Zero-Day attacks have become a weapon of choice for bad actors over the past several years. But what does the term mean, and how has the tactic evolved into such a prevalent threat?
What Is a Zero-Day Attack?
The term “Zero-Day” (sometimes “Never Before Seen”) refers to the fact that when such a vulnerability is discovered being exploited, the vendor and the defenders relying on it have had zero days to fix it: no patch exists yet. Often, attackers have been taking advantage of the flaw for some time before anyone else learns of it.
It’s a good idea to develop an understanding of a few terms related to Zero-Day attacks:
- Zero-Day vulnerabilities are security flaws unknown to the vendor, so no patch exists; they may be found by attackers, by researchers or by the vendor itself
- Zero-Day exploits are the code or technique used to take advantage of such a vulnerability
- Zero-Day attacks use those exploits to breach systems, whether to sabotage an organization or to steal data
How Bad Actors Perform Zero-Day Attacks
While attacks vary in their specifics, this broad series of events typically takes place:
- Attackers find vulnerabilities themselves, through code review, reverse engineering or fuzzing tools built for the purpose, or they buy them on so-called Zero-Day markets.
- Attackers build an exploit, and often malware around it, to take advantage of the vulnerability.
- Attackers often deploy bots or automated scanners to identify systems running the affected software.
- In targeted attacks against specific organizations, attackers might spend time identifying the best way into the vulnerable systems. Non-targeted attacks usually rely on bots or large-scale phishing campaigns to hit as many vulnerable systems as possible.
- Attackers deliver the exploit and gain a foothold, getting past defenses that depend on knowing the vulnerability in advance: signature-based tools have nothing to match against.
- With code running on a compromised machine, attackers move on to their objective, whether persistence, lateral movement, sabotage or data theft.
A Brief History of Zero-Day Attacks
The best-known early example is Stuxnet, often referred to as the world’s first cyber weapon. Discovered in 2010, the Stuxnet malware exploited several previously unknown Windows vulnerabilities to spread and to reach the systems controlling the centrifuges at Iran’s Natanz uranium enrichment facility.
Stuxnet modified the programmable logic controllers driving the centrifuges, repeatedly changing their rotational speed until the machines were damaged. Throughout the attack it replayed normal readings to the operators’ monitoring systems, so nothing appeared abnormal.
Today the attack is widely attributed to the United States and Israel, and Stuxnet is labeled an early example of “cyberwarfare.”
While Zero-Day exploits “in the wild” were still rare when Stuxnet surfaced, they gradually became more commonplace. Figures cited from the Trend Micro Zero Day Initiative put the count at nearly 400 new vulnerabilities in the first half of 2018, up from eight in 2016 and 49 in 2017, and the Initiative predicted that a new Zero-Day would be discovered every day by the end of 2021.
According to the Ponemon Institute’s 2020 endpoint security research, around 80 percent of successful breaches surveyed were new or unknown “Zero-Day” attacks.
The Top 5 Zero-Day Attacks of the 21st Century
The incidents below are among the largest breaches of the century. Note that, as described, several of them involved large-scale scraping through public interfaces or intrusions that went undetected for years, rather than a confirmed exploit of an unpatched vulnerability; what they share with Zero-Day attacks is that existing defenses did not recognize them until the damage was done.
Yahoo (August 2013)
Though eight years have passed since the 2013 Yahoo breach, the incident remains one of the most prominent to date. In 2016 Yahoo disclosed that a hacking group had accessed more than 1 billion accounts, a figure revised in 2017 to all 3 billion. The news broke while Verizon was in the midst of acquiring Yahoo; Yahoo accepted a reduced price, acknowledging the severity of the breach.
Alibaba (November 2019)
Some 1.1 billion records of customer data were scraped from Taobao, Alibaba’s Chinese retail website, by a developer using crawler software. The scraping ran, completely undetected, for eight months.
LinkedIn (June 2021)
In June 2021 LinkedIn reported that data on about 700 million users, more than 90 percent of its user base, had been scraped by abusing the site’s API. The actor has publicly released a data set of around 500 million records while offering the full 700 million for sale.
The UK’s National Cyber Security Centre warns that the type of data taken, including email addresses, phone numbers, geolocation records, genders and other social media details, could be used by bad actors to craft alarmingly credible social engineering attacks.
Facebook (April 2019)
Information on more than 530 million Facebook users, including phone numbers, account names and Facebook IDs, was posted on a public hacking forum in April 2021. The data had been scraped in 2019 through a flaw in the contact importer feature, which Facebook says it fixed in August 2019.
Marriott International (September 2018)
Up to 500 million guests with accounts at Marriott’s Starwood subsidiary had sensitive data exposed; the figure was later revised to roughly 383 million. The intrusion, discovered in September 2018 and disclosed that November, dated back to 2014: attackers had been inside Starwood’s guest reservation database for four years, copying guest names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and communication preferences.
The attackers were also able to access encrypted payment card numbers and expiration dates. The New York Times later reported that a Chinese intelligence group was behind the attack.
Zero-Day Protection with MixMode
Because MixMode monitors network traffic with its “third-wave” AI to identify anomalies in real time, a Zero-Day attack can be detected while it is happening, even though no signature for the exploit exists yet. Given the nature of the largest incidents above, where intrusions ran for months or years before discovery, that is a significant advantage. MixMode builds a constantly evolving baseline of normal network conditions and flags deviations from it, so the platform can surface an intruder before catastrophic damage is done.
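To make the baseline idea concrete, here is an added illustration (not MixMode’s code, and not a description of its models) of signature-free detection: a per-host behavioural baseline is learned from flow summaries, later observations far outside it are flagged, and a never-before-seen peer is flagged as well. The flow format, the EWMA weight, the warm-up length, the 4-sigma band and the 5 percent deviation floor are all assumptions chosen for the example, and the flow records are constructed, not real telemetry.

```python
"""Baseline-and-deviation detector over constructed per-interval flow summaries.

Added example, not MixMode code. Input tuples are (interval, host, dst, bytes_out);
all thresholds below are assumed values for illustration.
"""
import math
from dataclasses import dataclass, field


@dataclass
class HostBaseline:
    """Exponentially weighted running mean/variance of bytes_out, plus peers seen."""
    alpha: float = 0.3            # weight of the newest observation (assumed)
    n: int = 0
    mean: float = 0.0
    var: float = 0.0
    peers: set = field(default_factory=set)

    def update(self, x: float, dst: str) -> None:
        if self.n == 0:
            self.mean = x
        else:
            diff = x - self.mean
            # Standard EWMA variance update, then EWMA mean update.
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
            self.mean += self.alpha * diff
        self.n += 1
        self.peers.add(dst)

    def upper_bound(self, k: float, rel_floor: float) -> float:
        # Floor the deviation so a perfectly steady host does not alert on any change.
        std = max(math.sqrt(self.var), rel_floor * self.mean)
        return self.mean + k * std


def detect(flows, warmup=5, k=4.0, rel_floor=0.05):
    """Return [(interval, host, [reasons])] for flows that deviate from the host's baseline.

    The first `warmup` observations per host are absorbed without alerting. Flagged
    flows are NOT folded into the baseline, so one burst cannot stretch the band to
    hide the next one (the trade-off: a flagged peer keeps alerting until triaged).
    """
    baselines = {}
    alerts = []
    for interval, host, dst, bytes_out in flows:
        b = baselines.setdefault(host, HostBaseline())
        reasons = []
        if b.n >= warmup:
            bound = b.upper_bound(k, rel_floor)
            if bytes_out > bound:
                reasons.append(f"bytes_out {bytes_out} exceeds baseline bound {bound:.0f}")
            if dst not in b.peers:
                reasons.append(f"first connection to {dst}")
        if reasons:
            alerts.append((interval, host, reasons))
        else:
            b.update(bytes_out, dst)
    return alerts


# Constructed sample: a web host with steady ~50 KB/interval to an internal peer,
# then a sudden 40 MB transfer to an external address, then back to normal.
SAMPLE_FLOWS = [
    (1, "web-01", "10.0.0.5", 48_000),
    (2, "web-01", "10.0.0.5", 52_000),
    (3, "web-01", "10.0.0.5", 50_000),
    (4, "web-01", "10.0.0.5", 47_000),
    (5, "web-01", "10.0.0.5", 51_000),
    (6, "web-01", "10.0.0.5", 49_000),
    (7, "web-01", "203.0.113.9", 40_000_000),   # bulk transfer to an unseen external host
    (8, "web-01", "10.0.0.5", 50_000),
]

if __name__ == "__main__":
    for interval, host, reasons in detect(SAMPLE_FLOWS):
        print(f"interval {interval} host {host}: " + "; ".join(reasons))
```

Only interval 7 is reported, for two independent reasons (volume and a new peer). Two limits worth knowing: a low-and-slow transfer that stays inside the band to an already-known peer trips nothing, which is why volume alone is a weak signal, and the deviation floor is what keeps a host with perfectly constant traffic from alerting on every trivial change.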