system shutdown, password leaks, and loss of reputation.
What is a Zero-day Attack?
All software, firmware, and hardware run by an organization can be vulnerable to Zero-Day attacks due to unintentional technological flaws. It is the vendors’ job to identify, patch, and release updates for those vulnerabilities. Unfortunately, malicious actors eagerly wait to take advantage of such flaws to intrude into your organization.
Vendors have zero days to develop a patch until the hackers turn it into an exploit; hence ‘Zero-Day.’ When the malicious actor exploits the Zero-Day vulnerability, it’s a Zero-Day attack. Since it is an unknown flaw, there is a considerable chance for the organization to be at risk.
Another component and oft-confusing term is “Zero-Day Malware.” As malicious actors develop new malware variants, signature-based detection & protection vendors have zero days to produce a signature and incorporate it into their databases to protect their clients.
A Zero-Day vulnerability goes undetected even by an updated anti-virus software until the release of a patch. Then, the security researchers discover the exploit and add it to the Common Vulnerability and Exposures (CVEs) list. When the patch is released publicly, it is no longer called a Zero-Day vulnerability. As soon as the patch is available, the clock starts ticking as the organization races to update the unpatched systems to keep them secure from threats.
This attack can target all types of businesses, but high-value organizations like government bodies, military research, hardware, and software developers are their expected targets. By targeting these organizations, attackers can leverage confidential information for their benefit.
It’s tricky to protect your organization against Zero-Day flaws as they are even unknown to the security experts looking to fix them. They could be unidentified threats, unapproved access, or be a new malware like ransomware or any other malicious software.
The anatomy of a Zero-Day Attack
When software developers create and release software, they can unknowingly create a vulnerability attracted by hackers. When the hacker finds the vulnerability:
- They will create a Zero-Day exploit to take advantage of the vulnerability by deploying it using an attack when the code still has the vulnerability.
- Usually, the security researchers and the organization’s security teams discover the vulnerability or detect it because of an attack.
- The security teams don’t have the opportunity to fix it immediately. Therefore, the vulnerability is publicly disclosed, and we are warned against potential threats.
- After the public warning, the antivirus signatures are released. This allows the security vendors to protect against Zero-Day malware.
- Once the organization gets the opportunity to create a fix for the vulnerability, they release security patches.
- Once the patch is deployed and available to everyone, users can update their software.
Indicators of Compromise
IoCs act as forensic evidence to prove a likely intrusion on a host system or the network. These IoC provide security experts and system administrators to detect any attempt of intrusion or any malicious activity. Security experts usually look for the following abnormalities:
- Check for any irregular action in administrator or privileged accounts.
- If there is any unusual traffic flowing in and out of the network
- Check for any unknown files or folders, software, or any running processes in the system.
- Look for abnormal activities like noticing traffic coming from or going to countries that the organization doesn’t work with.
Examples of Zero-Day Attacks
REvil attacked the US-based Kaseya before the 4th of July weekend 2021, holding more than 2000 organizations’ ransom. The ransomware was installed using a malicious patch through Kaseya’s VSA server on 2nd July. This compromised and encrypted thousands of devices in hundreds of companies. The attack was initiated because of an authentication bypass vulnerability.
This vulnerability provided the ransomware attackers the platform to upload the malicious payload into the VSA server that they later executed using SQL injection. This is how the REvil ransomware payload was installed into the systems managed by the compromised VSA server, which started the ransomware portion of the attack.
SonicWall VPN Vulnerability
The SonicWall Network Security Appliance (NSA) devices are widely used as firewalls and SSL VPN portals to filter, control, and allow workers to access internal and private networks. The researchers identified that SonicOS contained a bug in a component that handled custom protocols. SonicOS is the operating system used by SonicWall, which affected its SSL VPN login page.
It created vulnerabilities in multiple versions of the Sonic OS, including Gens 5, 6, and 7. This affected component is exposed on the public network interface, allowing the attacker to exploit it by conducting firewall management admin username enumeration depending on the response received from the server if they have access to the device’s IP. He could also open a backdoor for other malicious actions.
After this incident, nearly 800,000 internet-dependent SonicWall VPN devices were required to be updated and patched for a significant new vulnerability that the company disclosed. To date, this vulnerability is only getting severe as the researchers are discovering more vulnerabilities in the SonicWall VPN. Although there is no evidence of exploiting the zero-day vulnerabilities into the wild, they had released a critical firmware update.
MSRPC Printer Spooler Relay (CVE-2021-1678)
In January 2021, Microsoft released a patch for a significant vulnerability CVE-2021-1678, which CrowdStrike researchers discovered. With the help of this vulnerability, an attacker can relay NTLM authentication sessions to the victim machine and then operate a printer spooler MSRPC interface to execute a code remotely on the remote victim’s PC. The NTLM relay attacks are similar to MITM attacks that allow attackers to illegally intercept authenticated traffic between a client and a server and forward the validated authentication requests to access network services.
Print Spooler is a built-in service provided by Microsoft operating systems. It comes enabled by default and runs within the SYSTEM context. The job of this service is to handle the printing by accepting requests from the computer and managing the printing resources, their availability, and queuing of jobs to be printed. If the attack is successful, it can allow the attacker to run codes on a windows machine remotely or even laterally move on the network and reach critical network objects like domain controllers by repeatedly using the NTLM credentials.
