Zero-Day Exploits
The Cyber Riddler, June 04, 2024


In this episode of The Cyber Riddler podcast, we venture into the shadowy world of zero-day exploits, one of the most well-known threats in the cybersecurity world. Zero-day exploits represent vulnerabilities that can be targeted before they are even known to exist, making them a significant concern for both organizations and individuals. We explore the lifecycle of a zero-day exploit, from discovery and weaponization to delivery and exploitation. Through notable case studies, we illustrate the profound impact these exploits can have. Additionally, we discuss the challenges faced by incident responders in dealing with unknown threats and the strategies that can be employed to defend against them.

  • Twitter: @almorabea
  • Twitter: @CyberRiddler
  • Website: https://thecyberriddler.com

[00:00:00] Zero Day Exploits are a major concern for both organizations and individuals.

[00:00:05] Incident responders often fear handling unknown threats because they lack predefined defenses

[00:00:12] and require new methods for detection and response.

[00:00:16] These exploits represent vulnerabilities that can be targeted before they are even known

[00:00:21] to exist.

[00:00:22] In this episode, we will talk about what Zero Day Exploits are, how they are discovered

[00:00:27] and utilized, and the strategies that can be employed to defend against them.

[00:00:39] You're listening to The Cyber Riddler, where we decipher the offensive and defensive side

[00:00:46] of the cyber world.

[00:00:47] I'm Ahmad Almorabea

[00:00:48] To start, let's define what we mean by a Zero Day Exploit.

[00:01:04] A Zero Day Exploit refers to a cyber attack that targets a software vulnerability that

[00:01:10] is unknown to the software vendor or those who are responsible for patching or mitigating

[00:01:15] the vulnerability.

[00:01:17] The term Zero Day signifies that developers have had zero days to fix the flaw before

[00:01:23] it's exploited. Because the vulnerability is unknown, there are no defenses in place,

[00:01:29] making these types of exploits extremely dangerous.

[00:01:33] Zero Day Exploits can affect various types of software including operating systems,

[00:01:38] web browsers, applications and even firmware.

[00:01:42] They can be used to steal data, install malware, disrupt services and gain unauthorized

[00:01:47] access to the systems.

[00:01:48] The life cycle of a Zero Day Exploit can be broken down into several stages.

[00:01:53] The first stage is the discovery of the vulnerability.

[00:01:56] This can happen in several ways.

[00:01:58] Researchers or hackers might find vulnerabilities through manual testing.

[00:02:03] Some may call this stage R&D, research and development.

[00:02:07] Another way is to use automated tools or by analyzing source code.

[00:02:11] Sometimes, believe it or not, vulnerabilities are discovered by accident.

[00:02:15] The researcher is doing research on something and then another issue arises that wasn't

[00:02:21] the target in the first place.

[00:02:23] The researcher will pivot into that issue and then he finds a strange behavior that

[00:02:28] leads to the discovery of a new vulnerability outside the scope of the original research.

[00:02:33] The second stage is weaponization.

[00:02:36] Once a vulnerability is found, it needs to be weaponized, meaning the creation

[00:02:40] of a working exploit that can take advantage of the vulnerability.

[00:02:44] This step requires significant skills. You may ask why, right?

[00:02:48] To break it down for you, a researcher could find a vulnerability theoretically but he

[00:02:54] doesn't have the skills to implement it due to many restrictions and the way of

[00:02:59] gaining access to the system primitives in the code itself.

[00:03:03] That's why you can see some CVEs that don't have a public exploit for a while

[00:03:08] but certain companies already wrote an exploit for it and then they use it in their software.

[00:03:13] Eventually, you can find a public release for it and then some hacker groups start

[00:03:18] weaponizing their malware with this vulnerability.

[00:03:22] The third stage is delivery.

[00:03:24] The next stage is delivering the exploit to the target system.

[00:03:28] This could be done through various means such as phishing emails, malicious websites,

[00:03:33] infected USBs or compromised software updates.

