What are Zero-day vulnerabilities? Optimal protection strategies against Zero-day vulnerabilities

What is a Zero-day Vulnerability?

A Zero-day vulnerability refers to a security flaw that is not yet known to the software developer and has no available patch to address it. As a result, attackers can exploit this vulnerability to infiltrate systems, conduct attacks, and take control of the systems.

Zero-day vulnerabilities can exist in various environments, including:

• Computer software and hardware
• Mobile applications
• Enterprise internet systems
• Websites
• Cloud platforms

Typically, when a Zero-day vulnerability is discovered, the product provider will release a security patch to protect users. However, in practice, users rarely update their software to the latest version immediately. This creates a dangerous scenario, making Zero-day vulnerabilities a significant threat that can cause substantial damage to both businesses and individuals.

Targets and Trends of Zero-day Attacks

Zero-day vulnerability exploited by year (2019 - 2023)

Google's report has recorded a significant increase in Zero-day vulnerabilities exploited in 2023, reaching up to 97 vulnerabilities. This represents a more than 50% increase compared to the previous year (62 vulnerabilities in 2022). Regarding attack targets, these vulnerabilities can be divided into two main categories:

• Platforms and products for end users: Examples include mobile devices, operating systems, browsers, and other applications.
• Enterprise Technologies: Examples include devices, security software, cloud services, CRM, ERP, CMS, and other enterprise technologies.

1) Platforms and products for end users

Zero-day vulnerabilities in end-user platforms (2022, 2023)

Platforms and products used daily by end users, including mobile devices, operating systems, browsers, and other applications, have recorded a total of 61 Zero-day vulnerabilities. Notable trends in Zero-day attack targets within these platforms and products include:

• Efforts by software providers: Software providers are investing in enhancing product security, which helps reduce the risk of attackers infiltrating and conducting malicious activities. As a result, attackers are forced to find new vulnerabilities or adjust their attack tactics to adapt to the enhanced security measures.
• Focus on exploiting vulnerabilities in Third-party components and libraries: Since these vulnerabilities affect multiple products, they offer greater benefits to attackers. An attacker only needs one vulnerability to exploit and attack multiple products, rather than developing multiple separate vulnerabilities.

The overall situation of Zero-day vulnerabilities in software platforms in 2023 is quite concerning, with the exception of macOS and Chrome, which have shown improvements. Here are the specific trends:

• Android: The number of Zero-day vulnerabilities has increased compared to 2022, with most related to Local Privilege Escalation (LPE).
• iOS: The number of vulnerabilities has decreased compared to 2022, but there are still vulnerabilities targeting iPhones and iPads.
• Windows: The number of Zero-day vulnerabilities has increased, focusing on LPE and Security Boundary Bypass.
• Browsers: The number of vulnerabilities has decreased, mainly related to JavaScript Exploitation (JSE) and LPE.

In addition to popular platforms, several other applications have also been targeted by Zero-day attacks, including WinRAR, Adobe Reader, Microsoft Word, and Microsoft Outlook.

2) Enterprise Technologies

The year 2023 witnessed a surge in the exploitation of Zero-day vulnerabilities targeting Enterprise Technologies, with a total of 36 vulnerabilities recorded. Security software, in particular, has become a highly attractive target due to its position at the network perimeter, high-level access, and extensive reach. This makes it a prime target for attackers. By exploiting Zero-day vulnerabilities in security software, attackers can easily penetrate enterprise networks and carry out further malicious actions.

Key trends in Zero-day attack targets within Enterprise Technologies include:

• Diversification of attack targets: Attackers are exploiting Zero-day vulnerabilities across various enterprise technologies, not just limiting their focus to browser-based and document-based exploits.
• Increased attacks on security software/devices: There has been a significant rise in Zero-day vulnerabilities targeting security software and devices, such as Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, and Trend Micro Apex One.
• Increased attacks on multiple vendors: Instead of focusing on a few major vendors, attackers are now targeting a broader range of vendors and enterprise products. For instance, Ivanti and North Grid Corporation each reported three vulnerabilities in 2023.

These trends indicate that the threat from Zero-day vulnerabilities remains severe, necessitating heightened vigilance from businesses and individuals to ensure cybersecurity.

