
A zero-day (0-day) vulnerability is a security flaw in a piece of software for which no patch or mitigation yet exists to stop cybercriminals from exploiting it. A zero-day attack happens when threat actors use such a new, unpatched vulnerability to break into a system.

Zero-day vulnerabilities can be very dangerous, especially when found in a program or device used by many systems. Antivirus and firewall software cannot typically recognise or prevent a zero-day attack; hackers use this to their advantage and try to target vulnerable systems as quickly as possible. Most attacks occur after an exploit for the vulnerability has been made public. Depending on the type of vulnerability, hackers will create malware that lets them exploit it on a mass scale. Studies have shown that after zero-day vulnerabilities are disclosed, the number of malware variants exploiting them increases up to 83,000 times!

The public disclosure of a zero-day vulnerability is often not the first time the flaw has been seen or exploited. Cyber security researchers Leyla Bilge and Tudor Dumitraș have identified seven stages of a zero-day attack:

  1. The vulnerability is introduced – An update to a device or software unknowingly containing vulnerable code takes place. It can be months or even years before the vulnerability is discovered.
  2. The vulnerability is discovered in the wild – This is typically either found by malicious hackers looking to exploit the vulnerability for personal gain or by Ethical Hackers researching possible weaknesses in highly-used software. Many tech companies have ‘bug bounty’ programs that reward people who find and report new vulnerabilities. 
  3. The vendor discovers the vulnerability –  If malicious hackers have first found the vulnerability, the vendor may not discover it for many months while it is being exploited in the wild.
  4. The vendor publicly discloses the vulnerability – This is often done through security advisories published on the vendor’s website.
  5. Antivirus signatures released – Data relating to how the vulnerability can be exploited is used by antivirus companies to help detect and prevent these attacks.
  6. A patch for the vulnerability is released – The vendor has been able to identify and fix the code that allows for an exploit to occur in their software.
  7. Patch deployment completed 

Nowadays, many vendors will try to release the vulnerability’s public disclosure alongside the patch’s release. Depending on the vendor and the vulnerability, they may refrain from releasing detailed information on how the exploit takes place, as it could lead to hackers taking advantage of the vulnerability before users have a chance to update their systems.

Zero-day vulnerabilities can have lasting effects on technology. For example, the Log4j vulnerability is still present on many millions of devices and is still actively exploited by threat actors, even though a patch was released soon after the vulnerability was publicly disclosed.

How to Protect Yourself and Your Organisation Against Zero-Day Vulnerabilities

Due to the nature of zero-day vulnerabilities, it is challenging to prevent them before they happen. However, it is possible to detect unusual and malicious activity within your organisation’s network that could indicate a threat actor is attempting to gain access to or already has compromised a device within your system.

Signs that a hacker has successfully compromised your network include:

  • There is unusual network activity, such as a large number of files being downloaded or accessed across your network.
  • There are unusual or malicious IP addresses connected to your systems at strange times (such as in the middle of the night).
  • Odd applications and executables are running, especially ones you don’t typically use and that are not part of your operating system.
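As an added illustration (not code from the original article), the following script checks constructed connection and process log records for the three warning signs listed above. The log format, the internal address range, the baseline process list and the thresholds are all assumptions chosen for the demonstration; a real deployment would take them from your own network baseline.

```python
# Added example (not from the original article): flag the three indicators of
# compromise described above over a handful of constructed log records.
from datetime import datetime
from collections import defaultdict

# Constructed sample records: timestamp, source IP, bytes transferred, process name
SAMPLE_LOGS = [
    "2024-03-01T10:15:00 10.0.0.5 120000 outlook.exe",
    "2024-03-01T02:47:00 203.0.113.9 5000000 svc_tmp.exe",
    "2024-03-01T02:51:00 203.0.113.9 7000000 svc_tmp.exe",
    "2024-03-01T14:02:00 10.0.0.7 80000 chrome.exe",
    "2024-03-01T03:10:00 10.0.0.7 9000000 chrome.exe",
]

KNOWN_NETWORKS = ("10.0.0.",)                                    # assumed internal range
KNOWN_PROCESSES = {"outlook.exe", "chrome.exe", "explorer.exe"}  # assumed baseline
BULK_TRANSFER_BYTES = 10_000_000                                 # assumed per-host threshold
OFF_HOURS = range(0, 6)                                          # 00:00-05:59 is "middle of the night"

def parse(line):
    """Split one constructed log record into its typed fields."""
    ts, ip, nbytes, proc = line.split()
    return datetime.fromisoformat(ts), ip, int(nbytes), proc

def find_indicators(lines):
    """Return a sorted list of (indicator, detail) pairs found in the log lines."""
    findings = set()
    bytes_per_host = defaultdict(int)
    for line in lines:
        ts, ip, nbytes, proc = parse(line)
        bytes_per_host[ip] += nbytes                       # sign 1: bulk data movement
        external = not ip.startswith(KNOWN_NETWORKS)
        if external and ts.hour in OFF_HOURS:              # sign 2: unusual IP at odd hours
            findings.add(("off_hours_external_connection", ip))
        if proc not in KNOWN_PROCESSES:                    # sign 3: unfamiliar executable
            findings.add(("unknown_process", proc))
    for ip, total in bytes_per_host.items():
        if total >= BULK_TRANSFER_BYTES:
            findings.add(("bulk_transfer", ip))
    return sorted(findings)

if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_LOGS):
        print(f"{indicator}: {detail}")
```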

Most targeted attacks using new vulnerabilities happen after a vendor has announced a zero-day exploit in their software. To prevent your devices from becoming a target, keep up-to-date with vendors that provide software your organisation relies on, no matter how insignificant. If an application has access to data and users, it can be exploited to let threat actors into your network!

If a new update is released, update all devices or applications as soon as possible, prioritising those that can be easily accessed from the internet, such as servers that handle public requests and webpages.

Vulnerabilities discovered on applications and devices that are no longer supported often never receive updates to patch them. For example, Windows 7 ceased being supported by Microsoft in January 2020, and any new vulnerabilities discovered for the operating system will never be officially fixed. If a threat actor finds an outdated device or software running on your network, it is the first thing they will target and could lead to your IT system being compromised. If possible, stop using any unsupported technology and move to newer, supported versions to strengthen the security of your network.

Ensure that antivirus and firewall applications are running on and protecting all devices connected to your organisation’s network. Additionally, regularly updating these devices will mean they can detect and prevent attempts to exploit new vulnerabilities.