Zero-Day Threats: Vulnerability, Exploit, and Attack (With Examples)


A zero-day threat is an attack that exploits a security vulnerability not yet known to the software vendor or to defenders. Attackers discover and exploit the flaw before the vendor is aware of it, so no patch exists and systems stay exposed for the whole of that window.

It is called zero-day because that is how much time the developer or organization has had to fix the problem when it is first exploited: zero days.

The term "zero-day" (or "0day") is often used interchangeably with "vulnerability," "exploit," and "attack," but the three mean different things:

  • Zero-day vulnerability: A security flaw that is unknown to the vendor and to defenders, usually the result of an unintentional programming error or an insecure configuration. It can remain undetected for days, months, or even years.
  • Zero-day exploit: Code or a technique that triggers the vulnerability to compromise a system. Ideally, security researchers find the flaw first and report it so it can be fixed; if attackers find it first, they turn it into a working exploit.
  • Zero-day attack: The use of a zero-day exploit against a target, for example to deliver malware or ransomware, while no fix is yet available.

The Zero-Day Lifecycle

The zero-day lifecycle typically starts with the release of the software, when it becomes available to the public. No software is completely secure; even the world's most sophisticated software is only secure to a certain degree. And even now, as you read this, someone (an ethical hacker or a malicious attacker) might be trying to find a new vulnerability in your favourite app or operating system.

When hackers discover a zero-day vulnerability, it gives the software vendor zero days to fix it. It becomes a race against time: will the vendor find and patch the vulnerability before it's exploited on a larger scale, or will hackers exploit this vulnerability before anyone else even knows about it?

Attackers who discover a flaw may circulate or sell it within their circles (including on deep web and dark web forums), and researchers sometimes learn of a zero-day by monitoring that activity. Some vendors keep a reported vulnerability quiet until a patch is ready, but this is risky too: if attackers find the same flaw independently in the meantime, customers are left not only vulnerable but uninformed, and the vendor is left highly accountable.


Examples of zero-day attacks

A zero-day threat can strike any organization at any time, often without them realizing. Notable examples of high-profile zero-day attacks include:

Stuxnet

Stuxnet was a highly sophisticated computer worm that exploited four zero-day vulnerabilities in Microsoft Windows. It became public in 2010 when it was discovered to have sabotaged Iran's uranium-enrichment program.

Once inside the enrichment facility's networks, the worm reprogrammed the Siemens programmable logic controllers (PLCs) that drove the centrifuges, pushing them to abnormal rotation speeds while reporting normal readings to operators. The abnormal speeds wore the machines out and destroyed them. In total, Stuxnet is reported to have infected more than 20,000 devices across 14 Iranian facilities and damaged over 1,000 centrifuges.

iOS Bypass Kernel Security

In March 2024, Apple released emergency security updates for two zero-day vulnerabilities that were being actively exploited against iPhones. The flaws were in the iOS kernel and in RTKit, the real-time operating system that runs on Apple's coprocessors. In Apple's own description, an attacker who already had arbitrary kernel read and write capability could use them to bypass kernel memory protections.

The kernel mediates every operating-system operation and every interaction with hardware, so a flaw that lets an attacker defeat its memory protections turns a memory-corruption bug into full control of the device: code execution at the highest privilege level and access to all user data.

2022 Chrome attacks

In February 2022, Google pushed an emergency Chrome update to fix a zero-day vulnerability that was already being exploited, the first Chrome zero-day patched that year. Google's Threat Analysis Group later attributed the exploitation to two North Korean government-backed groups. The attackers used phishing emails, including fake job offers, to lure victims to attacker-controlled or compromised websites, where the exploit installed spyware and remote-access malware. Although the vulnerability was quickly patched, the attackers cleaned up after themselves carefully, and researchers could not determine what data was stolen.


How to Protect Against Zero-Day Threats

Zero-day threats are especially dangerous because, by definition, there is no patch and no signature for them yet: defenses built on known indicators have nothing to match against, so the attack is highly likely to succeed. This is the nightmare scenario for security managers.

However, there are several ways to make detection easier and mitigation faster.

Patch management

Once zero-day attacks begin, a patch usually follows within days, because the vendor can use information from the attacks to identify and fix the flaw. But attackers can often build exploits faster than security teams can develop and roll out patches.

By one set of figures reported by Help Net Security, 56% of the vulnerabilities studied were exploited within seven days of public disclosure, with a median time to exploitation of just one day in 2022. Research from Unit 42 points the same way. The lesson is that the window between disclosure and exploitation is now measured in days, so the time between a patch being released and it being deployed must be, too.

Organizations therefore need a strategy for deploying patches for newly disclosed vulnerabilities as soon as they are available. Zero-day attacks themselves cannot be prevented by patching, but quickly applying patches and upgrades sharply reduces the window in which a disclosed flaw can be used against you.

However, factors like vendor response time, patch development, and organizational neglect can delay patch deployment. These can be overcome with a formal patch management program. Such an initiative can help security teams stay abreast of these critical patches, streamlining patch deployment and minimizing the window of vulnerability for potential exploitation.

Web Application Firewall (WAF)

One effective way to mitigate zero-day attacks, especially before a patch is available, is to deploy a web application firewall (WAF) at the network edge. A WAF inspects HTTP requests and responses against a set of security rules and blocks inputs that match known-bad patterns, or that fall outside what the application should ever receive. Once the shape of an in-the-wild exploit is known, a WAF rule (a "virtual patch") can block it within hours, buying time until the vendor fix is tested and deployed.

A WAF complements, rather than replaces, the conventional firewall. Network firewalls sit between trusted and untrusted networks and filter traffic by address, port and protocol; a WAF understands the application layer and can reason about URLs, parameters and headers. Both can be implemented in hardware, software, or a combination. Two caveats apply to virtual patching: a rule written for one exploit variant can often be evaded by another, so it is a stopgap, not a fix; and rules should carry an expiry or a ticket reference so they are reviewed once the real patch has landed.
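The virtual-patching idea above, as an added example (this is not Siemba's code or any WAF product's rule language). It models a tiny edge filter: an ordered list of rules, each with an optional expiry, evaluated before the request reaches the application. The endpoint /report/export, its "template" parameter and the rule identifiers are hypothetical placeholders, not a real vulnerability; the point is that the interim rule allow-lists what the parameter should look like instead of trying to enumerate attacks.

```python
"""Minimal virtual-patch layer in front of a web application.

Added example, not code from the original article or from any WAF product.
The endpoint, parameter and rule ids are hypothetical placeholders.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    rule_id: str
    description: str
    matches: Callable[[Request], bool]
    expires: Optional[float] = None  # epoch seconds; None means permanent


def _query(req: Request) -> Dict[str, List[str]]:
    return parse_qs(urlsplit(req.url).query, keep_blank_values=True)


# Hypothetical scenario: the vendor has confirmed that crafted values of the
# "template" parameter on /report/export are being exploited and the fix ships
# in the next release. Until then, allow only plain identifiers.
SAFE_TEMPLATE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def template_param_abuse(req: Request) -> bool:
    if urlsplit(req.url).path != "/report/export":
        return False
    values = _query(req).get("template", [])
    return any(not SAFE_TEMPLATE.fullmatch(v) for v in values)


def oversized_header(req: Request) -> bool:
    # Generic hygiene rule: nothing legitimate in this app sends 8 KiB headers.
    return any(len(v) > 8192 for v in req.headers.values())


RULES: List[Rule] = [
    # Virtual patch: expires in 30 days so it is revisited once the vendor fix lands.
    Rule("VP-2024-001", "virtual patch: template parameter on /report/export",
         template_param_abuse, expires=time.time() + 30 * 86400),
    Rule("GEN-001", "oversized request header", oversized_header),
]


def evaluate(req: Request, rules: List[Rule] = RULES,
             now: Optional[float] = None) -> Optional[str]:
    """Return the id of the first matching, unexpired rule, or None to allow."""
    now = time.time() if now is None else now
    for rule in rules:
        if rule.expires is not None and now > rule.expires:
            continue  # expired virtual patch: the real fix should be in place by now
        if rule.matches(req):
            return rule.rule_id
    return None


def handle(req: Request, app: Callable[[Request], str], **kw) -> str:
    """Front the application with the rule set; blocked requests never reach it."""
    hit = evaluate(req, **kw)
    if hit:
        return f"403 blocked by {hit}"
    return app(req)


if __name__ == "__main__":
    backend = lambda r: "200 OK"
    print(handle(Request("GET", "/report/export?template=monthly"), backend))
    print(handle(Request("GET", "/report/export?template=a b/c"), backend))
```

Note what the rule does not do: it does not try to recognise the exploit itself. Describing the one legitimate shape of the parameter is both simpler and harder to evade than chasing payload variants, which is why allow-list virtual patches age better than signature ones.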

Vulnerability management

Vulnerability management is the continuous process of discovering, prioritizing, and resolving security weaknesses across an organization's IT infrastructure and software. Automated scanners find known, already-disclosed issues and missing patches; manual penetration testing is what can surface previously unknown flaws in an organization's own code before attackers do.

A vulnerability management platform is a good first step toward visibility into the persistent classes of web application weakness, such as injection flaws, broken authentication and session management, and sensitive data exposure. Its value depends on prioritization: a finding that is internet-facing and already being exploited in the wild should be fixed in days, while an internal, low-severity one can wait for the normal patch cycle.
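The prioritization logic that both the patch management and vulnerability management sections above call for, as an added example (not Siemba's code, and not any scanner's output format). It takes a constructed host inventory and a constructed advisory feed, decides which hosts are affected by comparing installed versions against the fixed version, assigns a remediation deadline driven first by exploitation evidence and only then by exposure and CVSS, and reports what is overdue. Advisory ids, product names, hostnames, dates and SLA numbers are placeholders to replace with your own scanner export, vendor feed and policy.

```python
"""Patch and vulnerability prioritisation: which hosts to fix first, and by when.

Added example, not code from the original article. Advisory ids (ADV-...),
products, hosts, dates and SLA numbers are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed id, not a real CVE
    product: str
    fixed_version: str
    disclosed: date
    exploited_in_wild: bool
    cvss: float


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class WorkItem:
    host: str
    advisory_id: str
    due: date
    overdue_days: int


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions compare correctly as tuples ("4.10.0" > "4.9.9").
    return tuple(int(p) for p in v.split("."))


def is_affected(host: Host, adv: Advisory) -> bool:
    return (host.product == adv.product
            and parse_version(host.version) < parse_version(adv.fixed_version))


def sla_days(adv: Advisory, host: Host) -> int:
    """Policy: exploitation evidence outranks CVSS, exposure outranks everything else."""
    if adv.exploited_in_wild:
        return 2        # median time-to-exploit after disclosure is about a day
    if host.internet_facing and adv.cvss >= 7.0:
        return 7
    return 30


def plan(hosts: List[Host], advisories: List[Advisory], today: date) -> List[WorkItem]:
    items = []
    for adv in advisories:
        for h in hosts:
            if is_affected(h, adv):
                due = adv.disclosed + timedelta(days=sla_days(adv, h))
                items.append(WorkItem(h.name, adv.advisory_id, due,
                                      max(0, (today - due).days)))
    # Most overdue first, then earliest deadline, then hostname for stable output.
    return sorted(items, key=lambda w: (-w.overdue_days, w.due, w.host))


# Constructed sample data (not real advisories or hosts).
ADVISORIES = [
    Advisory("ADV-2024-001", "webfront", "4.2.1", date(2024, 3, 1), True, 8.8),
    Advisory("ADV-2024-002", "webfront", "4.3.0", date(2024, 3, 10), False, 7.5),
    Advisory("ADV-2024-003", "ldapd", "2.9.4", date(2024, 2, 20), False, 5.3),
]
HOSTS = [
    Host("edge-01", "webfront", "4.2.0", internet_facing=True),
    Host("intranet-02", "webfront", "4.2.1", internet_facing=False),
    Host("dir-01", "ldapd", "2.9.1", internet_facing=False),
]
TODAY = date(2024, 3, 12)  # fixed "today" so the sample output is reproducible


def demo_plan() -> List[WorkItem]:
    return plan(HOSTS, ADVISORIES, TODAY)


if __name__ == "__main__":
    for w in demo_plan():
        print(f"{w.host:12} {w.advisory_id}  due {w.due}  overdue {w.overdue_days}d")
```

With the sample data, edge-01 comes out nine days overdue for the exploited advisory even though a newer advisory for the same product has a higher fixed version: the host is not patched past 4.2.1, and the in-the-wild flag, not the CVSS score, is what set the two-day deadline.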

Input validation or data validation

Input validation, or data validation, is a core defensive measure against a wide range of attacks. It means checking every value that enters a system against what the application actually expects: the right type, length, character set and range, and no fields the application did not ask for. Validation should be allow-list based (describe what is permitted and reject everything else) rather than deny-list based (strip or reject patterns known to be bad), because a deny-list only describes attacks that have already been seen and is routinely bypassed by encoding or nesting tricks.

A penetration test, which normally includes input validation testing, shows how the system actually behaves when fed malformed or hostile input. Even a fully patched system remains exposed if its own input handling is weak, since an attacker who can get unexpected data into a parser or a query has the raw material for a new zero-day in your code. Strict validation removes much of that raw material, preventing malicious code execution and unauthorized actions.
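The deny-list versus allow-list contrast above, as an added example (not Siemba's code). The weak function is the kind of "sanitiser" that strips a few known-bad tokens; one nesting trick reassembles the very token it removed. The hardened validator instead declares, per field, the exact type, pattern, length and range that are acceptable and rejects anything else, including unexpected fields. The field names and rules form a constructed schema for an imaginary form, not a real application.

```python
"""Input validation: a deny-list 'sanitiser' beside an allow-list validator.

Added example, not code from the original article. The schema is a constructed
placeholder for an imaginary order form.
"""
import re
from typing import Any, Dict

# --- Weak: remove things that look bad and pass everything else through ---
BAD_TOKENS = ("<script", "javascript:", "onerror=")


def sanitize_weak(value: str) -> str:
    out = value
    for token in BAD_TOKENS:
        out = out.replace(token, "")
    # Single pass, case-sensitive, no decoding: "<scr<scriptipt>" comes out as
    # "<script>", so the filter reassembles what it tried to remove.
    return out


# --- Hardened: declare what is allowed, reject everything else ---
class ValidationError(ValueError):
    pass


SCHEMA: Dict[str, Dict[str, Any]] = {
    "username": {"type": str, "pattern": re.compile(r"^[a-z][a-z0-9_]{2,31}$")},
    "quantity": {"type": int, "min": 1, "max": 1000},
    "note":     {"type": str, "max_len": 200, "pattern": re.compile(r"^[\w .,!?'-]*$")},
}


def validate(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy containing only schema fields with acceptable values, or raise."""
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean: Dict[str, Any] = {}
    for name, rule in SCHEMA.items():
        if name not in payload:
            raise ValidationError(f"missing field: {name}")
        value = payload[name]
        # Exact type check: bool is a subclass of int, so isinstance() would let True
        # through as a quantity of 1.
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if isinstance(value, str):
            if len(value) > rule.get("max_len", 10**6):
                raise ValidationError(f"{name}: too long")
            if not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: disallowed characters")
        else:
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


def is_valid(payload: Dict[str, Any]) -> bool:
    try:
        validate(payload)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(sanitize_weak("<scr<scriptipt>alert(1)</script>"))
    print(is_valid({"username": "alice", "quantity": 5, "note": "gift wrap"}))
    print(is_valid({"username": "alice", "quantity": 5, "note": "<script>"}))
```

The hardened version never looks for "<script" at all. Because the note field only admits word characters and basic punctuation, and the username only lowercase identifiers, an attacker has no channel for markup, quotes or path separators regardless of how they are encoded or nested.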

Zero day initiative

Coordinated-disclosure programs, such as vendor bug bounties and third-party programs like Trend Micro's Zero Day Initiative, pay security researchers to report vulnerabilities responsibly rather than selling them on the gray or black market. They sustain a community of researchers who look for software flaws before malicious actors can exploit them.

Organizations also offer bug bounty programs on third-party platforms to compensate individuals for reporting vulnerabilities. This approach is often more effective due to its wider reach, higher rewards, and streamlined reporting processes.

Threat intelligence feeds

A less common but valuable source of early warning is threat intelligence. Security researchers who track attacker infrastructure, malware samples and criminal forums are often the first to notice a new zero-day being used, well before a vendor advisory exists. Organizations that monitor those sources can put interim mitigations in place (tighter firewall or WAF rules, disabled features, extra logging on the affected component) before exploitation becomes widespread.

Staying informed about the latest risks in the threat landscape is essential for preventing zero-day attacks. This proactive approach also involves educating employees about safe online practices and ensuring proper configuration of security settings for browsers and systems.

Siemba’s Solution to Zero-Day Vulnerabilities

Effectively detecting and mitigating zero-day threats requires a multi-layered defense strategy that combines preventive technologies with a robust incident response plan.

Organizations can prepare for these stealthy and damaging events through penetration testing. Penetration tests are designed to simulate what a real attacker could do, not merely catalog a list of known vulnerabilities.

You first have to adopt the mindset that your web applications can be exploited, whether through unintended use or malicious intent. And even with all the security tools, vendor patches, and layered security available, a vulnerability will inevitably be found and exploited in at least one of your applications.

Siemba provides automated and manual penetration testing delivered via a cutting-edge PTaaS platform to help detect security vulnerabilities in web applications while they are running—taking an outsider's perspective to find possible entry points that an attacker might exploit. Our platform interacts with the application through the front end, testing applications in their running state, and is thus uniquely suited to mimicking the actions of a potential attacker.

The PenTesting Center of Excellence at Siemba combines tooling with hands-on expertise to find vulnerabilities in your applications before an attacker does. You can get in touch with our engineers to discuss any questions or concerns that arise during the testing process, and you receive daily reports on your penetration testing progress, so everyone is always in the loop.

Are you interested in safeguarding your web applications against the possibility of a zero-day threat? Or do you have a need for manual penetration testing overall? Contact Siemba today for a free consultation.

Kannan Udayarajan

Founder & CEO, Siemba