How the Zero-day vulnerability market works

In reality, not only hackers exploit Zero-day vulnerabilities to conduct attacks, but national intelligence agencies and even software developers are also interested in these vulnerabilities for their own purposes. According to a report from the Center for International Security and Cooperation at the Freeman Spogli Institute for International Studies (Stanford University), the market for buying and selling Zero-day vulnerabilities is divided into three main segments:

1. White Market

The White Market is a legitimate and transparent ecosystem where security researchers can sell Zero-day vulnerabilities to companies or organizations for patching before attackers can exploit them. This market plays a crucial role in enhancing cybersecurity and encouraging the development of the security community.

Transaction forms:

• Third-party vulnerability purchase programs: Organizations like ZDI (Zero Day Initiative) and VCP (Vulnerability Coordination Program) buy vulnerabilities from researchers and then notify the affected companies to patch the flaws.
• Company-sponsored bug bounty programs: Companies such as Facebook and Google run their own programs to reward researchers for identifying vulnerabilities in their products (e.g., Facebook Bug Bounty, Google Vulnerability Reward Program).
• Government vulnerability submission programs: Some countries have programs to receive vulnerability information from security researchers (e.g., U.S.-CERT).

Benefits:

• Encourages responsible vulnerability reporting: Security researchers are rewarded for providing vulnerabilities, helping companies quickly patch issues and reduce the risk of attacks.
• Helps companies fix issues quickly: Early detection and patching of vulnerabilities help minimize financial, data, and reputational damage for businesses.
• Generates income for security researchers: The White Market offers opportunities for researchers to earn money by providing vulnerabilities.

2. Black Market

The Black Market operates as an underground network where illegal transactions occur, posing significant risks and threats to cybersecurity.

• Anonymity: Buyers and sellers can conceal their identities, minimizing the risk of being detected by authorities.
• Wide accessibility: This market offers a vast supply of Zero-day vulnerabilities, including undisclosed ones, providing ample opportunities for malicious attacks.
• Flexibility: Buyers can choose to purchase individual vulnerabilities or comprehensive service packages that include exploits, attack tools, and technical support to meet all illicit needs.

Transaction forms:

• Online Stores: Emerging platforms mimic e-commerce websites, allowing buyers to browse and purchase vulnerabilities anonymously.
• Online Forums: Anonymous forums are used to post vulnerability listings, exchange information, and conduct transactions.
• Email: Direct communication between buyers and sellers to discuss transaction details.
• Chat Rooms: Provide a quick communication platform to negotiate and complete transactions.

Impacts:

• Exploitation of Zero-day vulnerabilities: Attackers can use Zero-day vulnerabilities to infiltrate computer systems, steal sensitive data, and cause financial and reputational damage to organizations.
• Increase in cybercrime: The trade of Zero-day vulnerabilities on the Black Market fuels cybercrime, posing dangers to the cybersecurity of individuals, organizations, and nations.
• Challenges for security: The buying and selling of Zero-day vulnerabilities make it more difficult to patch vulnerabilities, as organizations cannot detect and address flaws before they are exploited.

3. Gray Market

The Gray Market for Zero-day vulnerabilities involves transactions between vulnerability sellers and government agencies or private companies. Although legal, this market still has negative impacts on cybersecurity. Governments are typical customers of this market, and transactions are often facilitated through brokers.

Examples of Companies and Individuals in the Gray Market: Grugq, Netragard, Exodus Intelligence, Endgame, Errata Security, Vupen, ReVuln, Arc4dia

Transaction forms:

• Direct sales: Sellers can directly sell vulnerabilities to potential customers such as governments or private companies.
• Through brokers: Brokers specialize in finding and providing information about vulnerabilities to clients, earning a commission from the transaction.

Benefits:

• Provides government agencies and organizations with the ability to quickly patch vulnerabilities and protect their systems from attacks.
• Helps cybersecurity researchers earn income from their work.

Impacts:

• Creates the risk of abuse, such as selling vulnerabilities to cybercriminal groups.
• Makes patching vulnerabilities more difficult, as software vendors may not be aware of vulnerabilities that have been sold to third parties.
• Contributes to the creation of an underground market where sensitive information can be bought and sold.

The Zero-day vulnerability market reflects the increasing demand for cybersecurity in the digital era. Understanding the different market segments and transaction activities helps organizations become more aware of risks and proactively protect their systems and data from dangerous cyberattacks.