Zerologon is a cryptographic authentication bypass vulnerability found in Microsoft’s Netlogon Remote Process, effortlessly allowing an attack against Microsoft Active Directory domain controllers. Windows RPC (Remote Procedure Call) authenticates users and computers on domain-based networks designed for tasks like holding relationships between members of domains and the domain controller or even between other different domain controllers across one or multiple domains replicating the domain controller database. Zerologon is an attack that allows a hacker to mimic any system, including the root domain controller.
It is a critical privilege escalation vulnerability essential for lateral movement. It is activated by transmitting a string of zeros to the Netlogon protocol; therefore, it is called Zerologon. This flaw allows the attacker residing in the network to use the Netlogon Protocol to elevate the privileges to the domain administrator-level, further allowing the hacker to access the domain, exfiltrate data, disrupt the network, etc. This flaw is harmful to major Windows Server OS.
A recent technique called ‘PetitPotam’ executes an NTLM relay attack that doesn’t depend on the MS-RPRN API. Instead, it uses the EfsRpcOpenFileRaw option present in the MS-EFSRPC API. MS-EFSRPC is the Encrypting File System Remote Protocol in Microsoft that allows maintaining and managing the encrypted data preserved remotely and can be acquired over the network.
This flaw allows the DC to prompt authentication requests when the attacker abuses the MS-EFSRPC and shares its authentication data. This is how the attacker can trigger the NTLM relay attack and acquire all the computers on this network. If the victim’s computer is forced to initiate an authentication process to share its hashed passwords using NTLM. In that case, this attack can be used to target the Windows ADCS (Active Directory Certificate Services) to take over the entire domain.
Stuxnet is one of the famous attacks known in history, which exploited four zero-day vulnerabilities. Stuxnet was the worm that was intended to sabotage the centrifuges at Iran’s nuclear control system. Earlier, the Stuxnet virus contained an executable code that triggered an unknown security flaw in Microsoft Windows. If this infects a computer, it checks if the computer is connected to any particular programmable logic controllers (PLCs) manufactured by Siemens.
How to protect yourself against zero-day attacks
The world has seen enough impactful Zero-Day attacks that have shaken the cybersecurity industry. Although timely patching and avoiding phishing emails are essential, there are certainly more methods to detect and prevent Zero-Days. Signature and behavioral-based Zero-Day detection models are some of the popular forms. Other protection tips an organization should adopt are:
- Consider updating the organization’s infrastructure at regular intervals.
- Practice intensive phishing awareness training.
- Secure all gateways (servers, networks, email, etc.)
- Adopt a multi-layered approach as your security posture.
- Include a network monitoring solution that isn’t signature-based in your infrastructure.
Vulnerability scanning is a security assessment method to detect some zero-day exploits. Cyber Security product vendors usually offer vulnerability scanning solutions that simulate attacks on software, review application code, and attempt to find new vulnerabilities that might have been introduced after a software update.
Nevertheless, this approach is not always efficient in detecting all the zero-day exploits. This is because scanning is not always enough, as the organizations should act upon the scan results by performing code reviews to prevent the exploit. If you see the scenario today, the organizations are slow at responding to discovered threats, giving the attackers a steady opportunity to exploit a zero-day vulnerability.
Patching refers to fixing the software flaw to prevent the attackers from exploiting them, usually by releasing an update. Specific organizations regularly discover numerous vulnerabilities, making it challenging to roll out frequent patches as it is difficult to differentiate between critical and irrelevant vulnerability reports. *Project Zero by Google states that it takes nearly 15 days for an organization to patch a vulnerability. Additionally, the exponential rise in remote work has encouraged RDP usage, download of various applications, and rise in phishing scams, making it difficult for IT admins to remotely secure and maintain IT infrastructure.
Unpatched servers enable attackers to carry out ransomware attacks, install spyware, corrupt and steal organizations’ critical data. In addition, account takeover and setting up watering hole attacks are also typical after Zero-Day attacks. Timely patching keeps systems and software up to date and helps to bring down security risks. Nowadays, most organizations are depending on virtual patching due to its flexibility and to avoid unrequired downtime.
Input validation is a method that has solutions to many deficiencies that were present in vulnerability scanning and patch management. It is flexible, responds to new threats in real-time, and runs by security experts. Deploying a Web Application Firewall (WAF) on the organization’s network is one of the most effective zero-day prevention techniques. It monitors all the incoming traffic and removes malicious inputs that might seem like a threat.
It is not surprising that the Zero-Day vulnerabilities have become an alarming threat to security researchers as they don’t know what such a vulnerability might do into the wild. And it just does not end here, as it paves the way to other cyber threats like ransomware attacks. When such attacks occur on a larger scale, they ruin the company’s reputation and result in loss of data and millions of amount of money. Therefore, it is essential to develop a proactive method to secure your organization from Zero-Day threats.
Dave Gast (CEH/SEC+/ITIL 4/PMP) is an INTRUSION Sr. Threat Researcher & Info/Cyber Security Subject Matter Expert with a 26 year active duty military career and 10 year government contracting consulting role including extensive cyber intelligence and threat analysis.
Ready to get protected?
INTRUSION Shield is affordable for every business, large or small. We price per seat, per month – with no annual contract and no hardware to buy.