[00:03:37] There are a lot of ways for delivering the malware but hackers usually see the easiest

[00:03:42] option for them and their intention of delivering the malware by asking themselves the question,

[00:03:48] which is, do we want to target a lot of people or is it a targeted attack which

[00:03:53] only targets a few people with it?

[00:03:55] The fourth stage is exploitation.

[00:03:58] After the exploit is delivered, it executes the attack by exploiting the vulnerability.

[00:04:03] This can lead to different outcomes such as remote code execution, privilege escalation

[00:04:08] or data exfiltration.

[00:04:10] The bottom line, the attacker will gain access to your system and then they do what they

[00:04:14] want to do with it but still sometimes even after all of this hard work of writing

[00:04:20] the exploit, delivering it, shit can happen.

[00:04:23] Maybe the Windows build doesn't have the vulnerability because vulnerabilities exist

[00:04:29] like what happened in SMBGhost, or sometimes the system's state is corrupted due to multiple

[00:04:34] attempts of exploiting the vulnerability.

[00:04:37] So the machine was vulnerable but the state of which the system should be on is

[00:04:41] not the same anymore like many vulnerabilities such as PloKey.

[00:04:46] The fifth and final stage is detection and response.

[00:04:50] Finally, once the exploit is used, it may be detected by security tools or reported.

[00:04:55] At this point, the software vendor and security community work to analyze the exploit, develop

[00:05:02] a patch and deploy it to affected systems.

[00:05:05] This stage could take a lot of time to happen as some hackers are delivering the exploit

[00:05:10] to certain people and then delete the artifact so no one can know anything about it and

[00:05:15] they can use it for a long period of time.

[00:05:17] It could be months, years, but sometimes one incident can happen and then the logs

[00:05:23] will be sent to the security vendors, who start analyzing the raw data and then they

[00:05:28] discover the exploit even though the hackers were cautious, because the logs were already sent.

[00:05:34] There are many case studies. To better understand the impact of Zero-day exploits, let's

[00:05:39] discuss a few notable case studies.

[00:05:41] Stuxnet. Perhaps the most famous Zero-day exploit

[00:05:45] is Stuxnet.

[00:05:46] A sophisticated worm discovered in 2010, Stuxnet targeted industrial control systems, specifically

[00:05:53] those used in Iran's nuclear program.

[00:05:56] It exploited multiple Zero-day vulnerabilities in Windows to spread and sabotage centrifuges.

[00:06:02] Stuxnet is a prime example of how Zero-day exploits can be used for cyber warfare and

[00:06:08] industrial sabotage.

[00:06:10] It used four Zero-days so they could take control of the system.

[00:06:15] The second case study is the Aurora attack in 2009.

[00:06:18] A series of cyber attacks known as Operation Aurora targeted several major companies including

[00:06:24] Google.

[00:06:26] The attackers exploited a Zero-day vulnerability in Internet Explorer to gain access to the

[00:06:30] company networks and to steal intellectual property.

[00:06:33] This attack highlighted the importance of browser security and led to significant changes

[00:06:38] on how companies approach cybersecurity.

[00:06:41] There are a lot of operations that use Zero-days.

[00:06:44] Zero-day exploits are highly valuable in the cybersecurity world and there is a thriving

[00:06:49] market for them.

[00:06:51] This market can be divided into two main segments, the black market and the white

[00:06:55] market.

[00:06:56] On the black market, Zero-day exploits are bought and sold by cyber criminals,

[00:07:01] nation-states and other malicious actors.

[00:07:04] These transactions often take place on the dark web where anonymity is preserved.

[00:07:10] Prices for Zero-day exploits can vary widely depending on the target software and the

[00:07:15] potential impact of the exploit.

[00:07:17] High value targets like popular operating systems and widely used applications command

[00:07:22] higher prices.

[00:07:24] On the other hand, we have the white market.