Why Zero-day vulnerabilities are dangerous

Zero-day vulnerabilities pose a significant threat to cybersecurity for the following reasons:

Immediate exploitation

When a Zero-day vulnerability is discovered, hackers can exploit it immediately before the software vendor has time to issue a patch. This provides attackers with the opportunity to infiltrate systems and conduct malicious activities quickly, without interference from standard security measures.

Difficulty in detection

Because these vulnerabilities are previously unknown, detecting Zero-day exploits is particularly challenging. Traditional detection tools and techniques may not identify these new attack patterns, enabling hackers to operate covertly and effectively.

Wide-reaching impact

Without existing patches or security measures to counteract them, Zero-day vulnerabilities can result in extensive attacks that affect critical systems and services, from businesses to national infrastructure.

High value on the underground market

Zero-day vulnerabilities are highly valuable commodities on both the black market and gray market, where they are traded and used for criminal or intelligence purposes. Organizations might spend significant amounts to acquire these vulnerabilities for use in espionage or security operations.

Long-term consequences

Once a Zero-day vulnerability is exploited, the impact can be widespread and enduring, affecting multiple systems and services. Even after the vulnerability is patched, the resulting damage can persist in the system for an extended period.

To effectively mitigate against Zero-day attacks, organizations need to proactively implement measures to prevent, detect, and respond to these threats, including:

1. Regular system and software updates

• Manage and deploy patches: Establish an effective patch management process to ensure all systems and software are updated to the latest versions, including security patches to address Zero-day vulnerabilities.
• Automate updates: Utilize automation tools to automatically update software and systems, minimizing the risk of forgetting or delaying updates.

2. Implement monitoring and detection

• Use real-time monitoring systems: Machine learning technology has brought about intelligent monitoring solutions, allowing for the detection and alerting of suspicious activities or threats in real-time. By using machine learning, security systems can automatically identify and respond to Zero-day attacks, effectively protecting servers, workstations, and enterprise systems from these threats efficiently and automatically.
• Conduct regular security assessments: Perform regular security assessments and security control checks to identify and remediate security vulnerabilities, including Zero-day vulnerabilities.

3. Utilize firewalls and signature databases

• Firewall: Firewalls are a crucial tool in preventing attacks from outside the system. Carefully installing and configuring firewalls helps prevent Zero-day vulnerabilities by controlling network traffic and filtering out packets that may carry malicious code.
• Signature Database: The signature database contains information about known expressions of malicious software. Antivirus software and security solutions use this database to detect and block new malicious patterns, including Zero-day attacks.

Today, Zero-day attacks are not only a latent risk but also a significant challenge for businesses worldwide. To cope with this threat, VNETWORK introduces the comprehensive security platform VNIS, designed to protect enterprises against increasingly sophisticated and unpredictable Zero-day attacks.

With a mission to ensure the safety and data protection of its customers, the VNIS platform combines the latest advanced technologies and deep expertise in security, including:

VNIS comprehensive security model

• Application of advanced technologies such as AI and Machine Learning into the system to monitor, detect, and alert on suspicious activities or threats in real-time, optimizing protection for enterprise systems.

• Multi WAF system, featuring multiple Cloud WAF clusters globally, ready to leverage dense cloud infrastructure to rapidly isolate threats when website traffic spikes. Accompanied by a Scrubbing center system to analyze and remove suspicious traffic, helping coordinate the activities of Cloud WAF clusters in multiple countries and more effectively combat attacks.

• A team of SOC experts always ready to respond to cybersecurity attacks 24/7, ensuring the safety of enterprise systems and minimizing damage when Zero-day attacks occur.

• VNIS solution is designed with a user-friendly and intuitive management interface, enabling businesses to deploy quickly and easily. This allows enterprises to easily track the origin, nature, and scale of attacks through detailed threat logs, facilitating adjustments to security rules more appropriately.

With the comprehensive security platform VNIS by VNETWORK, businesses can confidently focus on developing their operations knowing that their systems are fully protected against all potential attack risks. For detailed consultation and pricing, please contact VNETWORK at the following information:

• Hotline: +84 (028) 7306 8789
• Email: contact@vnetwork.vn