“Zero-Day” Definition
The term “Zero-Day” is used when security teams are unaware of a vulnerability in their software and have had “0” days to work on a security patch or an update to fix the issue. “Zero-Day” is commonly associated with the terms Vulnerability, Exploit, and Threat. It is important to understand the difference:
- A Zero-Day Vulnerability is an unknown security vulnerability or software flaw that a threat actor can target with malicious code.
- A Zero-Day Exploit is the technique or tactic a malicious actor uses to leverage the vulnerability to attack a system.
- A Zero-Day Attack occurs when a hacker releases malware to exploit the software vulnerability before the software developer has patched the flaw.
Zero-Day Examples
Below are just a few known vulnerabilities that were discovered over the past couple of years:
Kaseya Attack
On Friday, July 2, REvil ransomware operators managed to compromise Kaseya VSA software, which is used to monitor and manage Kaseya customers’ infrastructure. The operators used zero-day vulnerabilities to deliver a malicious update, compromising fewer than 60 Kaseya customers and 1,500 downstream companies, according to Kaseya’s public statement.
SonicWall VPN Vulnerability
On Feb. 4, 2021, SonicWall’s Product Security Incident Response Team (PSIRT) announced a new zero-day vulnerability, CVE-2021-20016, that affects its SMA (Secure Mobile Access) devices. Within the documentation, SonicWall stated this new vulnerability affects the SMA 100 series product, and updates are required for versions running 10.x firmware. SonicWall did not state if or how this newest exploit affects any older SRA VPN devices still in production environments.
MSRPC Printer Spooler Relay (CVE-2021-1678)
On Patch Tuesday, January 12, 2021, Microsoft released a patch for CVE-2021-1678, an important vulnerability discovered by CrowdStrike® researchers. This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine.
Zerologon
On August 11, 2020, Microsoft released a security update including a patch for a critical vulnerability in the NETLOGON protocol (CVE-2020-1472) discovered by Secura researchers. Since no initial technical details were published, the CVE in the security update failed to receive much attention, even though it received a maximum CVSS score of 10.
This vulnerability allows an unauthenticated attacker with network access to a domain controller to establish a vulnerable Netlogon session and eventually gain domain administrator privileges. The vulnerability is especially severe since the only requirement for a successful exploit is the ability to establish a connection with a domain controller.
NTLM Vulnerability
On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt (now CrowdStrike) researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.
These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS. All Windows versions to which this patch has not been applied are vulnerable.
Stuxnet
One of the most well-known zero-day attacks is Stuxnet, the worm believed to be responsible for causing considerable damage to Iran’s nuclear program. This worm exploited four different zero-day vulnerabilities in the Microsoft Windows operating system.
Protect Against Zero-day Attacks
These are the best ways to protect against Zero-Day Attacks:
Patch Management
Patch management is the process of identifying and deploying software updates, or “patches,” to a variety of endpoints, including computers, mobile devices, and servers.
A “patch” is a specific change or set of updates provided by software developers to fix known security vulnerabilities or technical issues. Patches can also include the addition of new features and functions to the application. It’s important to note that patches are typically short-term solutions intended to be used until the next full software release. An effective patch management process will consider the following elements:
- Reviewing security patch releases
- Prioritizing patching efforts based on the severity of the vulnerability
- Testing patch compatibility and installing multiple patches across all affected endpoints
A timely and effective patch management strategy is extremely important to network security because patch releases are based on known vulnerabilities. As such, the risk of using outdated software becomes even greater as adversaries can more easily identify and exploit weaknesses within systems.
Vulnerability Management
Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems. Typically, a security team will leverage a vulnerability management tool to detect vulnerabilities and utilize different processes to patch or remediate them.
A strong vulnerability management program uses threat intelligence and knowledge of IT and business operations to prioritize risks and address vulnerabilities as quickly as possible.
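The prioritization described in the Patch Management and Vulnerability Management sections, as an added example that is not CrowdStrike's code or product logic: findings are ranked by severity, threat intelligence and business context, and each gets a remediation due date. The tier rules, SLA windows, asset names and placeholder CVE entries are assumptions constructed for illustration; only CVE-2020-1472, its CVSS score of 10 and its August 11, 2020 date come from this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days per tier (assumed policy values, not from the page).
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # base severity, 0.0 to 10.0
    exploited: bool        # threat intel: exploitation observed in the wild
    asset: str
    criticality: int       # business weight of the asset: 1 (low) to 3 (critical)
    internet_facing: bool
    published: date        # date the patch was released

def tier(f: Finding) -> str:
    """Combine severity, threat intel and business context into a priority tier."""
    if f.exploited and (f.criticality == 3 or f.internet_facing):
        return "P1"
    if f.exploited or (f.cvss >= 9.0 and f.criticality >= 2):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"

def plan(findings):
    """Return (tier, due_date, finding) rows, most urgent first."""
    rows = [(tier(f), f.published + timedelta(days=SLA_DAYS[tier(f)]), f)
            for f in findings]
    return sorted(rows, key=lambda r: (r[0], r[1], -r[2].cvss))

def overdue(findings, today: date):
    """CVEs whose remediation window has already closed."""
    return [f.cve for _, due, f in plan(findings) if due < today]

# Constructed inventory. The placeholder IDs are not real CVEs; the exploited
# flags, asset names and criticality values are assumptions.
SAMPLE = [
    Finding("CVE-2020-1472", 10.0, False, "dc01", 3, False, date(2020, 8, 11)),
    Finding("CVE-PLACEHOLDER-A", 7.5, True, "vpn-gw", 2, True, date(2020, 8, 10)),
    Finding("CVE-PLACEHOLDER-B", 9.8, False, "test-vm", 1, False, date(2020, 8, 1)),
    Finding("CVE-PLACEHOLDER-C", 5.3, False, "kiosk", 1, False, date(2020, 8, 5)),
]

if __name__ == "__main__":
    for t, due, f in plan(SAMPLE):
        print(f"{t}  due {due}  {f.cve:<18} cvss={f.cvss:<4} asset={f.asset}")
    print("overdue on 2020-08-20:", overdue(SAMPLE, date(2020, 8, 20)))
```

Under these rules the CVSS 10 finding on a domain controller lands in the second tier even with no exploitation intel, while an actively exploited 7.5 on an internet-facing gateway outranks an unexploited 9.8 on a low-value test machine.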
Use a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a security device designed to protect organizations at the application level by filtering, monitoring and analyzing hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) traffic between the web application and the internet.
A WAF acts as a reverse proxy, shielding the application from malicious requests before they reach the user or web application. Part of a comprehensive cybersecurity strategy, a WAF helps protect the organization from a variety of application layer attacks beyond Zero-Day attacks, including Cross Site Scripting (XSS), SQL injection, and Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks.
CrowdStrike’s Solution to Zero-Day Vulnerabilities
To effectively detect and mitigate zero-day attacks, a coordinated defense is needed — one that includes both prevention technology and a thorough response plan in the event of an attack. Organizations can prepare for these stealthy and damaging events by deploying a complete endpoint security solution that combines technologies including next-gen antivirus (NGAV), endpoint detection and response (EDR) and threat intelligence.
To optimize defense, organizations should implement the best prevention technology at the point of attack, while also having a plan for worst-case scenarios. Then, if an attacker is successful in getting into the network, the security team will have the tools, processes and technology in place to mitigate the event before real damage is done.
CrowdStrike Falcon® Spotlight leverages CrowdStrike’s single management platform and lightweight agent to provide organizations with access to vulnerability assessment information. The sensor provides real-time results on protected Windows, Linux and Mac systems, with no time-consuming, impactful system scans and no requirement for any network hardware.