Zero-day exploits are software vulnerabilities that are not known to developers or anti-virus companies. “Zero-day” represents the number of days the developer has known about the vulnerability. Stuxnet, dubbed as “Operation Olympic Games” was the world’s first digital weapon, which was created to target the Iranian nuclear program; it leveraged zero-day exploits to infect Windows machines. The malicious computer worm was a product of the concerted efforts of NSA, the CIA, and Israeli intelligence. Stuxnet used four zero-day exploits along with vulnerabilities like CPLINK and Conficker worm vulnerability. The Sony Pictures hack and the DNC hack are other popular instances of zero-day attacks.
Uncovering Operation Olympic Games
On 24 June 2010, analysts at the anti-malware firm VirusBlokAda, Sergey Ulasen and Oleg Kupreev, received a request to analyse a rather unusual incident; a set of suspicious files that were causing computers in Iran to enter an endless reboot loop. In a futile attempt, they even considered wiping the entire computer and reinstalling all the software. And yet somehow the files re-infected the system.
Oleg and Sergey analyzed the files and found that file size was too big compared to most viruses. While the size of viruses are usually only 10-15 KB, the size of this compressed file was 500 KB. On decompressing, the file size increased to 1.2 MB which was thought to be unusual for viruses at that time. Once the files were transferred to another computer, the files installed and ran without human intervention. It shocked the analysts that the files did not even set off an alarm or a warning in the system. This is possible only if the worm is bundled with a kernel-level rootkit which allows it to evade detection.
Most viruses exploit the Windows Autorun feature. However, the Stuxnet only included .LINK files that Windows uses to display files and applications as icons. All 4 .LINK files infected every version since Windows 2000. Disabling the Autorun feature had no effect on the Stuxnet. It propagated through flash drives that had genuine digital certificates signed by the Taiwanese Realtek Semiconductor Corp. The worm was designed in such a way as to only infect systems that contained certain software used for automation of machines in the nuclear weapon industry. And if a machine did not contain a specific software, the worm shut down on its own without infecting the system.
On 24 June 2012, Stuxnet stopped working which also halted the further spread of the sophisticated cyber weapon. Self destruction was configured in Stuxnet, but those code files were not found during the investigation.
Other Major Zero-Day Attacks
Here are details of other popular zero-day attacks from the last five years:
Microsoft / CVE-2016-0167
This vulnerability allows local elevation of privilege in the Win32k Windows Graphics Component. A hacker who has achieved RCE could easily exploit this vulnerability to run processes with elevated privileges. An attack that exploited this vulnerability typically began with a spear phishing attack that leveraged multiple Word documents embedded with macros. A malicious downloader, dubbed PUNCHBUGGY, is then executed. The attackers, then, load and execute a POS (point of sale)-scraping malware called PUNCHTRACK.
EternalBlue / CVE-2017-0144
CVE-2017-0144 is a critical RCE vulnerability that when exploited allows an attacker to send specific messages to Microsoft’s SMBv1 server. The exploitation tool EternalBlue was developed by the NSA to exploit CVE-2017-0144 in the SMB protocol. This tool was later leaked in April 2017, which allowed hackers to gain access to other systems in the network. The WannaCry and NotPetya ransomware attacks also famously used EternalBlue.
Adobe / CVE-2018-15982
Attackers used an exploit for this vulnerability, found in the wild, to perform RCE on intended targets. This zero-day enables a malicious Adobe Flash object to execute a code which allows the hacker to gain control of the command line. The Flash object is then embedded in a Word document contained in a WinRAR file, which also includes a jpeg file. When Flash is launched, the jpeg file that contains remote administration tools loads a backdoor in the application.
Apple – Safari – Zoom / CVE-2020-3852
Recently, Ryan Pickren found seven zero-day vulnerabilities in Safari. Some of these zero-days can be used to gain unauthorized access to the cameras on iOS and macOS devices. Apple paid a whopping $75,000 as a bounty to Pickren (approx. ₹54,00,000).
Apps on iOS need permission from the user to access the device’s camera or microphone. However, Apple applications can by default access the camera or the microphone. Thus, by design, Apple’s own browser Safari has permission to use the device’s webcam. A hacker that exploits the vulnerability in Safari only needs to redirect the user to a malicious website, which allows them to directly access the webcam/ microphone.