
What are Zero-Day Attacks, Exploits and Vulnerabilities?

by ImmuneBytes

A zero-day exploit refers to a cyberattack that takes advantage of a software vulnerability that is unknown to the vendor or developers of the affected software. This means that the vulnerability is “zero-day” because the developers have had zero days to fix it or release a patch before the exploit is utilized by malicious actors.

How Do Zero-Day Exploits Work?

Zero-day exploits generally unfold in three stages:

  1. Discovery: A security researcher or a malicious hacker discovers a vulnerability in the software. This vulnerability could be related to an application, operating system, browser, or any other software component.
  2. Exploit Development: The discoverer then creates a specific piece of code called an “exploit” that takes advantage of the vulnerability to gain unauthorized access, execute malicious code, or perform other malicious actions on the affected system.
  3. Attack: The attacker uses the zero-day exploit to target systems that have not yet been patched for the vulnerability. Since there is no known fix, the attack can be highly effective until a security patch is released.

How Do Zero-Day Vulnerabilities Occur?

A zero-day vulnerability refers to a software flaw that attackers discover before the vendor becomes aware of it. Since vendors are unaware, there is no available patch to fix these vulnerabilities, making successful attacks highly probable. 

In such cases, attackers have the advantage of exploiting the vulnerability before any defense measures can be put in place.

These are some of the common ways zero-day vulnerabilities creep in:

Coding Errors

Even the most skilled developers can inadvertently introduce coding errors that expose the code to exploitation. For example, neglecting proper input validation can create vulnerabilities that let attackers inject malicious code into the system.

Similarly, mistakes in memory allocation or data handling could result in data corruption or leaks, further compromising the software’s security and integrity. Vigilance and adherence to secure coding practices are essential to minimize the risk of such errors and enhance the overall robustness of the codebase.
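As an added illustration of the input-validation point (example code written for this article, not taken from any project it mentions), the snippet below puts a deliberately vulnerable command builder beside a hardened one. The scenario, a maintenance tool that pings a user-supplied host, and all function names are constructed for the example.

```python
import re

# Constructed example: a maintenance tool that pings a host supplied by the user.
# The two builders differ only in how they treat that untrusted value.


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable form: the untrusted value is spliced into a shell command
    string, so anything the shell treats as syntax (';', '&&', '|', '$(...)')
    is obeyed if this string is ever handed to a shell."""
    return "ping -c 1 " + host


# Allow-list for RFC 1123 host names: labels of letters, digits and hyphens,
# joined by dots. Nothing else gets through, so shell syntax cannot appear.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_COUNT_RE = re.compile(r"[0-9]+")


def is_acceptable_hostname(host: str) -> bool:
    """True only if the value is a syntactically valid host name of sane length."""
    return 1 <= len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def validate_hostname(host: str) -> str:
    """Return the host name unchanged if it matches the allow-list, else raise."""
    if not is_acceptable_hostname(host):
        raise ValueError(f"rejected host name: {host!r}")
    return host


def validate_count(count: str, upper: int = 10) -> int:
    """The echo-request count must be a small positive integer: no '-' flags,
    no unbounded loops, no non-ASCII digits that int() would reject."""
    if _COUNT_RE.fullmatch(count) is None or not 1 <= int(count) <= upper:
        raise ValueError(f"rejected count: {count!r}")
    return int(count)


def build_ping_command_safe(host: str, count: str = "1") -> list[str]:
    """Hardened form: every field is checked against an allow-list and the
    result is an argv list, which a caller passes to the program without a
    shell (e.g. subprocess.run(argv)), so it can never be parsed as syntax."""
    return ["ping", "-c", str(validate_count(count)), validate_hostname(host)]
```

The important difference is not the regex but the combination: reject anything outside the expected grammar, and keep data out of the code path (an argv list, not a command string) so that even a validation slip cannot become command execution.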

Absence of Code Review

In open-source codebases, peer reviews play a crucial role in detecting and resolving issues within the code. Unfortunately, without a stringent review process, security gaps may arise, offering opportunities for attackers to exploit vulnerabilities.

Furthermore, when inexperienced developers make changes without fully comprehending the ramifications of their modifications, they can unwittingly introduce new vulnerabilities.

A robust code review system is essential to ensure a higher level of security and code quality, empowering developers to collaboratively identify and rectify potential weaknesses, bolstering the overall resilience of the software.

Forked Code

Forking is a common practice in the open-source community where developers create a new project by modifying an existing codebase. While forking is encouraged, it can lead to vulnerabilities if the developers overlook integrating security updates or make improper changes.

If a forked project gains popularity, it might attract the attention of attackers who exploit its potential vulnerabilities. Therefore, it is crucial for developers involved in forking to maintain a vigilant approach towards security, regularly incorporating updates and adhering to best practices to ensure the safety and reliability of their projects.

Software Dependencies

Numerous open-source projects rely on third-party libraries and frameworks to operate efficiently. While these dependencies can streamline development and save time, they also pose potential risks if they contain flaws or are not updated.

Vulnerabilities in these dependencies can be exploited by attackers to gain unauthorized access to sensitive data or compromise the integrity of the blockchain system. Therefore, it is imperative for developers to regularly update and audit their dependencies, ensuring they stay secure and minimize potential vulnerabilities in their software.
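The dependency audit the paragraph calls for can be automated. The example below is added here (it is not code from the article or from any project it names): it parses a pinned lockfile and compares each pin against an advisory list. The advisory feed and lockfile are constructed; the affected Vyper versions are the ones this article names later, while the fix version `0.3.1` and the package `example-lib` are assumptions for the example, not values taken from the page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first version that is no longer affected


# Constructed advisory feed. The Vyper versions are the ones named in this article;
# the fix version is an assumption for the example (check the vendor advisory in real
# use), and 'example-lib' is a placeholder package.
ADVISORIES = (
    Advisory("vyper", introduced="0.2.15", fixed_in="0.3.1"),
    Advisory("example-lib", introduced="1.4.0", fixed_in="1.4.2"),
)

# Constructed lockfile in pip requirements style.
SAMPLE_LOCKFILE = """\
# pinned build inputs
vyper==0.2.15
web3==6.0.0
example-lib==1.4.2   # already on the fixed release
"""


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key: '0.3.1' -> (0, 3, 1). A non-numeric component
    (e.g. 'b1') counts as 0, a deliberate, conservative simplification."""
    parts = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_lockfile(text: str) -> dict[str, str]:
    """Read 'name==version' lines; comments and blank lines are ignored.
    An unpinned requirement cannot be audited, so the parser fails closed."""
    pins: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """Affected if introduced <= version < fixed_in (half-open range)."""
    v = version_key(version)
    return version_key(adv.introduced) <= v < version_key(adv.fixed_in)


def audit(pins: dict[str, str], advisories=ADVISORIES) -> list[tuple[str, str, str]]:
    """Return (package, pinned version, fixed_in) for every vulnerable pin."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is not None and is_affected(pinned, adv):
            findings.append((adv.package, pinned, adv.fixed_in))
    return findings


if __name__ == "__main__":
    for package, pinned, fixed_in in audit(parse_lockfile(SAMPLE_LOCKFILE)):
        print(f"{package}=={pinned} is affected; upgrade to >= {fixed_in}")
```

Two design choices matter here: the lockfile must be fully pinned (anything else is rejected rather than skipped), and the affected range is half-open so a project sitting exactly on the fix release is reported clean. Real version schemes have pre-release and post-release tags that this key ignores; a production tool should use a proper version parser.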

Social Engineering

Regardless of the codebase’s technical robustness, attackers can leverage human vulnerabilities to gain unauthorized access to a system. For instance, they may employ phishing attacks to deceive users and obtain their login credentials or manipulate developers into unwittingly introducing malicious code into the system. 

Recognizing and defending against social engineering tactics is critical in maintaining a strong security posture, as it complements the technical measures in safeguarding the system against unauthorized access and potential harm. Educating users and developers about the risks associated with social engineering is essential to enhance overall cybersecurity awareness and resilience.

Zero-Day Exploits in Cryptocurrency

Cryptocurrencies and their underlying technologies are continually evolving, and security researchers and malicious actors are constantly looking for vulnerabilities to exploit. 

Zero-day exploits may emerge in various aspects of the cryptocurrency ecosystem, including:

  • Smart Contracts: Zero-day exploits in smart contracts on blockchain platforms can be particularly dangerous as they could lead to the manipulation or theft of digital assets stored in decentralized applications (DApps).
  • Blockchain Consensus Mechanisms: Vulnerabilities in the consensus algorithms of blockchains could lead to various attacks, such as 51% attacks or double-spending.
  • Exchange Platforms: Zero-day exploits in cryptocurrency exchanges could allow attackers to steal digital assets, manipulate prices, or disrupt trading activities.
  • Decentralized Finance (DeFi) Applications: Vulnerabilities in DeFi protocols can result in the loss of funds, the manipulation of token prices, and other financial losses for users.
  • Network Layer: Exploiting vulnerabilities in the peer-to-peer network layer of blockchain systems might enable attackers to carry out attacks like denial-of-service (DoS) or eclipse attacks.

How to Identify Zero-Day Attacks and Tackle Them?

Identifying zero-day attacks can be challenging since these exploits target undisclosed vulnerabilities in software that are not yet known to the vendor or public. However, several strategies and tools can help in detecting and mitigating zero-day attacks:

  • Behavior-based anomaly detection: Implementing advanced security solutions that use machine learning and behavioral analysis can help identify abnormal patterns and activities on the network or within the software. These anomalies may indicate a potential zero-day attack.
  • Network monitoring: Continuously monitoring network traffic and analyzing logs can reveal suspicious activities, such as unusual data transfers or connections to known malicious domains.
  • Intrusion detection/prevention systems (IDS/IPS): IDS/IPS tools can help in detecting and blocking known attack patterns, and some solutions may include features to identify previously unknown threats based on behavior.
  • Endpoint protection: Deploying endpoint security solutions that utilize heuristic and behavioral analysis can help identify suspicious activities on individual devices.
  • Sandboxing: Running potentially risky files or software in a virtualized environment (sandbox) can help observe their behavior without risking the system’s security.
  • Security research and threat intelligence: Staying updated with the latest security research and threat intelligence feeds can provide insights into emerging zero-day vulnerabilities and potential attack vectors.
  • Bug bounty programs: Running a bug bounty program allows security researchers to report vulnerabilities responsibly, potentially identifying zero-day flaws before malicious actors do.
  • Employee training and awareness: Educating employees about the risks of phishing attacks and social engineering can prevent attackers from gaining access to the network through human weaknesses.
  • Patch management: Promptly applying software updates and patches from vendors can help protect against known vulnerabilities, reducing the window of opportunity for attackers to exploit zero-day vulnerabilities.
  • Collaboration and information sharing: Engaging with cybersecurity communities, industry groups, and government agencies can help organizations receive early warnings about zero-day threats and share best practices in defense.
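To make the first two items concrete (behaviour-based anomaly detection and network monitoring against a threat-intelligence feed), here is an added example, written for this article rather than taken from any product: a small detector that runs over constructed outbound-connection log lines. It raises an alert when a host talks to a domain on a constructed block list, and when a host's transfer volume deviates from that host's own baseline by more than a z-score threshold. The log format, the domains and the thresholds are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample: "<timestamp> <host> <destination domain> <bytes sent>" per line.
SAMPLE_LOGS = """\
2023-07-30T10:00:01Z host-a api.example.internal 4096
2023-07-30T10:00:07Z host-b api.example.internal 2048
2023-07-30T10:00:30Z host-c api.example.internal 3000
2023-07-30T10:01:01Z host-a api.example.internal 4100
2023-07-30T10:01:12Z host-b api.example.internal 2100
2023-07-30T10:01:40Z host-c api.example.internal 3200
2023-07-30T10:02:01Z host-a api.example.internal 4110
2023-07-30T10:02:15Z host-b api.example.internal 2000
2023-07-30T10:02:42Z host-c api.example.internal 2900
2023-07-30T10:03:01Z host-a api.example.internal 4105
2023-07-30T10:03:50Z host-c api.example.internal 3100
2023-07-30T10:04:01Z host-a api.example.internal 4098
2023-07-30T10:05:00Z host-c updates.vendor.example 120000000
2023-07-30T10:06:00Z host-b cdn.bad-example.test 2048
"""

# Constructed threat-intelligence feed (placeholder domain, not a real indicator).
KNOWN_BAD_DOMAINS = {"cdn.bad-example.test"}


def parse_logs(text: str) -> list[dict]:
    """Turn the whitespace-separated lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, size = line.split()
        events.append({"ts": ts, "host": host, "domain": domain, "bytes": int(size)})
    return events


def detect(events: list[dict], z_threshold: float = 3.0, min_history: int = 3) -> list[tuple[str, str, str]]:
    """Return (host, rule, domain) alerts, in event order.

    Rule 1 (signature-style): destination is on the block list.
    Rule 2 (behavioural): bytes sent exceed the host's own baseline by more than
    z_threshold standard deviations. A baseline needs min_history clean events,
    and outliers are not fed back into it, so one spike cannot poison the baseline."""
    alerts = []
    history: dict[str, list[int]] = defaultdict(list)
    for ev in events:
        host, domain, size = ev["host"], ev["domain"], ev["bytes"]
        if domain in KNOWN_BAD_DOMAINS:
            alerts.append((host, "known-bad-domain", domain))
        prior = history[host]
        is_outlier = False
        if len(prior) >= min_history:
            mean = statistics.fmean(prior)
            spread = statistics.pstdev(prior)
            if spread == 0:
                is_outlier = size > 10 * mean          # flat baseline: fall back to a ratio
            else:
                is_outlier = (size - mean) / spread > z_threshold
        if is_outlier:
            alerts.append((host, "volume-outlier", domain))
        else:
            prior.append(size)
    return alerts


if __name__ == "__main__":
    for host, rule, domain in detect(parse_logs(SAMPLE_LOGS)):
        print(f"ALERT {rule}: {host} -> {domain}")
```

Note the two caveats a practitioner hits immediately: the behavioural rule is silent until each host has a baseline (the first few events of any new host are never flagged), and a baseline this short is noisy, so real deployments use longer windows and per-destination or per-time-of-day baselines to keep the false-positive rate down.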

Zero-Day Exploit Incidents in the Crypto World

July 2023 – Curve Finance

In July 2023, many stable pools on the DeFi protocol Curve Finance, along with Web3 projects built on the Ethereum and Binance blockchains, were hit by a zero-day exploit and lost ~$52M.

Vyper, a popular programming language for writing Ethereum smart contracts, had a bug in versions 0.2.15, 0.2.16, and 0.3.0 that made its reentrancy guard fail in contracts built with those versions.

Because of this reentrancy-guard failure, the liquidity pools of @AlchemixFi, @JPEGd_69, MetronomeDAO, @DebridgeFinance and @Ellipsisfi, the Curve CRV-ETH pool, and many Curve Finance stable pools were exploited, losing crypto assets worth ~$52M. All of them were using Vyper version 0.2.15.

Curve Finance operated 232 different pools at the time of the exploit, and an estimated ~$100M worth of crypto could have been at risk from this vulnerability.
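What "failure of the reentrancy guard" means in practice is easiest to see with a regression test a project could keep in its own suite. The following is an added example in Python, not Vyper code and not code from Curve or any project above: a toy pool with two functions that share one lock key, a deliberately flawed guard that gives each function its own lock slot beside a correct guard that shares the slot, and a check that a recipient contract cannot re-enter a second guarded function while the first is mid-call. The per-function-slot mechanism is an assumption modelled for the example; the article only states that the guard failed.

```python
class ReentrancyDetected(Exception):
    """Raised when a guarded function is entered while its lock is held."""


class Pool:
    """Constructed toy pool: users hold shares, the pool holds matching ETH."""

    def __init__(self, shared_lock_slot: bool):
        self.shares: dict[str, int] = {}
        self.eth_held = 0
        self.locks: dict[tuple, bool] = {}
        # True  -> every function using key "lock" reads and writes ONE slot (correct).
        # False -> each function gets its own slot for the same key, so a lock held in
        #          withdraw() is invisible to transfer_shares(); assumed model of the bug.
        self.shared_lock_slot = shared_lock_slot

    def _slot(self, key: str, fn_name: str) -> tuple:
        return (key,) if self.shared_lock_slot else (key, fn_name)

    def _acquire(self, key: str, fn_name: str) -> None:
        slot = self._slot(key, fn_name)
        if self.locks.get(slot):
            raise ReentrancyDetected(f"{fn_name} re-entered while {key} is held")
        self.locks[slot] = True

    def _release(self, key: str, fn_name: str) -> None:
        self.locks[self._slot(key, fn_name)] = False

    def deposit(self, user: str, amount: int) -> None:
        self.shares[user] = self.shares.get(user, 0) + amount
        self.eth_held += amount

    def withdraw(self, user: str, amount: int, recipient) -> None:
        """Send ETH, then burn shares. `recipient` is a callable standing in for
        the external call that hands control to the receiving contract."""
        self._acquire("lock", "withdraw")
        try:
            if self.shares.get(user, 0) < amount:
                raise ValueError("insufficient shares")
            self.eth_held -= amount
            recipient(self)                 # interaction happens before the effect...
            self.shares[user] -= amount     # ...so correctness rests entirely on the lock
        finally:
            self._release("lock", "withdraw")

    def transfer_shares(self, src: str, dst: str, amount: int) -> None:
        self._acquire("lock", "transfer_shares")
        try:
            if self.shares.get(src, 0) < amount:
                raise ValueError("insufficient shares")
            self.shares[src] -= amount
            self.shares[dst] = self.shares.get(dst, 0) + amount
        finally:
            self._release("lock", "transfer_shares")

    def invariant_holds(self) -> bool:
        """Accounting invariant: no negative balances, every share backed by ETH."""
        return (all(v >= 0 for v in self.shares.values())
                and sum(self.shares.values()) == self.eth_held)


def cross_function_reentrancy_check(shared_lock_slot: bool) -> tuple[bool, bool]:
    """Regression test for the guard: while withdraw() is mid-call, the recipient
    re-enters a *different* function that uses the same lock key.
    Returns (reentry_blocked, invariant_holds); both must be True to pass."""
    pool = Pool(shared_lock_slot)
    pool.deposit("alice", 100)
    pool.deposit("bob", 100)
    blocked = False

    def reentering_recipient(p: Pool) -> None:
        nonlocal blocked
        try:
            p.transfer_shares("alice", "carol", 100)   # alice's shares are not burned yet
        except ReentrancyDetected:
            blocked = True

    pool.withdraw("alice", 100, reentering_recipient)
    return blocked, pool.invariant_holds()


if __name__ == "__main__":
    print("shared slot  :", cross_function_reentrancy_check(True))
    print("per-function :", cross_function_reentrancy_check(False))
```

With the shared slot the re-entry is refused and the books balance; with per-function slots the second function runs inside the first and the invariant breaks. The broader lesson for auditors is that a guard supplied by the toolchain is still a dependency to test, and that ordering state updates before the external call (checks-effects-interactions) would have removed the reliance on the lock altogether.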

March 2023 – 280 Blockchains, Including Dogecoin, Litecoin, and Zcash

In March 2023, a cybersecurity firm published a report stating that more than 280 blockchains were at risk of exploitation due to a critical vulnerability dubbed Rab13s.

This list of 280 blockchains included prominent names such as Dogecoin, Litecoin, and Zcash.

Most of these blockchains were not even aware of the existence of these potential zero-day vulnerabilities. It is believed crypto assets worth in excess of $25B were at risk. 

As per the published report, the discovered vulnerabilities had existed since March 2022, and one of them was critical enough that exploiting it could shut down individual nodes simply by sending them malicious consensus messages.

Worse, over time this vulnerability would also have exposed these blockchains to 51% attacks, giving exploiters the power either to fork the blockchain or to shut it down completely.

Another potent vulnerability could shut blockchains down by using Remote Procedure Call (RPC) requests.

March 2023 – General Bytes

In March 2023, General Bytes, a well-known manufacturer of Bitcoin ATMs (BATMs), suffered a zero-day exploit and lost 56 Bitcoins worth $1.6M.

The vulnerability existed in the master service interface used by the terminals to upload videos.

Using this vulnerability, the hackers remotely uploaded their own Java application via the master service interface and executed it with ‘BATM’ user privileges by creating a new default admin user account.

It took General Bytes 15 hours to implement the security patch. They had previously been hit by another zero-day exploit in August 2021.

July 2017 – Multi-Signature Wallets

In July 2017, the smart contract platform Parity fell victim to an exploit leveraging a zero-day vulnerability, which allowed hackers to steal over $30 million worth of ETH. The attack was specifically directed at multi-signature wallets that held Ether.

Although the exploit was identified on June 27, it went undetected until August 22. The vulnerability originated from the Parity Wallet’s failure to adequately verify whether the wallet’s owner(s) had the proper authorization to withdraw funds. Consequently, the attacker could execute transactions from any multi-sig Parity wallet without requiring permission, leading to significant theft.
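The control that failed here, verifying that whoever moves funds is an authorized owner and that enough owners agree, is worth seeing written down. The example below is added for this article and is not Parity's code: a Python model of an m-of-n wallet with a flawed variant whose owner set can be rewritten after deployment, beside a hardened variant that sets owners exactly once and enforces the confirmation threshold on every withdrawal. The re-initialisation flaw is an assumption chosen to illustrate the authorization failure the article describes; the names, amounts and threshold are constructed.

```python
class AuthorizationError(Exception):
    """Raised when a caller lacks the right to perform an action."""


class MultiSigWallet:
    """Constructed m-of-n wallet model (not Parity's code).

    guard_initialisation=False models the flaw: init_wallet() can be called
    again after deployment, so the owner set (and therefore who passes the
    withdraw checks) can be replaced. True is the hardened form."""

    def __init__(self, guard_initialisation: bool):
        self.guard_initialisation = guard_initialisation
        self.initialised = False
        self.owners: frozenset[str] = frozenset()
        self.required = 0
        self.balance = 0

    def init_wallet(self, owners, required: int) -> None:
        if self.guard_initialisation and self.initialised:
            raise AuthorizationError("owners can only be set once")
        owners = frozenset(owners)
        if not owners or not 1 <= required <= len(owners):
            raise ValueError("threshold must lie between 1 and the number of owners")
        self.owners, self.required, self.initialised = owners, required, True

    def deposit(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.balance += amount
        return self.balance

    def _authorise(self, caller: str, confirmations) -> None:
        """Caller must be an owner, and `required` distinct owners (caller included)
        must confirm. Non-owner confirmations are ignored, not counted."""
        if caller not in self.owners:
            raise AuthorizationError(f"{caller} is not an owner")
        approvals = {c for c in confirmations if c in self.owners} | {caller}
        if len(approvals) < self.required:
            raise AuthorizationError(f"{len(approvals)} of {self.required} confirmations")

    def is_authorised(self, caller: str, confirmations) -> bool:
        try:
            self._authorise(caller, confirmations)
            return True
        except AuthorizationError:
            return False

    def withdraw(self, caller: str, to: str, amount: int, confirmations) -> int:
        """Release funds only after the authorization check and a balance check."""
        self._authorise(caller, confirmations)
        if not 0 < amount <= self.balance:
            raise ValueError("amount exceeds balance")
        self.balance -= amount
        return self.balance


def reinitialisation_attempt(guard_initialisation: bool) -> tuple[bool, set[str]]:
    """Scenario: a funded 2-of-3 wallet owned by alice, bob and carol; an
    unrelated party calls init_wallet again. Returns (rejected, owners afterwards)."""
    w = MultiSigWallet(guard_initialisation)
    w.init_wallet(["alice", "bob", "carol"], required=2)
    w.deposit(1_000)
    try:
        w.init_wallet(["mallory"], required=1)
        rejected = False
    except AuthorizationError:
        rejected = True
    return rejected, set(w.owners)


if __name__ == "__main__":
    print("hardened:", reinitialisation_attempt(True))
    print("flawed  :", reinitialisation_attempt(False))
```

The point of the model is that the threshold check in `withdraw` is only as strong as the integrity of the owner set it consults: if the owner set can be changed by an unauthorized party, every later authorization check passes for that party, which is why initialisation and ownership changes need the same (or stricter) authorization as withdrawals.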

December 2017 – CryptoKitties

In December 2017, a programming error in the game CryptoKitties resulted in hackers successfully stealing approximately $17 million worth of ETH within a span of just two days. The attack was enabled by a flaw in the system that allowed users to transfer funds to other accounts they owned. However, the game failed to implement checks to verify whether the recipient genuinely owned both accounts, leading to the unauthorized transfer of funds to the attackers.

April 2018 – Myetherwallet.com

In April 2018, MyEtherWallet.com experienced a compromise through a zero-day exploit, resulting in the loss of approximately $150,000 worth of ETH. The attackers were able to exploit a bug on the website, which granted them access to modify the balances of specific addresses, leading to the unauthorized transfer of funds. Though not as severe as the previous cases, the incident raised concerns about the security of the platform.

Zero-Day Exploit Incidents in the Cyberworld

Some historical examples of zero-day exploits that have been reported in the past:

2017 – WannaCry

This ransomware exploited a vulnerability in the Microsoft Windows operating system, known as EternalBlue, which allowed it to spread rapidly across networks. It affected hundreds of thousands of computers worldwide.

2010 – Stuxnet

Stuxnet was a highly sophisticated worm that targeted industrial control systems. It exploited multiple zero-day vulnerabilities to infect and disrupt Iran’s nuclear program.

2014 – Heartbleed

Heartbleed was a serious vulnerability in the OpenSSL cryptographic software library used to secure many websites. It allowed attackers to read sensitive information from the memory of the affected systems.

2017 – Petya/NotPetya

This ransomware spread through a Windows SMB (Server Message Block) vulnerability called EternalBlue, similar to WannaCry. It caused significant damage to organizations globally.

2018 – Meltdown and Spectre

These were a pair of critical vulnerabilities found in modern computer processors. They allowed attackers to access sensitive data from other processes running on the same machine.

2020 – Internet Explorer Zero-Day

In early 2020, Microsoft issued an emergency security update to fix a zero-day vulnerability in Internet Explorer. The flaw allowed attackers to execute arbitrary code on the victim’s system.

2021 – Google Chrome Zero-Day

In 2021, the Chrome browser encountered a chain of zero-day vulnerabilities, prompting the release of updates to address them. The vulnerabilities originated in the V8 JavaScript engine, the component the browser uses to run JavaScript in web content.

2020 – Zoom

In 2020, a critical vulnerability was discovered in the widely used video conferencing platform, Zoom. This zero-day attack scenario allowed hackers to remotely access a user’s PC, specifically if the user was running an older version of Windows. In cases where the targeted user had administrator privileges, the attacker could gain complete control over their machine and access all their files.

Conclusion

Despite adopting security measures, it is essential to understand that zero-day exploits can still be challenging to prevent entirely. Organizations should adopt a multi-layered approach to cybersecurity and be prepared to respond swiftly and effectively if they become a victim of a zero-day attack.
