Zero-day exploits — or 0days, in hacker-speak — allow attackers to quietly access a network or software. Due to their scarcity and the high stakes attached to high-value targets like Apple or banks, these bugs are often sold on the Dark Web for thousands of dollars.
This cheat sheet is routinely updated with the latest information about the fundamentals of how zero-day exploits work, who secret vulnerabilities affect and how to learn more about code exploits and hacking.
SEE: Explore TechRepublic’s cheat sheets and smart person’s guides.
What are zero-day exploits?
Zero-day exploits are code vulnerabilities and loopholes that are unknown to software vendors, security researchers and the public. Examples of well-known zero-days are Stuxnet, the MOVEit Transfer vulnerability and zero-day exploits targeting the Chrome browser and Android.
The term “zero day” originates from the time remaining for a software vendor to patch buggy code. With zero days — or 0 hours — to respond, developers are vulnerable to attack and have no time to patch the code and block the hole. One bug can give hackers enough access to explore and map internal networks, exfiltrate valuable data and find other attack vectors.
SEE: Discover the latest cybersecurity predictions for tech leaders in 2023.
Zero-day exploits are access points for malware and can take many forms: Stuxnet, the most well-known zero-day exploit, targeted programmable logic controllers that regulated centrifuges used by Iran’s nuclear program. The zero-day SQL injection MoveIT vulnerability targeted organizations in North America. And a commercial surveillance company sells zero-day exploits to government-backed actors who aim them at Android devices.
Because zero-days inherently violate user and corporate privacy, and in some cases the law, the use of these exploits is hotly debated by law enforcement, hackers and developers. In an attempt to reduce the number of critical exploits in the market, Google and other large tech companies offer bug bounty programs that provide cash incentives to individuals who locate, document and disclose loopholes.
Gray and white hat hackers, and many tech companies, follow the Rain Forest Puppy (RFP) policy, unofficial guidance that stipulates vendors should have at least five working days to respond before a bug is disclosed to the public. To avoid association with unscrupulous hackers, many private cybersecurity firms, hacking teams and government organizations adhere to RFP and similar policies.
Why do zero-days matter?
Zero-day exploits frequently result in material harm, cost companies millions of dollars and expose consumers to cyber threats.
Where developers and vendors see risk, entrepreneurial hackers and other malefactors see opportunity. Zero-days matter because they imperil the public, business and government, and because they’re worth a considerable amount of money on the Dark Web.
SEE: Keep your organization prepared with this security awareness and training policy from TechRepublic Premium.
Identified in 2010 by security researcher Sergey Ulasen, the Stuxnet worm was allegedly developed in partnership between Israeli and American intelligence services and targeted Iran’s Natanz facility. The worm exploited zero-days on Siemens industrial control systems and caused centrifuges to spin at higher speeds and break down. American cyber-experts estimated that the cyberattack set Iranian nuclear ambition back by three to five years.
Stuxnet remains the best-known zero-day and opened a new chapter in modern cyberwar that portends a dystopian future where cyberattacks against physical infrastructure kill and cause billions in damage.
“Zero-day threats lurk and proliferate every day [on the Dark Web],” said Joe Saunders, CEO of RunSafe Security, in an interview with TechRepublic. “Over time patches can be implemented, but often severe economic damage is perpetrated.”
SEE: Discover how IT budgets can fill cybersecurity moats.
Saunders continued: “The unknown unknown is the [hardware] supply chain threat. Imagine a cheap component or chip inserted into a mobile device that creates a backdoor for a nation state to exfiltrate data from every consumer’s phone. These threats are very difficult to detect as they may be embedded in standard code. Our best security experts need to assist our largest manufacturers, telecommunications, power plants and other physical infrastructure that relies on code.”
Left unsupervised, old code on infected hardware could result in a “disastrous kinetic event,” Saunders said.
Who do zero-day exploits affect?
The public, companies ranging from small and midsize businesses to large enterprises, activists and journalists, NGOs and nonprofits, and government organizations are all vulnerable to potential harm posed by zero-days.
All code has bugs. Zero-days are exploitable in bugs and inherently coupled with software. As mobile and IoT devices proliferate, so too does the exploit risk associated with software that controls important physical infrastructure, safeguards financial systems and is used by billions of consumers daily.
SEE: Learn more about zero-day attacks and what they say about the traditional security model.
“SMBs are vulnerable to [zero-day] attacks because they are often seen as a conduit to a larger ecosystem,” Saunders said.
“SMBs may have weaker defenses than a large organization, so if their devices are connected to cloud services offered by large solution providers, their data is exposed and vulnerable. Often, SMBs don’t have sophisticated security measures. They need to rely on solution providers and engage ones who help them protect their data. Startups often are targets of stolen intellectual property as they are seen as cutting-edge and innovative.”
The more devices employed by a company, Saunders explained, the more threat vectors open up to hackers.
“I can’t name the site I use, but I think that most hackers would use the same [site],” said the Russian hacker known as KapustKiy.
“I hack for political reasons,” he said in translated, broken English, “but I make money sometimes from selling hacks.” He might use Zerodium, or one of the dozens of bug bounty and zero-day acquisition markets that sell zero-day exploits starting at $10,000 to $100,000 and up.
French hacker x0rz said it’s true that “a vulnerability can be sold for $100,000,” but overhead costs remain high “because it can take one or two years to reverse engineer and find an exploitable bug.”
“It’s hard work,” he said. That means that small hacking teams and individual hackers are unlikely to discover a bug.
SEE: Explore these tips to help cybersecurity pros protect their organizations.
“Zero-days come from entities that can have the time and energy to find [the bugs],” he said. “Yes, zero-days can be quite dangerous. And expensive to the companies. But they almost always come from government, not from [individual hackers].”
When are zero-day exploits happening?
Zero-days are a top concern for all major enterprise companies and particularly for large software companies like Google and Apple. Zero-days are a profit engine for hackers and help governments hack other governments.
In 2015, zero-days were discovered at a rate of about one per week, and the discovery rate doubled each year, according to security firm Symantec. A white paper by FireEye Security corroborated the Symantec study, estimating that zero-days have grown at about 115% each year.
Due to the high overhead cost of human discovery of zero-days, expect artificial intelligence and machine learning to change the exploit landscape soon, Saunders said. “If you think about artificial intelligence and other innovations, you realize that large scale cyber warfare could be played out without human intervention,” he said.
“What if automated bots that take over devices globally are both offensive and defensive in nature? Imagine a self-healing army of bots employing artificial intelligence to discard code designed to stop them, and then resuming their offensive attacks. If you let yourself go there, you can see that the Cyber War is the new Cold War.”
How can I learn more about zero-day exploits?
The best way to learn about modern zero-day exploits is by reading contemporary news on trusted sites like TechRepublic. To learn about the history of zero-day bugs, read Kim Zetter’s authoritative book “Countdown to Zero Day.”
The zero-day ecosystem is evolving quickly and touches every market. From business technology to consumer and hard news, TechRepublic provides up-to-the-second updates on the latest exploits.
To help you better understand the history of zero-days, and the economic forces that motivate governments and hackers, Fred Kaplan’s “Dark Territory” explores zero-day exploits inside the cyberwar ecosystem. Additionally, Alex Gibney’s documentary about Stuxnet is essential viewing for all cybersecurity professionals.
For more dedicated training and certification, check out The Complete Ethical Hacking Bootcamp 2023 and the 2023 Complete Cyber Security Ethical Hacking Certification Bundle from TechRepublic Academy.