Zero-Day Exploits: What They Are, and How to Mitigate the Risk

Expert insight from our senior penetration tester

Last May, the Cl0p ransomware gang exploited a zero-day vulnerability in a software now familiar to many of us: MOVEit Transfer by Progress Software.

Almost a year later, new victims are still emerging, with thousands of organizations already affected.

But what exactly are zero-day exploits? How much of an outlier was the MOVEit breach? And what can organizations do to protect themselves from zero-day attacks?

We put these questions to senior penetration tester Leon Teale, who has more than ten years’ experience in performing penetration tests for clients in various industries all over the world. In addition, he’s won hackathon events and is accredited for multiple bug bounties.

In this interview

  • What a zero-day exploit is
  • Who – or what – is most at risk
  • Insights into the implications of MOVEit
  • How to detect zero-day vulnerabilities and attacks
  • Other ways to protect yourself against zero-day exploits

What is a zero-day exploit?

Zero-day exploits are vulnerabilities not yet made public. They’re called ‘zero day’ because that’s how many days you’ve got to fix the vulnerability before an attacker can exploit it.

The trouble with zero-day vulnerabilities is that threat actors are aware of these exploits, but the developers and users often aren’t – at least, at this stage. Even when they are aware, the remediation isn’t always obvious.

Which devices and software are most at risk from zero-day attacks?

The types of software or devices commonly at risk from zero-day exploits are, unfortunately, the ones used by thousands, if not millions, of organizations.

That’s because the return on invested time to be able to exploit a vulnerability has to be beneficial to an attacker. If the potential reward isn’t worth their time, or the risk of prosecution, they’ll move on to a different exploit.

Cyber criminals are just running a business – albeit an unethical one. They want to get the best ROI possible. You may get the odd exception – criminal hackers just wanting to find a zero-day vulnerability for bragging rights. Those might target anything.

I suppose the MOVEit breach is a good example of a typical zero-day target. Could you tell us a bit more about that?

That was a significant incident, highlighting the serious threats a breach in the supply chain can present.

The breach was caused by a SQL injection vulnerability [CVE-2023-34362], which, if exploited, allowed unauthenticated access to MOVEit Transfer’s database.

A threat actor gaining access to a managed file transfer software such as MOVEit – used by high-profile companies, including Siemens and the BBC – is a serious matter. This software component is critical for organizations that require secure file transfer to, among other things, meet their legal and contractual obligations.

What were the consequences of the MOVEit breach?

A lot more than simple data theft. The MOVEit exploit led to complete system compromises of organizations in that supply chain. In turn, that led to significant financial and reputational damage around the world.

Organizations also reevaluated their reliance on a single point of compromise – how exploiting just one vulnerability in one piece of software can lead to the breach of business-critical data and systems. But fixing that requires a complete overhaul of their network architecture, taking additional time and resources.

MOVEit aside, how much risk do zero-day exploits generally pose to organizations?

The business risk is similar to any other vulnerability – if exploited, your assets are at risk.

That said, with zero-day vulnerabilities, the vendor or manufacturer hasn’t had a chance to develop a fix or patch – never mind organizations installing it. That makes it harder to prevent the zero-day vulnerability from being exploited.

And typically, if a zero-day exploit is shared within the hacking community, organizations may find themselves targeted by a wave of attacks. Particularly for software used by thousands [if not more] of systems, threat actors want to exploit it while they have the chance.

How can organizations detect attacks targeting a zero-day vulnerability?

Spotting them can be tricky: without a known signature, your IDS [intrusion detection system] may not recognize such attacks.

More advanced solutions with heuristic monitoring may identify unusual behavioral patterns that could signify a zero-day attack. [These examine code for suspicious properties, and don’t just rely on known malicious signatures.] They’d still require proactive monitoring and assessment from a person, however.

The best thing you can do is keep an ear to the ground. Subscribe to newsletters covering emerging threats, look out for reports of newly identified zero-day vulnerabilities, and check whether they affect your systems.

If they do, take appropriate actions to mitigate the risk until ‘official’ remediation becomes available.
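As an added illustration of the signature-free, behavioral approach described above (example code written for this page, not from the interview or from any IDS product), the script below baselines each account's daily download volume and source addresses from constructed file-transfer logs and flags departures from that baseline; the accounts, addresses and byte counts are all made up:

```python
# Added example: heuristic, signature-free flagging of unusual download behavior.
import statistics
from collections import defaultdict

# Constructed sample lines: "<day> <account> <source_ip> <bytes_downloaded>"
BASELINE_LOG = """\
d01 alice 10.0.0.5 120000
d02 alice 10.0.0.5 98000
d03 alice 10.0.0.5 131000
d04 alice 10.0.0.5 110000
d01 bob 10.0.0.9 4000000
d02 bob 10.0.0.9 3800000
d03 bob 10.0.0.9 4200000
d04 bob 10.0.0.9 3900000
"""
TODAY_LOG = """\
d05 alice 198.51.100.4 2400000
d05 bob 10.0.0.9 4100000
d05 svc_transfer 203.0.113.7 9500000
"""

def parse_log(text):
    """Split each non-empty line into (day, account, source_ip, bytes)."""
    return [(d, u, ip, int(b)) for d, u, ip, b in
            (ln.split() for ln in text.splitlines() if ln.strip())]

def build_baseline(records):
    """Per account: mean and spread of daily bytes, plus the source IPs seen."""
    per_user = defaultdict(lambda: {"bytes": [], "ips": set()})
    for _, user, ip, nbytes in records:
        per_user[user]["bytes"].append(nbytes)
        per_user[user]["ips"].add(ip)
    return {u: (statistics.fmean(d["bytes"]), statistics.pstdev(d["bytes"]), d["ips"])
            for u, d in per_user.items()}

def flag_anomalies(baseline, records, z_threshold=3.0):
    """Return (account, reason) pairs; no exploit-specific signature is involved."""
    findings = []
    for _, user, ip, nbytes in records:
        if user not in baseline:
            findings.append((user, "no history for account"))
            continue
        mean, stdev, ips = baseline[user]
        spread = max(stdev, 0.1 * mean, 1.0)  # floor so a flat baseline cannot divide by zero
        if (nbytes - mean) / spread > z_threshold:
            findings.append((user, f"download volume z={(nbytes - mean) / spread:.1f}"))
        if ip not in ips:
            findings.append((user, f"new source {ip}"))
    return findings
```

Each finding still needs a person to triage it, as the interview notes; the heuristic only tells you where to look.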

What are some examples of such “appropriate actions”?

Things like:

  • Identifying and isolating the vulnerable system or solution
  • Restricting access to the vulnerable service
  • Heightening security monitoring
  • Closing unnecessary ports
  • Checking that configurations follow best practices [like changing default passwords to a stronger alternative]

In extreme cases, where the risk of an exploit is high, and preventing the data from being breached outweighs the need for authorized access to that data, you may even want to temporarily shut down the service in question.

Need help implementing the right cybersecurity measures?

IT Governance USA offers a full suite of cybersecurity solutions to help you defend against zero-day and other cyber attacks, including:

  • Penetration testing
  • Staff training
  • Consultancy

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Leon on the CVSS (Common Vulnerability Scoring System)?
