Zero Day Vulnerabilities Threaten Microsoft Exchange

The Siliconreview
08 April, 2021

Plenty of software vulnerabilities -- referring to flaws or weaknesses in code that could be exploited by an attacker -- are ones that you’ll never hear about. Like the police foiling an attempted crime before it can take place, software developers frequently find out about bugs and fix them before most people are any the wiser. But that’s not true for every software vulnerability.

A zero day vulnerability is a flaw that exists in software or firmware that’s not known to the group responsible for patching those flaws. A zero day attack harnesses that vulnerability as part of a cyber-attack that developers have, literally, zero days to address prior to the first attack taking place. It’s the vulnerability that all developers and cyber security experts dread.

A zero day vulnerability that’s been made public is called an n-day or, sometimes, one-day vulnerability. At this point, particularly if an attack has been successful, the race is on for developers to patch it and release the patch before it is actively exploited again.

Microsoft Exchange vulnerabilities

Zero day attacks are, unfortunately, not quite as rare as people would like to think. In early March, Microsoft sounded alarm bells after it found that cyber-espionage attackers from China had chained several zero-day exploits together in order to exfiltrate email data from corporate Microsoft Exchange servers.

Microsoft blamed a Chinese advanced persistent threat (APT) operator called HAFNIUM, which targets a variety of United States sectors -- including infectious disease researchers, higher education institutes, law firms, think tanks, NGOs, and defense contractors.

The first of the known exploitation attempts took place on January 3, around two months before the vulnerabilities were publicly disclosed. Attempted attacks took place internationally, with the number of exploitation attempts at times multiplying more than sixfold over a 72-hour period.

The attack exploited several vulnerabilities. One was a server-side request forgery (SSRF) flaw that allowed attackers to send arbitrary HTTP requests and to authenticate as the Exchange server. Another allowed HAFNIUM to run code on the Exchange server. Another allowed them to authenticate with the Exchange server in order to write files to any path on a targeted server. The final one was a post-authentication arbitrary file write flaw in Exchange. By chaining these vulnerabilities together, the hackers were able to access an Exchange server, create a web shell in order to control it remotely, and then use U.S.-based private servers to steal data from organizations’ networks.
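A defender-side check for the last step of that chain (a web shell written to disk through an arbitrary file write), added here as an example and not taken from the article or from Microsoft: it compares the server-side script files under a web root against a known-good hash baseline and reports anything new or modified. The extension list, the function names and the sample directory tree are assumptions made for the example.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: extensions the web server executes as server-side script.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}
# First known exploitation attempt per the article (January 3; year from its 2021 dateline).
FIRST_KNOWN_EXPLOITATION = datetime(2021, 1, 3, tzinfo=timezone.utc)

def script_hashes(root):
    """Map relative path -> SHA-256 for every server-side script under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS
    }

def find_unexpected_scripts(root, baseline):
    """Return sorted (path, reason, in_window) for scripts that differ from baseline."""
    findings = []
    for rel, digest in script_hashes(root).items():
        if baseline.get(rel) == digest:
            continue  # unchanged since the known-good snapshot
        reason = "modified" if rel in baseline else "new"
        mtime = datetime.fromtimestamp((Path(root) / rel).stat().st_mtime, timezone.utc)
        # mtime can be forged, so it only annotates a finding; it never hides one.
        findings.append((rel, reason, mtime >= FIRST_KNOWN_EXPLOITATION))
    return sorted(findings)

def demo():
    """Constructed sample: a tiny fake web root, baselined, then changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth").mkdir()
        (root / "auth" / "logon.aspx").write_bytes(b"<%@ Page %>")
        baseline = script_hashes(root)  # taken while the tree is known-good
        (root / "auth" / "logon.aspx").write_bytes(b"<%@ Page %><!-- changed -->")
        (root / "auth" / "help.aspx").write_bytes(b"constructed placeholder")
        (root / "notes.txt").write_bytes(b"ignored: not a script")
        return find_unexpected_scripts(root, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline has to be captured from a tree that is known to be clean, for example straight after installing a vendor update, and refreshed after each legitimate update.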

Microsoft released fixes for the vulnerabilities. These included both security updates (SUs) and cumulative updates (CUs). As a result of the updates, upward of 95% of Exchange Server versions were protected. However, thousands of others remained exposed. According to Microsoft, on March 12, upward of 80,000 Exchange servers had yet to be updated. This meant that they could still be targeted by attackers.

The patching problem

Instances like the Microsoft Exchange vulnerability highlight one of the big problems with patching vulnerabilities: people still have to install the patches. The moment a vulnerability is publicly disclosed, awareness of it increases not just among legitimate users, but also among cyber attackers. Attacks can therefore ramp up, even when patches for the vulnerability are in circulation. This is because not everyone will immediately install patches, thereby leaving them exposed to exploits.

Overstretched security teams can’t keep up with patching, especially at a time when businesses and organizations may rely on hundreds of apps and other software tools in order to do their jobs. Installing updates can result in unwanted downtime, which can be tough to factor in for a busy company. It is also very difficult to know which patches should be prioritized -- particularly in organizations in which there may not be enough cyber security experts on hand in an IT department.

As a result, businesses might be exposed to vulnerabilities even when there is, in terms of patches available, no reason why this should be the case. Vulnerabilities like the Microsoft Exchange example could result in ransomware attacks, data exfiltration, and more.

Patching isn’t the only line of defense

It is crucial that organizations get better at this, and make sure that they install critical updates as soon as possible. But this doesn’t have to be your only line of defense. Tools like Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) can help mitigate vulnerabilities, including zero day exploits, by assessing potential threats and stopping them, including by filtering out malicious inputs and request payloads. As such, WAF and RASP can be used to block exploits of unpatched vulnerabilities.

Unfortunately, zero day vulnerabilities are, most likely, always going to exist. However, by taking the right steps to protect yourself and your business or organization, it’s possible to minimize the negative effects they may have. In the modern cyber security threat landscape, that’s not just a nice “optional extra” to have available; it should be a “must.”