Understanding Zero-Day Vulnerabilities in Control Systems: A Growing Threat to Critical Infrastructure
What is a zero-day?
A zero-day (sometimes written 0-day) is a software vulnerability that attackers discover, and often start exploiting, before the vendor becomes aware of it. Because the vendor does not yet know about the flaw, no patch exists, which is why attacks against it are so likely to succeed.
You can think of a zero-day as a flaw in a piece of software (or occasionally hardware) that gives attackers an attack vector known only to them: until defenders learn of it, the exploit can be used without interference.
Typical lifecycle of an attack that uses a zero-day to compromise devices:
A vulnerability or new attack vector is discovered by an attacker.
The capability is weaponized and proven to work.
The zero-day is kept secret and used by cybercriminals or state-sponsored groups.
The vulnerability is discovered by defenders, or the attack is detected in the wild.
The OS vendor or application vendor delivers a patch.
What are zero-day attacks and how do zero-day attacks work?
White-hat security researchers who discover a vulnerability may contact the vendor in confidence so that a patch can be developed before the flaw's existence is widely known. Malicious hackers or state-sponsored hacking groups, on the other hand, want to keep the vulnerability secret so that the vendor remains in the dark and the hole stays open; they write exploit code that takes advantage of it.
Whenever attackers identify a previously unknown vulnerability, they write code that targets that specific flaw and package it into malware. When executed, that code compromises the system.
There are various ways for an attacker to exploit zero-day vulnerabilities. One common tactic is to distribute malware through phishing emails whose attachments or links have the exploit embedded in them; the malicious payload runs when a user opens the attachment or follows the link.
Exploits are sold on the dark web for large sums of money. Once the vulnerability is disclosed and patched, it is no longer referred to as a zero-day.
Zero-day attacks are especially dangerous because the only people who know about them are the attackers themselves. Once they have infiltrated a network, attackers can either strike immediately or wait for the most advantageous moment to do so.
Why zero-day exploits?
A zero-day exploit (also called a zero-day threat) is an attack that takes advantage of a security vulnerability for which no fix is in place; the name refers to the fact that the vendor has had zero days to address it.
Zero-day exploits are a means of taking advantage of a vulnerability that has yet to be patched. Countless systems around the world are breached every year, but the truth is that most of those breaches use holes that are already known to security professionals and for which fixes exist; such attacks succeed largely because of poor security hygiene on the victims' part. Against organizations that are on top of their patching, a zero-day is often the only way in, which is exactly why attackers value them.
Who carries out Zero-day attacks?
Zero-day attackers fall into different categories, depending on their motivation:
Corporate Espionage – Hackers who spy on companies to gain information about them.
Cyber warfare – Countries or political actors spying on or attacking another country’s cyber infrastructure.
Hacktivists – Hackers who are motivated by a political or social cause who want the attack to be visible to draw attention to their cause.
Cybercriminals – Hackers whose motivation is usually financial gain.
Who are the targets for Zero-day exploits?
When attackers are not targeting specific individuals, a large number of people can still be affected by zero-day attacks, usually as collateral damage. Non-targeted attacks aim to capture as many users as possible, meaning that the average user’s data could be affected.
There is a broad range of potential victims:
Individuals who use a vulnerable system such as a web browser or operating system. Attackers can use such vulnerabilities to compromise devices and build large botnets.
Hardware devices, firmware, and the Internet of Things (IoT).
Large Businesses and Organizations.
Individuals with access to valuable business data, such as intellectual property.
Government Agencies.
Political targets and national security assets.
In terms of targeted versus non-targeted zero-day exploits:
a. Targeted zero-day attacks are carried out against potentially valuable targets such as large organizations, government agencies, or high-profile individuals.
b. Non-targeted zero-day attacks are typically waged against users of widely deployed vulnerable systems, such as operating systems or browsers.
Examples of Zero-day attacks from recent years:
In December 2021, Amazon Web Services, Microsoft, Cisco, Google Cloud, and IBM were among the major tech players affected by the Log4j vulnerabilities (Log4Shell) in an open-source Java logging library. Wired reported that the exploit "will continue to wreak havoc across the internet for years to come", and the director of the US Cybersecurity and Infrastructure Security Agency described the flaw as "one of the most serious I've seen in my entire career, if not the most serious".
Earlier in 2021, Google Chrome was hit by a series of zero-day exploits and issued a string of emergency updates, several of them for bugs in the browser's V8 JavaScript engine.
Zoom was targeted in 2020: attackers could remotely access users' PCs if the video-conferencing client was running on an older version of Windows.
Apple's iOS is often described as the most secure of the major smartphone platforms. Nevertheless, in 2020 it fell victim to two sets of zero-day bugs that let attackers compromise iPhones remotely.
In 2019, a zero-day local privilege escalation vulnerability in Microsoft Windows was exploited in attacks on government institutions in Eastern Europe. The exploit abused the flaw to run arbitrary code, install programs, and view or change data on the compromised systems. Once the attack was identified and reported to the Microsoft Security Response Center, a patch was developed and rolled out.
Stuxnet, first discovered in 2010 but with roots reaching back to 2005, was a malicious worm aimed at industrial control systems. Its primary target was Iran's uranium enrichment plants, with the goal of disrupting the country's nuclear program. The worm spread between Windows machines using several Windows zero-days and then tampered with the Siemens software used to program the plant's Programmable Logic Controllers (PLCs), injecting code that made the PLCs drive the centrifuges outside their safe operating range while reporting normal readings to operators.
Detection and Prevention of Zero-day Attacks
Prevention of zero-day attacks
With more than 108 zero-days discovered in the wild over a five-year span (1,825 days), a new zero-day exploit appears in the wild roughly every 17 days on average. Zero-day vulnerabilities and attacks are therefore extremely serious matters, but that does not mean mitigating them is impossible.
There are specific ways to fight such attacks, which can be grouped into two broad categories:
What individual organizations and their IT departments can do to protect their own systems.
What the industry and the security community as a whole can do to make the overall environment safer.
Even when there is no patch available for a specific zero-day vulnerability, tight security practices can still reduce the chance of being compromised. What individual organizations and their IT departments can do:
A. Practice defense in depth: Remember that many breaches are the result of a chain of attacks exploiting multiple vulnerabilities. Keep your patches up to date and your team aware of the practices that can break that chain. Your data center servers may harbour a zero-day vulnerability, for instance, but if an attacker cannot get past your up-to-date firewall or convince your users to open a trojan attached to a phishing email, they have no way to deliver the exploit to that vulnerable system.
B. Keep an eye out for intrusions: Because you might not know the form a zero-day attack will take, you need to keep an eye out for suspicious attack activity of all kinds. Even if an attacker enters your systems through a vulnerability unknown to you, they’ll leave telltale signs as they begin moving across your network and possibly exfiltrating information.
Intrusion detection and prevention systems are designed to spot this kind of activity, and advanced antivirus may similarly flag code as malware based on its behavior, even when it matches no existing signature.
C. Lock down your networks: Any device or server in your company could theoretically be harbouring a zero-day vulnerability, but it is not very likely that all of them do. A network infrastructure that makes it difficult for attackers to move from computer to computer, and easy to isolate compromised systems, limits the damage an attack can do. In particular, segment the network and implement role-based access controls so that an intruder cannot reach your crown jewels easily.
D. Be sure to backup: Despite your best efforts, a zero-day attack may be able to knock some of your systems offline, or damage or erase your data. Frequent backups will ensure that you can bounce back from such worst-case scenarios quickly.
E. Choose your security tooling carefully: Avoid a security solution that simply allowlists code because it comes from a trusted source, since zero-day exploits frequently run inside trusted, signed software. Equally bad are blanket network-wide blocks on tools your team needs in its daily work, which kill productivity. Instead, look for an endpoint security tool that actively monitors for and autonomously responds to chains of anomalous code execution, and that can present contextualized alerts for an entire attack chain.
- What the industry and the wider user community can do to make the overall environment safer:
a. Keep all software and operating systems up to date: Vendors ship security patches for newly identified vulnerabilities in new releases, so staying current closes the known holes that an attacker would otherwise chain with a zero-day.
b. Use only essential applications: The more software you have the more potential vulnerabilities you have. You can reduce the risk to your network by using only the applications needed.
c. Use a firewall: A firewall is a security system that filters incoming and outgoing traffic according to preset security policies. Firewalls sit between trusted and untrusted networks (most often the internet) to protect against threats, block malicious content from reaching the trusted network, and prevent sensitive information from leaving it. They can be implemented in hardware, software, or a combination of both. By filtering traffic, a firewall can block connections aimed at a vulnerable service, cutting off one delivery path for a zero-day exploit.
d. Within the organization, educate users: Many zero-day attacks capitalize on human error. Teaching employees and users good safety and security habits keeps them safe online and protects organizations from zero-day exploits and other digital threats.
How to detect zero-day threats
By definition, zero-day threats are difficult to detect. Several strategies have been developed to make detection decisions easier:
a. Statistics-based detection: Anti-malware vendors keep statistics on the exploits they have previously detected. Using machine learning, a baseline of normal, safe behaviour is derived from this historical data, and deviations from it are flagged in real time. The drawback is that the baseline does not adapt on its own when legitimate patterns change, so new profiles have to be built to account for them.
b. Signature-based detection: This method has been used since the early days of security monitoring. A database of malware signatures (unique values that indicate the presence of a known piece of malicious code) is cross-referenced against local files and downloads when scanning for threats. Its drawback is that signatures can only identify threats that are already known, so this method cannot detect most zero-day threats.
c. Behaviour-based detection: Malicious software follows recognisable procedures as it probes a system, and behaviour-based detection raises alerts when it sees suspicious scanning or traffic on the network. It learns what normal behaviour looks like and attempts to block anything unexpected; on the network side it relies on predicting the flow of traffic.
d. Hybrid detection: A hybrid approach combines all three methods, so that a threat missed by one (a novel payload with no signature, for instance) can still be caught by another.
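To make the trade-offs between these detection strategies concrete, and to illustrate the "chains of anomalous code execution" that the endpoint-tooling advice above refers to, here is an added example in Python. It is not code from the original article or from any vendor's product: all hashes, host names, telemetry events, baselines and thresholds are constructed for illustration, and the weighting in the hybrid score is an assumption rather than any real product's formula.

```python
"""Added example (not from the original article): a toy comparison of the three
zero-day detection strategies, run over constructed endpoint telemetry.
Every hash, host name, event and threshold below is made up."""
from __future__ import annotations

import hashlib
import statistics
from collections import defaultdict

# --- 1. Signature-based: only payloads already in the database are caught -------
KNOWN_BAD_HASHES = {  # constructed: hashes of samples "already analysed"
    hashlib.sha256(b"MZ\x90\x00 old-dropper-v1").hexdigest(),
    hashlib.sha256(b"MZ\x90\x00 old-dropper-v2").hexdigest(),
}
NOVEL_SAMPLE = b"MZ\x90\x00 zero-day-dropper"  # constructed: never seen before


def signature_match(sample: bytes, known: set[str] = KNOWN_BAD_HASHES) -> bool:
    """True only if this exact sample has been analysed and signed before."""
    return hashlib.sha256(sample).hexdigest() in known


# --- 2. Behaviour-based: judge what the code does, not what it is ----------------
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed telemetry: (time_s, host, process, parent, action, detail)
EVENTS = [
    (0, "ws01", "winword.exe", "explorer.exe", "open", "invoice.docx"),
    (2, "ws01", "powershell.exe", "winword.exe", "spawn", "-nop -w hidden -enc AAAA"),
    (5, "ws01", "powershell.exe", "winword.exe", "connect", "10.0.0.11:445"),
    (6, "ws01", "powershell.exe", "winword.exe", "connect", "10.0.0.12:445"),
    (7, "ws01", "powershell.exe", "winword.exe", "connect", "10.0.0.13:445"),
    (8, "ws01", "powershell.exe", "winword.exe", "connect", "10.0.0.14:445"),
    (9, "ws01", "powershell.exe", "winword.exe", "connect", "10.0.0.15:445"),
    (40, "ws02", "chrome.exe", "explorer.exe", "connect", "203.0.113.10:443"),
]


def behaviour_alerts(events, scan_threshold: int = 5, window_s: int = 60):
    """Flag suspicious sequences: office app -> script host, and internal fan-out.

    The novel dropper has no signature, but the chain it produces looks the
    same as every macro-based intrusion before it.
    """
    alerts, fired = [], set()
    seen = defaultdict(list)  # (host, process) -> [(time, destination ip)]
    for t, host, proc, parent, action, detail in events:
        if action == "spawn" and parent in OFFICE_APPS and proc in SCRIPT_HOSTS:
            alerts.append((host, f"{parent} spawned {proc}"))
        elif action == "connect":
            seen[(host, proc)].append((t, detail.rsplit(":", 1)[0]))
            recent = {ip for ts, ip in seen[(host, proc)] if t - ts <= window_s}
            if len(recent) >= scan_threshold and (host, proc) not in fired:
                fired.add((host, proc))  # alert once per process, not per packet
                alerts.append((host, f"{proc} reached {len(recent)} hosts in {window_s}s"))
    return alerts


# --- 3. Statistics-based: a learned baseline, brittle when behaviour shifts ------
BASELINE = {"ws01": [12, 15, 11, 14, 13], "ws02": [40, 42, 38, 41, 39]}  # daily counts
TODAY = {"ws01": 60, "ws02": 41, "ws03": 500}  # ws03 is new and has no history


def statistical_outliers(baseline, today, z_threshold: float = 3.0):
    """Return hosts whose count today sits more than z_threshold sigmas above history."""
    out = []
    for host, count in today.items():
        history = baseline.get(host, [])
        if len(history) < 2:
            continue  # no profile yet: the blind spot the text warns about (ws03 is missed)
        mu, sd = statistics.mean(history), statistics.pstdev(history) or 1.0
        z = (count - mu) / sd
        if z > z_threshold:
            out.append((host, round(z, 1)))
    return out


# --- 4. Hybrid: a miss by one method is covered by another ------------------------
def hybrid_verdict(sample: bytes, events, baseline, today):
    """Crude weighted score; the weights are an assumption, not a vendor's formula."""
    findings = {
        "signature": signature_match(sample),
        "behaviour": behaviour_alerts(events),
        "statistics": statistical_outliers(baseline, today),
    }
    score = 3 * int(findings["signature"]) + len(findings["behaviour"]) + len(findings["statistics"])
    return score, findings


if __name__ == "__main__":
    score, findings = hybrid_verdict(NOVEL_SAMPLE, EVENTS, BASELINE, TODAY)
    print(f"signature hit: {findings['signature']}")  # False: the payload is new
    for host, why in findings["behaviour"] + findings["statistics"]:
        print(f"{host}: {why}")
    print(f"hybrid score: {score}")
```

Run as a script, the signature check returns False for the novel dropper, the behaviour rules produce two alerts for ws01 (the Word-to-PowerShell spawn and the five-host fan-out), and the statistical baseline flags ws01's jump in outbound connections but says nothing about ws03, which has no history yet. That last gap is the weakness the text attributes to statistics-based detection, and the reason the hybrid approach leans on the behaviour rules as well.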
Wrapping up: If there is one thing to learn from the past years of zero-day exploits, it is that zero-days are a constant, and you need a coordinated strategy to deal with them. Make sure you can detect, patch, and defend against any attacker trying to leverage one against your network.