ZERO-DAY ATTACK

by Ajay Kumar, MCA Computer and Information

A zero-day exploit is a cyber-attack that targets a software vulnerability of which antivirus companies, software vendors, and other firms are unaware. Attackers construct an exploit and use it in an attack before anyone interested in mitigating the vulnerability notices it. Because no defenses are in place, such attacks are usually effective. Hackers frequently target web browsers because of their widespread use, as well as email attachments that exploit holes in the applications that open them or in specific file formats such as Word, Excel, PDF, or Flash. A related idea is zero-day malware: a computer infection for which antivirus signatures are not yet available, so signature-based antivirus software does not recognize it until the signature is updated. Patches usually come from the developer, but producing them takes time, and applying them depends on the user; 80% of users do not update their software on time. According to Microsoft studies, 91 percent of new PCs in India are infected with pirated software, which raises the chance of unpatched vulnerabilities, and hackers are always looking for this type of opportunity.


A zero-day exploit's typical targets are:

  • Government agencies.

  • Big businesses.

  • Schools and colleges.

  • People who have access to sensitive corporate information, such as intellectual property.

  • A large number of users at home are using a vulnerable system, such as a browser or operating system. Hackers can take advantage of flaws to infiltrate computers and create enormous botnets.

  • Hardware, software, and the Internet of Things (IoT).

  • Governments have been known to deploy zero-day attacks against persons, organizations, and countries that pose a threat to their national security.

Because zero-day vulnerabilities are useful to multiple parties, many companies pay researchers and bug bounty hunters to find vulnerabilities. In addition to this "white market," there are grey and black markets where zero-day vulnerabilities are traded.


An Overview of a Zero-Day Attack


The most common zero-day attacks deliver malware, adware, or spyware, or gain unauthorized access. The basic protection for users against zero-day attacks is regular software updates, including operating systems, antivirus software, and web browsers, and installing recommended updates outside of the regular schedule as soon as possible. However, having up-to-date antivirus software will not always protect a user from a zero-day threat, because antivirus software may not be able to identify the vulnerability until it is publicly known. Host intrusion prevention systems also help to protect against zero-day attacks by preventing and responding to intrusions and protecting data. While hackers with criminal intent are known to use zero-day vulnerabilities, they can also be used by government security services for monitoring or attacks. Government security organizations have such a high demand for zero-day vulnerabilities that they help fuel the market for buying and selling information about these flaws and how to attack them.


Zero-day exploits can be made public, disclosed only to the software vendor, or sold to a third party. If they are sold, they can be sold with or without exclusive rights. From the standpoint of the software firm responsible for the problem, the best outcome is for an ethical hacker (white hat) to confidentially disclose the flaw to the company so that it can be fixed before criminal hackers discover it. However, in some circumstances more than one party may be required to address the vulnerability, making a completely private disclosure impractical.


Anatomy


When thieves take advantage of a zero-day vulnerability, it is known as a zero-day attack.

The following steps are frequently included in the timeline of a zero-day assault.


Detecting flaws: Criminals look for vulnerabilities in open-source code and proprietary apps that haven't been reported yet. Attackers may even purchase information on vulnerabilities that aren't yet public on black markets. Exploitation kits, scripts, and processes are then created by attackers to exploit the discovered vulnerability. Tools that help to collect information about targets include:

  • Nmap

  • Burp suite

  • Dark Web Black Markets

Identifying susceptible systems: As soon as an exploit is released, attackers begin looking for vulnerable systems. Automated scanners, bots, or manual probing may be used in this process.

To exploit the discovered vulnerability, attackers use:

  • Shell script

  • Python programs

  • GitHub codes

  • Dark web

This step is determined by the type of attack that the criminal wishes to carry out. When an attack is targeted, assailants usually conduct reconnaissance to lower the likelihood of getting caught and raise the likelihood of succeeding. Criminals are more inclined to utilize phishing campaigns or bots in broad attacks in order to hit as many targets as possible as rapidly as feasible.


Infiltration and launch: If exploiting a vulnerability requires first entering a system, attackers work to do so. If the vulnerability itself can be exploited to gain access, the exploit is used right away.


Detection of zero-day vulnerabilities


Zero-day exploits, by definition, have no patches or antivirus signatures, so signature-based tools cannot detect them. However, there are several methods for detecting previously unknown software flaws.


Vulnerability analysis


Some zero-day attacks can be detected using vulnerability scanning. Vulnerability scanning technologies allow security firms to simulate attacks on software code, conduct code reviews, and look for new vulnerabilities that may have been introduced by a software update. This method cannot detect all zero-day exploits, and even for those it discovers, scanning alone is insufficient: organizations must act on the scan's findings, conduct code reviews, and sanitize their code to close the hole. In practice, most firms take a long time to respond to newly disclosed vulnerabilities, whereas attackers can execute a zero-day exploit in a matter of seconds.


Patch administration


Another technique is to distribute software updates for newly found vulnerabilities as quickly as possible. This will not prevent zero-day attacks, but it dramatically reduces the chance of an attack if patches and software upgrades are applied swiftly. However, three things can delay security patches: it takes time for software vendors to identify a vulnerability, to create a patch, and to distribute it to customers. The fix may then take further time to apply across organizational systems. The longer this process takes, the more likely it is that a zero-day attack will occur.
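The delay described above can be measured rather than guessed at. The following script is an added example, not code from the original post or from DRASInt; it takes a constructed advisory (a hypothetical product and fixed version) and a constructed host inventory, reports every host still running a version below the fix, and flags those whose exposure window has exceeded a patching SLA. Versions are compared as integer tuples, because comparing them as strings puts "2.10.0" below "2.4.1".

```python
from datetime import date

# Constructed advisory data: a hypothetical product name, the version that
# contains the fix, and the date the vendor published the patch.
ADVISORIES = {
    "examplelib": {"fixed_version": "2.4.1", "published": date(2021, 7, 1)},
}

# Constructed inventory of hosts and the versions they currently run.
INVENTORY = [
    {"host": "web-01", "product": "examplelib", "version": "2.4.1"},
    {"host": "web-02", "product": "examplelib", "version": "2.3.9"},
    {"host": "db-01",  "product": "examplelib", "version": "2.4.0"},
    {"host": "app-01", "product": "examplelib", "version": "2.10.0"},
]


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_patched(installed, fixed):
    """A host is patched when its installed version is at or above the fixed one."""
    return parse_version(installed) >= parse_version(fixed)


def exposure_report(inventory, advisories, today, sla_days=14):
    """List hosts still exposed to a published advisory.

    Each entry records how many days the fix has been available but not
    applied, and whether that exceeds the organization's patching SLA.
    """
    report = []
    for item in inventory:
        advisory = advisories.get(item["product"])
        if advisory is None:
            continue  # no known advisory for this product
        if is_patched(item["version"], advisory["fixed_version"]):
            continue  # fix already applied
        days_exposed = (today - advisory["published"]).days
        report.append({
            "host": item["host"],
            "product": item["product"],
            "installed": item["version"],
            "fixed": advisory["fixed_version"],
            "days_exposed": days_exposed,
            "sla_breached": days_exposed > sla_days,
        })
    return report


if __name__ == "__main__":
    # Constructed "today" so the example is reproducible offline.
    for row in exposure_report(INVENTORY, ADVISORIES, today=date(2021, 7, 20)):
        print(f'{row["host"]}: {row["installed"]} < {row["fixed"]}, '
              f'{row["days_exposed"]} days exposed, SLA breached={row["sla_breached"]}')
```

Run against the constructed inventory, the report lists web-02 and db-01 as exposed for 19 days, both past the 14-day SLA, while app-01 on 2.10.0 is correctly treated as patched. The same shape of report, fed from a real asset inventory and vendor advisories, is what turns "patch quickly" into a number a team can track.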


Validation and sanitization of input


  • Many of the challenges that come with vulnerability detection and patch administration can be addressed with input validation. It does not leave organizations exposed while they patch systems or sanitize code, which can take a long time. It is operated by security specialists and is considerably more adaptable, allowing it to react to emerging threats in real time.

  • Deploying a web application firewall (WAF) at the network edge is one of the most effective techniques for avoiding zero-day attacks. A WAF examines all incoming traffic and filters out harmful inputs that could be used to exploit security flaws.

  • Additionally, runtime application self-protection (RASP) is the most recent innovation in the fight against zero-day attacks. RASP agents sit inside applications, evaluating request payloads in the context of the application code at runtime to decide whether a request is legitimate or malicious, allowing apps to protect themselves.
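The reason input validation helps against flaws nobody has discovered yet is that an allow-list describes what a legitimate request looks like, so anything outside that shape is dropped whether or not it matches a known attack. The following is an added example, not code from the original post or any WAF product; it implements a minimal allow-list filter of the kind a WAF or RASP agent applies, with a constructed per-endpoint schema and constructed sample requests.

```python
import re

# Constructed allow-list schema: for each endpoint, the only parameters that
# are accepted and the exact shape each value must have.
SCHEMA = {
    "/api/user": {
        "id":   {"pattern": re.compile(r"[0-9]{1,10}")},
        "name": {"pattern": re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")},
    },
    "/api/search": {
        "q":    {"pattern": re.compile(r"[\w .,\-]{1,128}")},
        "page": {"pattern": re.compile(r"[0-9]{1,4}")},
    },
}

MAX_BODY_BYTES = 4096  # hard cap on request body size, independent of endpoint


def validate_request(path, params, body=b""):
    """Return (allowed, reason) for one request.

    Everything not explicitly permitted is rejected: unknown endpoints,
    unexpected parameters, non-string values, values that do not fully match
    the endpoint's pattern, and oversized bodies.
    """
    schema = SCHEMA.get(path)
    if schema is None:
        return False, "unknown endpoint"
    if len(body) > MAX_BODY_BYTES:
        return False, "body too large"
    for key, value in params.items():
        rule = schema.get(key)
        if rule is None:
            return False, f"unexpected parameter {key!r}"
        if not isinstance(value, str):
            return False, f"parameter {key!r} must be a string"
        # fullmatch anchors the pattern to the entire value; a partial match
        # would let trailing garbage through.
        if not rule["pattern"].fullmatch(value):
            return False, f"parameter {key!r} failed validation"
    return True, "ok"


# Constructed sample requests: a mix of well-formed and malformed inputs.
SAMPLE_REQUESTS = [
    ("/api/user",   {"id": "42"}),
    ("/api/user",   {"id": "42abc"}),
    ("/api/user",   {"id": "7", "debug": "true"}),
    ("/api/search", {"q": "zero-day patch", "page": "2"}),
    ("/api/search", {"q": "<b>hello</b>"}),
    ("/api/search", {"q": "a" * 200}),
    ("/api/admin",  {}),
]


def filter_requests(requests):
    """Apply validate_request to a batch and return the per-request verdicts."""
    return [(path, params, validate_request(path, params)) for path, params in requests]


if __name__ == "__main__":
    for path, params, (allowed, reason) in filter_requests(SAMPLE_REQUESTS):
        print(f'{"ALLOW" if allowed else "BLOCK"} {path} {params}: {reason}')
```

Note that the filter never has to know what an attack looks like: the angle-bracket query, the over-long query, the non-numeric id, the extra `debug` parameter and the unknown endpoint are all blocked simply because they fall outside the declared shape. That is the property the passage relies on when it says validation protects systems while the underlying code is still unpatched.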


Initiative with a zero-day deadline


This is an initiative designed to encourage security researchers to responsibly disclose vulnerabilities rather than selling them on the black market. Its purpose is to create a broad community of vulnerability researchers who can uncover security holes and warn software vendors before hackers do.


India's Information Security Laws

  • Sections 43 and 66 of the IT Act, respectively, cover civil and criminal data theft and hacking violations.

  • A simple civil crime will be prosecuted under section 43 if a person accesses a computer without the owner's authorization and takes any data or damages the data contained therein. The cracker will be responsible for compensating those who have been harmed.

  • The highest compensation cap under the ITA 2000 was one crore rupees. This ceiling, however, was removed in the 2008 amendment. The 2008 amendment also added Section 43A to cover corporate bodies whose employees took information from the company's sensitive files.

  • Penalties for receiving stolen computer resources or information are outlined in Section 66B. Penalties include a year in prison or a fine of Rs. 1 lakh, or both.

  • Section 66A requires the presence of mens rea (criminal intent). The existence of criminal purpose and a guilty mind, i.e. destruction, deletion, alteration, or lowering in value or utility of data, are all major factors in bringing any act under this Section.

  • The case's jurisdiction in cyber laws is largely questioned. Cybercrime does not take place in a single location. It is devoid of geography and borders. As a result, determining the jurisdiction in which the action must be brought becomes extremely complicated. If a person works from several locations and his data is stolen in one city while he is residing in another, there will be a disagreement over where the complaint should be filed.


Example from the Real World


  • Microsoft was made aware of a zero-day cyberattack on their Microsoft Word program in April 2017. The attackers exploited a weak and unpatched version of the software using the Dridex banker trojan malware. The trojan allowed attackers to inject harmful code in Word documents that would be executed automatically when the documents were opened. McAfee, an antivirus company, identified the hack and alerted Microsoft to the corrupted software. Despite the fact that the zero-day attack was discovered in April, millions of people had been harmed since January.

  • Microsoft issued a warning in March 2020 to consumers about zero-day attacks that targeted two different vulnerabilities. These flaws affected all supported versions of Windows, and no solution was expected for several weeks. This vulnerability does not yet have a CVE identifier.

  • Remote code execution (RCE) vulnerabilities in the Adobe Type Manager (ATM) library were targeted in the assaults. This library is pre-installed with Windows and is used to manage PostScript Type 1 fonts.

  • ATM weaknesses let attackers remotely run programs via malicious documents. The documents were either sent as spam or downloaded by unwitting individuals. The scripts would run when the documents were opened or previewed in Windows File Explorer, infecting user devices.
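The Word and ATM incidents above illustrate the point made in the detection section: a signature-based check cannot flag a sample it has never seen, but the behaviour of the attack (a document viewer spawning a command interpreter) is visible regardless of which unknown flaw was used. The following is an added example, not code from the original post or from any vendor; it runs a hash signature check and a behavioural rule side by side over constructed process-creation events in the shape an EDR or Sysmon-style sensor would record. Host names, timestamps and hashes are all constructed.

```python
import hashlib

# Constructed signature database: SHA-256 hashes of samples an antivirus
# vendor has already seen. A zero-day dropper is, by definition, not in it.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-previously-seen-sample").hexdigest(),
}

# Office applications and the command/script hosts they should not normally spawn.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def fake_hash(label):
    """Constructed stand-in for a file hash, derived from a label for readability."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed process-creation events (parent image, child image, hash of child).
EVENTS = [
    {"ts": "2017-04-10T09:01:02", "host": "pc-07", "parent": "explorer.exe",
     "child": "WINWORD.EXE", "sha256": fake_hash("constructed-winword")},
    {"ts": "2017-04-10T09:01:09", "host": "pc-07", "parent": "WINWORD.EXE",
     "child": "cmd.exe", "sha256": fake_hash("constructed-cmd")},
    {"ts": "2017-04-10T09:01:10", "host": "pc-07", "parent": "cmd.exe",
     "child": "dropper.exe", "sha256": fake_hash("constructed-new-dropper")},
    {"ts": "2017-04-10T09:15:44", "host": "pc-12", "parent": "WINWORD.EXE",
     "child": "splwow64.exe", "sha256": fake_hash("constructed-splwow64")},
    {"ts": "2017-04-10T10:02:31", "host": "pc-03", "parent": "EXCEL.EXE",
     "child": "powershell.exe", "sha256": fake_hash("constructed-powershell")},
    {"ts": "2017-04-10T11:20:05", "host": "pc-09", "parent": "explorer.exe",
     "child": "old_sample.exe", "sha256": fake_hash("constructed-previously-seen-sample")},
]


def signature_hit(event):
    """Signature-based check: fires only on hashes already in the database."""
    return event["sha256"] in KNOWN_BAD_SHA256


def behavior_hit(event):
    """Behavioural check: an Office application spawning a command or script host."""
    return event["parent"].upper() in OFFICE_APPS and event["child"].lower() in SCRIPT_HOSTS


def triage(events):
    """Tag every event with both verdicts so their coverage can be compared."""
    return [dict(event, signature=signature_hit(event), behavior=behavior_hit(event))
            for event in events]


def summarize(events):
    """Count hits per method and list the hosts that need an analyst's attention."""
    tagged = triage(events)
    return {
        "signature_hits": sum(1 for e in tagged if e["signature"]),
        "behavior_hits": sum(1 for e in tagged if e["behavior"]),
        "hosts_to_investigate": sorted({e["host"] for e in tagged if e["signature"] or e["behavior"]}),
    }


if __name__ == "__main__":
    for e in triage(EVENTS):
        if e["signature"] or e["behavior"]:
            print(f'{e["ts"]} {e["host"]}: {e["parent"]} -> {e["child"]} '
                  f'signature={e["signature"]} behavior={e["behavior"]}')
    print(summarize(EVENTS))
```

On the constructed events the signature check catches only the previously seen sample on pc-09, while the behavioural rule flags the unseen activity on pc-07 and pc-03 and ignores the benign print spooler helper spawned by Word on pc-12. Neither method replaces the other; the value of running both is that the behavioural rule does not depend on the vendor having already produced a signature.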


How to safeguard yourself?


  • To help defend yourself against a zero-day vulnerability, keep your software up to date.

  • When a zero-day vulnerability is announced, look for a remedy. When a security flaw is discovered, most software vendors work rapidly to fix it.

  • Don't undervalue the danger. Cybercriminals will attempt to obtain access to your devices and personal information by exploiting security flaws. They can utilize your information for identity theft, bank fraud, and ransomware, among other cybercrimes.

  • To keep your gadgets safe and secure, always use a reputable security program.


To be continued...