[00:07:26] The white market involves legitimate sales and disclosure of Zero-day exploits.

[00:07:32] Security researchers and ethical hackers can sell their findings to software vendors

[00:07:37] who then patch the vulnerabilities.

[00:07:39] Bug bounty programs offered by companies like Google, Microsoft and Facebook reward

[00:07:44] researchers for discovering and responsibly disclosing vulnerabilities.

[00:07:49] Additionally, some firms specialize in finding and selling Zero-day exploits to

[00:07:55] government agencies for defensive and offensive cyber operations.

[00:08:00] Ok so let's talk about how you can defend yourself against Zero-day exploits.

[00:08:06] To be honest, defending against Zero-day exploits is a significant challenge due to

[00:08:10] their unknown nature.

[00:08:12] However, there are several strategies and best practices that organizations can adopt

[00:08:17] to mitigate the risk.

[00:08:18] Let me be clear here, it's really hard to prepare and detect Zero-days.

[00:08:22] For many reasons, the signature based approach isn't effective because at this

[00:08:27] stage we don't have signatures yet.

[00:08:30] But at least you can understand some rules that make the life of an attacker a living

[00:08:35] hell.

[00:08:36] For example, if an attacker manages to do an attack by using a Zero-day, but you made

[00:08:41] the environment so locked down for his C2 to connect, the attacker will have a hard

[00:08:46] time to connect to the payload.

[00:08:48] You could argue that maybe the payload will send a callback, but what about if

[00:08:52] you had a policy against newly registered domains?

[00:08:55] It will block the request either way.

[00:08:57] I know there are so many bypasses, I'm just giving you the example so you can think

[00:09:02] about it from a different aspect.

[00:09:04] So the attacker has a valid Zero-day exploit but he couldn't manage to connect back,

[00:09:10] and this limited the attack a little bit.

[00:09:12] And the attacker has to find new ways to get access to the payload, and you

[00:09:17] never know, maybe one of his attempts will allow your SOC to detect and investigate

[00:09:22] the host.

[00:09:24] The second thing I want to talk about is the behavioral analysis.

[00:09:29] Traditional signature-based detection methods are ineffective against Zero-day exploits.

[00:09:33] Instead, behavioral analysis and anomaly detection can help identify unusual activities that

[00:09:39] may indicate an exploit.

[00:09:41] If you found the Word application tried to spawn a PowerShell process, you can sense

[00:09:46] that something is abnormal here and so on.

[00:09:50] As technology evolves, so do the methods and tools used by attackers and defenders.

[00:09:55] The future of Zero-day exploits will likely be shaped by advancements in AI, or Artificial

[00:10:01] Intelligence, machine learning and quantum computing.

[00:10:04] AI can be used to discover vulnerabilities more quickly and develop sophisticated exploits.

[00:10:10] However, AI can also be leveraged to enhance defensive capabilities such as predictive

[00:10:15] analytics and automated response systems.

[00:10:19] Machine learning algorithms can improve threat detection by identifying patterns and anomalies

[00:10:23] that may indicate Zero-day exploits.

[00:10:26] These systems can continuously learn and adapt to new methods.

[00:10:29] The final thought I want to leave you with is, while Zero-day is a buzzword that many

[00:10:35] are familiar with, I aim to present the concept in a structured and architectural

[00:10:41] manner.

[00:10:42] This approach helps you think about it systematically and organize your thoughts.

[00:10:47] So the next time you hear Zero-day, you will remember this episode, recall the life cycle

[00:10:52] we discussed and have a clearer understanding of the topic.

[00:10:56] You have been listening to The Cyber Riddler. Zero-day research is fun but it requires

[00:11:01] a lot of work and months of research.

[00:11:05] Don't forget to share this episode with anyone you think is interested in the topic.

[00:11:09] Follow us on X, aka Twitter, at @almorabea and the podcast page at @CyberRiddler.

[00:11:18] See you in the next episode.