Zero Trust Exploits

Zero Day Exploits in business software - How to Prepare for, React to and Prevent Disaster

In this article, we look at Zero Day Exploits - cyber attacks that target software vulnerabilities that are unknown to the software or antivirus vendors.

What is a Zero Day Exploit?

A Zero Day Exploit refers to a technique or approach employed by malicious actors to target systems that possess an unidentified vulnerability.

Zero day exploits or attacks are called ‘zero day’ or ‘0day’ because the targeted organization or the software vendor literally has zero days to prepare and defend against the attack. The zero day vulnerability is unknown to the software developer or vendor, meaning that no mitigation or patch is available at the time the vulnerability is exploited, exposed, or made public, making it difficult to defend against when the attack takes place. 

Operating systems, web browsers, applications, and any other software or hardware can all have zero day vulnerabilities. Before the software vendor is aware of the defect and provides a patch or update to fix it, a zero day exploit could take place: attackers who identify such vulnerabilities can develop and deploy malware to exploit them.

To mitigate the risk of zero day attacks, organizations need to apply a multi-faceted approach, combining security measures such as intrusion detection and prevention systems, network monitoring, regular patching, and user awareness training to minimize the impact of potential zero day attacks.

Understanding Zero Day Exploits

  • Weaknesses in developed code that the vendor does not yet know about are known as zero day vulnerabilities.
  • Zero day exploits use malware and viruses to take advantage of these vulnerabilities.
  • If hackers take advantage of a zero day exploit, they may launch a zero day attack and compromise the system before a patch has been created or applied.
  • While known malware is usually blocked by anti-virus software, zero day malware is new, so no signature for it exists yet and it may evade detection.

Examples of Zero Day Exploits

  • MOVEit Transfer. MOVEit Transfer is a managed file transfer (MFT) solution that allows an organization to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. This vulnerability was announced on May 31, 2023 and has been assigned CVE-2023-34362 with a critical score of 9.8.

CVE (Common Vulnerabilities and Exposures) Scoring Explained: The severity of vulnerabilities identified in software systems is quantified and ranked using the CVE (Common Vulnerabilities and Exposures) method. The scoring system provides a standardized and reliable method to assess the potential impact of a vulnerability. The scoring is based on the Common Vulnerability Scoring System (CVSS), which is the industry-standard framework for vulnerability assessment. It takes into account a variety of factors, such as the attack vector, user interaction, or exploit maturity. A CVSS score can be between zero and 10, with 10 being the most severe.

Multiple organizations have been compromised and their data stolen, although it is unknown when the exploitation took place and which threat actors are responsible for the attacks.

  • SolarWinds. This critical zero day vulnerability was used by attackers to deliver malware, dubbed Supernova, to take control of affected systems in a major attack on software provider SolarWinds.

SolarWinds’ Orion system provides centralized monitoring across an organization’s entire IT stack. Orion is used by 33,000 customers, among them US government agencies and major private corporations. The vulnerability could allow an attacker to bypass authentication and execute API commands, which may potentially result in a compromise of the SolarWinds instance. This vulnerability has been assigned CVE-2020-10148 with a critical score of 9.8.

  • Microsoft’s Netlogon process. Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for a hacker to impersonate any computer, including the root domain controller. 

Microsoft released a security update including a patch for a critical vulnerability in the NETLOGON protocol (CVE-2020-1472) discovered by Secura researchers. Despite having a maximum CVSS score of 10, the CVE in the security update attracted little attention because no initial technical details were made public.

Keeping your Organization out of the Line of Fire - Zero Day Threat Mitigation

Preventing zero day attacks entirely is challenging since they exploit unknown vulnerabilities. However, preparation is possible through several proactive and defensive measures to minimize the risk and protect systems.

Best Practices for protection against Zero Day Exploits:

1. Every organization should have a patch management strategy. Check the vendor's communication around this topic - website updates, emails etc. Are there security patches to install that fix the error?

The use of an automated patch management solution is recommended for larger organizations. Automated solutions source patches from vendors, identify systems that require updates, test patch-related changes, and deploy the patch to production without the need for human intervention.

2. Check which business processes the software is used for and implement a strong data backup system. A secure data backup system ensures that an organization is likely to recover from attacks more quickly. Additionally, it raises the likelihood that the organization will avoid severe cyber damage.

3. Evaluate the sensitivity of the data involved in business processes. Protecting sensitive data is of paramount importance to prevent unauthorized access, data breaches, and privacy violations. Essential practices for safeguarding sensitive data include:

  • Encryption - Implement strong encryption methods to protect sensitive data both at rest (stored on devices or servers) and in transit (during communication).
  • Access Control - Implement strict access controls to limit data access to authorized individuals only. Use strong passwords, multi-factor authentication, and role-based access control (RBAC) to ensure that only authorized personnel can access sensitive data.
  • Data Classification - Classify your data based on its sensitivity level and consider a Zero Trust approach. Categorize data into different tiers (e.g., public, internal, confidential) and apply appropriate security controls based on the classification. This helps focus security efforts on the most critical data.
  • Regular data backups - Perform regular backups of sensitive data and store backups in secure locations. This ensures that data can be recovered in case of accidental loss, hardware failure, or a security incident.
  • Employee training and awareness - Train employees on data security best practices, such as avoiding phishing emails, using strong passwords, and recognizing social engineering attempts. Regularly update employees on emerging threats and provide ongoing security awareness training.

4. Check whether you need to inform your customers, stakeholders and partners. Data breaches can be very expensive for both businesses and individuals, both in terms of direct costs (remediation, investigation, etc.) and indirect costs (reputational damages, emotional damage). The General Data Protection Regulation (GDPR), which applies to all organizations within the EU or doing business with EU customers, lays out rules and criteria both for notification and compensation requirements, as do other regulatory frameworks.

5. Switch to a secure alternative. Once a vendor learns about a zero day vulnerability, releasing a timely patch becomes a priority given the risk of zero day exploits. The threat of software vulnerabilities remains large, particularly for firms that rely on mission-critical applications and handle sensitive information.

A technology vendor must make two decisions for patching when it becomes aware of a zero day vulnerability in any of its products. First, based on a risk assessment of the vulnerability, a vendor ranks the vulnerabilities and prioritizes the patch development process. Second, based on the initial assessment, a vendor determines whether to accelerate the patch release time and schedules a release date. 

If your organization is uncertain as to whether your vendor is able to release timely patches, is difficult to contact, or does not communicate appropriately, consider switching to an alternative.

6. Prepare your infrastructure with encryption and hardware security for your keys. Encryption keys are vital for securing sensitive data, and protecting them requires both proper encryption practices and robust hardware security. 

Store encryption keys in secure locations. Consider hardware-based key storage options such as Hardware Security Modules (HSMs). These dedicated hardware devices provide secure key storage and perform cryptographic operations, keeping the keys isolated and protected from unauthorized access.

7. Ensure cryptographic agility. Due to the accelerated development of cryptographic technology and the necessity to address new threats and weaknesses, crypto agility has become more crucial than ever. It involves designing systems and applications in a way that allows for the seamless replacement or upgrade of cryptographic algorithms or protocols without causing significant disruptions to operations. By implementing crypto agility, organizations can proactively address potential cryptographic vulnerabilities, adapt to changing security requirements, and maintain the confidentiality, integrity, and availability of their sensitive data and communications.
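One way to design for the crypto agility described in step 7, as an added example that is not from the original article or from any vendor product: every protected record carries the identifier of the algorithm that produced it, and a policy object decides which algorithm is used for new data and which older ones are still accepted. The identifiers, the `Policy` class and the `alg$tag` token format are assumptions made for this illustration, which uses HMAC integrity tags from the Python standard library.

```python
import hashlib
import hmac

# Registry: stable algorithm identifiers -> implementations (hypothetical names).
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}

class Policy:
    """Which algorithm protects new data, and which are still accepted."""
    def __init__(self, current, accepted=()):
        unknown = ({current} | set(accepted)) - ALGORITHMS.keys()
        if unknown:
            raise ValueError(f"unknown algorithms: {sorted(unknown)}")
        self.current = current
        self.accepted = set(accepted) | {current}

def protect(key, data, policy):
    """Tag data with the current algorithm and record which one was used."""
    tag = hmac.new(key, data, ALGORITHMS[policy.current]).hexdigest()
    return f"{policy.current}${tag}"

def verify(key, data, token, policy):
    """Return (valid, needs_upgrade) for a token produced by protect()."""
    alg, sep, tag = token.partition("$")
    if not sep or alg not in policy.accepted:
        return (False, False)  # unknown or retired algorithm: reject outright
    expected = hmac.new(key, data, ALGORITHMS[alg]).hexdigest()
    valid = hmac.compare_digest(expected.encode(), tag.encode())
    return (valid, valid and alg != policy.current)

def demo():
    """Walk one record through a migration from hmac-sha1 to hmac-sha256."""
    key = b"constructed-demo-key"  # constructed; a real key would stay in an HSM
    record = b"customer-id=1001"   # constructed sample record
    legacy = protect(key, record, Policy("hmac-sha1"))
    migrating = Policy("hmac-sha256", accepted=["hmac-sha1"])
    during = verify(key, record, legacy, migrating)   # valid, flagged for upgrade
    upgraded = protect(key, record, migrating)        # re-protected record
    retired = Policy("hmac-sha256")                   # hmac-sha1 no longer accepted
    return (during,
            verify(key, record, legacy, retired),
            verify(key, record, upgraded, retired))
```

Swapping algorithms is then a policy change plus a background re-protection pass over records flagged `needs_upgrade`, with no change to the calling code.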

With Zero Trust, the concept of a "safe network" is eliminated, and strong identity verification needs to be implemented along with data encryption to ensure confidentiality. Zero Trust relies on the use of cryptographic keys to maintain the security level of identity management and data encryption. 

Zero Trust is a proven strategy for mitigating the risk of Zero Day exploits and the damage associated with them. Short of preventing Zero Day attacks - a contradiction in terms - it is the best way to ensure business resilience.


For more information on Zero Trust security, see our series of articles.

Utimaco’s security solutions enable organizations to implement robust Zero Trust Architectures.

About the authors

Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. Working internationally across EMEA has inspired her interest in cross-border digital identity and cyber security, including the interoperable requirements that necessitate successful delivery of digital product and market solutions.

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.
