Post

Meow's CyberAttack - Application/Server Attacks - Zero-Day Exploits

Posted
By Grace L
4 min read

book:

  • S+ 7th ch9
  • New S+ ch5

Meow’s CyberAttack - Application/Server Attacks - Zero-Day Exploits

Zero-Day Exploits

  • When a hole is found in a web browser / software and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to-two-day response time that many software providers need to put out a patch once the hole has been found)

  • a vulnerability or bug that is unknown to trusted sources

    (operating system and antivirus vendors.)

  • attack exploits a vulnerability before it is generally known to the public and, usually, before patches for the vulnerability have been announced and distributed.

  • Operating system vendors write and release patches once they know about them,
    • but until the vendors know about them, the vulnerability remains.
  • difficult to respond to a zero-day exploit.
    • If attackers learn of the weakness the same day as the developer,
    • then they have the ability to exploit it until a patch is released.

Example

  • the Heartbleed vulnerability: existed for a couple of years before it was widely published. Up until the time that OpenSSL developers released a fix, everyone using it was vulnerable.

News

Stuxnet

Stuxnet: using a total of four zero-day vulnerabilities to spread

Stuxnet

  • a great example of the need to protect embedded systems, like SCADA systems.

  • a computer worm designed to attack a specific embedded system used in one of Iran’s nuclear enrichment facilities.

  • It caused centrifuges to spin fast enough to tear themselves apart and some reports indicated

  • it destroyed as many as 20 percent of these centrifuges.

  • Security expert Roel Schouwenberg completed extensive research on Stuxnet and identified how it operated in six major steps:

  1. Infection. Stuxnet first infected Windows systems through infected USB drives after someone plugged one into the system. One of the architects of Stuxnet reportedly said “…there is always an idiot around who doesn’t think much about the thumb drive in their hand.” Indeed, USB sticks have been the source of many infections.

  2. Search: checks the network of the infected system looking for the targeted system.

  3. Update. If it finds the targeted system, it downloads an updated version of the worm.

  4. Compromise. It then attempts to compromise the targeted system. When first released, Stuxnet took advantage of four zero-day vulnerabilities. Zero-day vulnerabilities are either unknown to the vendor, or the vendor hasn’t released a patch for them yet.

  5. Control. It then sends signals to the systems. A late version of Stuxnet told the systems to spin the centrifuges uncontrollably.

  6. Deceive and destroy. While it was causing the centrifuges to spin out of control, it was sending false data to engineers monitoring the system. Monitoring systems indicated everything was fine.

VDM

  • a bug existed in the virtual DOS machine (VDM)

  • shipped with every version of 32-bit Windows systems from 1993 to 2010.

  • The bug allowed attackers to escalate their privileges to full system level, effectively allowing them to take over the system.

  • Google researcher Tavis Ormandy stated that he reported the bug to Microsoft in mid-2009. At this point, Microsoft (the vendor) knew about the bug, but didn’t release a work-around until January 2010 and a patch until February 2010.

  • Because the bug wasn’t known publicly until January 2010, it remained a zero-day vulnerability until then.

  • Both attackers and security experts looking for new threats, such as zero-day vulnerabilities.

  • Attackers want to learn about them so that they can exploit them.

  • security experts want to know about them so that they can help ensure that vendors patch them before causing damage to users.

  • No matter how great an antivirus company is at identifying new malware, there is always going to be a lag between the time when criminals release the malware and the antivirus company releases new signatures to discover it.

  • This is especially true when attackers are releasing more than 200,000 new variants of malware daily. This includes malware designed to take advantage of zero-day vulnerabilities.

  • users need to practice safe computing habits. can’t depend on the antivirus software and other technical controls to protect them.

solution

Often, the only solution:

  • between the discovery of the exploit and the release of the patch, is to turn off the service.
  • only way to keep the network safe.

Some basic guidelines are:

  • Don’t click on links within emails from unknown sources (no matter how curious you might be).

  • Don’t open attachments from unknown sources . Malware can be embedded into many different files, such as Portable Document Format (PDF) files, Word documents, Zipped (compressed) files, and more.

  • Be wary of free downloads from the Internet . (Trojans entice you with something free, but they include malware.)

  • Limit information you post on social media sites

    . (Criminals use this to answer password reset questions.)

  • Back up

    your data regularly (unless you’re willing to see it disappear forever).

  • Keep your computer up to date with current patches (but beware of zero-day exploits).

  • Keep antivirus software up to date (but don’t depend on it to catch everything).
10CyberAttack
CyberAttack
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.