What is zero-day?

The term zero-day refers to a newly found software vulnerability that hackers try to exploit before the vendor knows about it, leaving the software vendor "zero days" to respond.

02-01-2023 - 11 minute read. Posted in: hacking.

Define zero-day vulnerability: What is zero-day?

Zero-day is a relatively new term that refers to a hacker attempting to exploit a newly found vulnerability in software before the software vendor has had a chance to respond, meaning that the vendor has had “zero days” to address the threat and patch the vulnerability. Read on for an in-depth look at how zero-days give hackers an avenue to attack systems.

The definition of zero-day vulnerability

A Zero-day attack occurs when the developer of a system has had zero days to fix a bug before cybercriminals have exploited it. It can also be referred to as 0-day.

Discovering zero-day vulnerabilities often involves independent security researchers, cybersecurity firms, and even government agencies working proactively to uncover these threats before they can be exploited.

Zero-day is often used in front of words like vulnerability, exploit and attack. However, these words refer to different aspects of Zero-day:

  • A Zero-day vulnerability refers to the software vulnerability itself, which a cybercriminal has discovered before the developer of the software has had a chance to become aware of it. Thus, at this point, no update has been made to fix the vulnerability yet.

  • The zero-day exploit, on the other hand, is the very method used by the cybercriminal to exploit the zero-day vulnerability as described above.

  • A Zero-day attack is the result of a zero-day exploit being used to damage a system affected by the vulnerability or to steal data from it.

Types of zero-day threats

Zero-day threats can be categorized into several distinct types, each posing unique challenges to cybersecurity:

  1. Zero-day vulnerabilities: These are security flaws in software, hardware, or firmware that remain unknown to the vendor or developer. Because the vendor is unaware of them, they remain unpatched and open to exploitation.

  2. Zero-day exploits: These are the specific codes or techniques that cybercriminals use to take advantage of zero-day vulnerabilities. These exploits are crafted to bypass security measures and gain unauthorized access to systems.

  3. Zero-day attacks: These attacks occur when threat actors exploit zero-day vulnerabilities before a patch or fix is available. The attackers leverage the element of surprise, as the vulnerability is unknown to the software vendor and users.

  4. Zero-day malware: This type of malware is designed to exploit zero-day vulnerabilities and evade detection by traditional security measures. Zero-day malware can be particularly dangerous because it can operate undetected for extended periods.

Understanding these types of zero-day threats is crucial for developing effective defense strategies and staying ahead of potential attacks.

What is zero-day attack and how does it work?

Typically, software has vulnerabilities that hackers exploit to attack businesses and individuals. Software developers are always looking for “holes” to patch in updates.

However, hackers sometimes get ahead of the developers and find the holes first. From the moment such a hole is known to attackers, they can write and deploy code that abuses it, giving them access to software that was otherwise locked to outsiders. This kind of code is called exploit code.

To mitigate zero-day attacks, organizations can employ techniques such as vulnerability scanning, behavioral anomaly monitoring, and advanced threat detection to swiftly recognize and respond to threats.

This exploit code can lead to more software users becoming victims of cybercrime - identity theft, for example. Once hackers have found a zero-day vulnerability, they still need a way to reach it, and most often they do this with social engineering via email. In short, the hacker pretends to be someone else to trick you into trusting them and clicking on the links they attach, or into giving up personal information. Clicking the link downloads malware that exploits the vulnerable software the hacker wants to access. Discover how social engineering manipulates users and fuels cybercrime.

The software developers, of course, try to patch any holes in the software that give the hacker an entry point into the system. They may detect a hole quickly and release a fix, but not all users are as quick to update their software. This gives the hacker extra time to infiltrate systems that are still unpatched.

However, security vulnerabilities are not always detected immediately - it can take days, weeks or even months before one is discovered. This gives the hacker free rein in the software, which they exploit to the fullest.

Hackers can sell the information on the dark web for large sums of money - usually paid in cryptocurrency because it is hard to trace. Note that once the vendor has discovered the vulnerability, an attack on it is no longer called a zero-day attack. Learn more about the dark web and how cybercriminals profit from stolen data.

Zero-day attacks are especially dangerous because only the hackers themselves know about the vulnerability. Once they have infiltrated a system, they can exploit being the only ones with that access and modify the system to their advantage. Having infiltrated a network, they can choose to attack immediately or wait for the moment when the network is most vulnerable.

Who is executing zero-day attacks?

There are several different categories of attackers when it comes to zero-day attacks:

  • Cybercriminals, whose motivation is mostly financial.

  • Hacktivists, who are most often motivated by a political agenda and want attention for their cause.

  • Corporate surveillance, where hackers monitor companies to gather information about them.

  • Cyber warfare, where countries and political actors spy on or attack other countries' cyber infrastructure.

Who are the victims of a zero-day attack?

Victims of zero-day attacks are not limited to one specific group of companies or systems. The affected technology includes operating systems, internet browsers, hardware and firmware, and the like.

Potential victims of attacks are:

  • People using vulnerable systems, such as browsers and operating systems.

  • People with access to company information and intangible assets.

  • Hardware devices and firmware.

  • Large companies and organisations.

  • Government agencies.

  • Political and national targets.

It may also be easier to think of victims in terms of deliberate targets and incidental targets. The deliberate targets are valuable potential victims; these can be large companies and organisations. The incidental targets are typically the vulnerable systems that get hit because the hacker finds it easier to infiltrate a system that already has holes in it.

How can you spot a zero-day attack?

Zero-day attacks can come in many shapes and sizes - which is why they can be harder to spot. Companies that are hit by a zero-day attack may experience unexpected traffic on websites or suspicious scanning from a customer or service.

One way to catch zero-day attacks is to use existing databases of malware and study how known samples operate so you can learn from them (even though a zero-day attack is new, the way it operates can still be observed and compared with earlier attacks).

Alternatively, there are techniques that examine the characteristics of zero-day malware by looking at code and system behaviour. They look at how software interacts with the rest of the system and determine whether those interactions originate from malicious software. The more interactions are examined, the higher the likelihood that malicious activity is detected, including activity from a zero-day attack.
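The behaviour-based spotting described above, turned into a small worked example (added here; this is not code from the article): it aggregates per-client behaviour from web server access log lines and flags clients that probe many distinct paths and mostly receive 404 responses, the "suspicious scanning" the article mentions. The log lines are constructed for the demo, and the thresholds are assumptions to be tuned against a baseline of normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format) for the demo; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jan/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jan/2023:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024',
    '198.51.100.9 - - [02/Jan/2023:10:00:03 +0000] "GET /admin HTTP/1.1" 404 0',
    '198.51.100.9 - - [02/Jan/2023:10:00:03 +0000] "GET /old HTTP/1.1" 404 0',
    '198.51.100.9 - - [02/Jan/2023:10:00:04 +0000] "GET /test HTTP/1.1" 404 0',
    '198.51.100.9 - - [02/Jan/2023:10:00:04 +0000] "GET /backup HTTP/1.1" 404 0',
    '198.51.100.9 - - [02/Jan/2023:10:00:05 +0000] "GET /api/users HTTP/1.1" 200 88',
    'malformed line that should be skipped, not crash the detector',
]

# Client IP, requested path and status code are all this heuristic needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, path, status) for one CLF line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return (m["ip"], m["path"], int(m["status"])) if m else None


def summarize_clients(lines):
    """Per-client behaviour: request count, set of distinct paths, 404 count."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "not_found": 0})
    for parsed in filter(None, map(parse_line, lines)):
        ip, path, status = parsed
        stats[ip]["requests"] += 1
        stats[ip]["paths"].add(path)
        stats[ip]["not_found"] += int(status == 404)
    return stats


def flag_scanners(lines, min_requests=5, min_distinct_paths=5, max_hit_ratio=0.5):
    """Flag clients that probe many distinct paths and mostly get 404s.

    The thresholds are assumed starting points (not from the article); tune
    them against a baseline of normal traffic before alerting on them.
    """
    flagged = []
    for ip, s in sorted(summarize_clients(lines).items()):
        hit_ratio = 1 - s["not_found"] / s["requests"]  # share of requests that found a page
        if (s["requests"] >= min_requests and len(s["paths"]) >= min_distinct_paths
                and hit_ratio <= max_hit_ratio):
            flagged.append((ip, s["requests"], len(s["paths"]), round(hit_ratio, 2)))
    return flagged
```

Running `flag_scanners(SAMPLE_LOG)` reports only the second client, whose five requests to five different paths produced four 404s; the first client's two successful requests stay below every threshold.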

How can you catch zero-day attacks?

There are several relatively easy things you can do to intercept attacks:

  • Keep all software up-to-date so you have the latest versions with patches for any security holes

  • Use only the applications and programs you actually need, because the more software you have, the greater the risk that a hacker can find a hole in one of them

  • Use a firewall - firewalls protect your software and the browsers you use.

  • Educate staff about malware and hackers - if you and your business become more aware of potential dangers, you’ll know what to look for if the worst happens.

  • Use anti-virus software, because just like firewalls, anti-virus programs protect you and your software from hackers and viruses.

Zero-day attack mitigation involves continuous monitoring and quick responses to vulnerabilities, including timely updates and virtual patching to protect against zero-day threats.

Examples of zero-day attacks

Real-world examples of zero-day attacks highlight the significant impact these threats can have:

  • Stuxnet: This highly sophisticated computer worm was designed to target industrial control systems, particularly those used in Iran’s nuclear program. Stuxnet exploited multiple zero-day vulnerabilities to infiltrate and damage centrifuges, significantly disrupting Iran’s nuclear activities. Dive into the story of Stuxnet and how it became one of the most infamous cyber weapons in history.

  • WannaCry: This ransomware attack exploited a zero-day vulnerability in Windows operating systems, spreading rapidly and affecting over 200,000 computers worldwide. WannaCry encrypted users’ data and demanded ransom payments in cryptocurrency, causing widespread disruption and financial loss.

  • NotPetya: Another ransomware attack, NotPetya exploited a zero-day vulnerability in Windows operating systems. Unlike typical ransomware, NotPetya was designed to cause maximum damage, rendering data irrecoverable and causing significant operational disruptions for businesses and organizations globally.

  • MOVEit transfer zero-day attack: A zero-day vulnerability in MOVEit Transfer software was exploited by a Russian ransomware ring, affecting hundreds of organizations. This attack underscored the importance of securing file transfer systems and promptly addressing vulnerabilities.

These examples illustrate the diverse ways in which zero-day vulnerabilities can be exploited and the far-reaching consequences of such attacks.

Preventing zero-day attacks

Preventing zero-day attacks requires a multi-layered approach that combines technology, processes, and user education:

  • Keeping software up-to-date: Regularly updating software and operating systems ensures that known vulnerabilities are patched. This reduces the risk of zero-day attacks by closing security gaps as soon as they are discovered.

  • Implementing security patches: Quickly applying security patches and software upgrades is critical to reducing the window of opportunity for attackers. Organizations should have a robust patch management process in place to ensure timely updates.

  • Using endpoint protection: Implementing endpoint protection solutions can help detect and block zero-day threats. These solutions use advanced techniques, such as behavioral analysis and machine learning, to identify and mitigate suspicious activities.

  • Educating users: Educating users about the risks of zero-day attacks and the importance of safe computing practices is essential. Users should be trained to recognize phishing attempts, avoid suspicious links, and report any unusual activity.

By implementing these precautionary strategies, organizations can greatly minimize their risk of zero-day threats.

Mitigating zero-day vulnerabilities

Mitigating zero-day vulnerabilities requires a proactive and comprehensive approach:

  1. Vulnerability scanning: Regularly scanning systems and networks for potential vulnerabilities helps identify and address security gaps before they can be exploited. Automated vulnerability scanners can provide continuous monitoring and alert administrators to new threats.

  2. Penetration testing: Conducting penetration testing simulates real-world attacks to identify vulnerabilities and weaknesses in systems. This helps organizations understand their security posture and take corrective actions to strengthen defenses.

  3. Input validation and sanitization: Implementing input validation and sanitization prevents malicious inputs from reaching vulnerable systems. By ensuring that only valid and expected data is processed, organizations can reduce the risk of exploitation.

  4. Runtime application self-protection (RASP): RASP solutions can detect and block zero-day threats in real-time by monitoring application behavior and intercepting malicious activities. This adds an additional layer of security to protect against unknown vulnerabilities.

Proactively addressing potential vulnerabilities helps mitigate the risk of zero-day attacks and enhances overall security.

Best practices for zero-day protection

Adopting best practices for zero-day protection can help organizations stay ahead of emerging threats:

  1. Implementing a zero-day initiative: Establishing a program to reward security researchers for responsibly disclosing vulnerabilities encourages the discovery and reporting of zero-day vulnerabilities. This helps vendors address security flaws before they can be exploited.

  2. Using AI-based malware detection: Implementing AI-based malware detection solutions can detect and block zero-day threats by analyzing patterns and behaviors. These advanced systems can identify anomalies that traditional security measures might miss.

  3. Deploying a web application firewall (WAF): Deploying a WAF helps filter and verify incoming traffic, blocking malicious inputs and protecting web applications from zero-day exploits. A WAF can provide an additional layer of defense against web-based attacks.

  4. Conducting regular security audits: Regular security audits help identify vulnerabilities and weaknesses in systems and processes. By continuously assessing and improving security measures, organizations can better protect against zero-day threats.

By following these best practices, organizations can enhance their defenses and reduce the risk of zero-day attacks.

This post has been updated on 03-02-2025 by Sarah Krarup.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
