A Guide to the Most Popular Zero-Day Attacks

A Guide to the Most Popular Zero-Day Attacks

Author image
January 28, 2021
Last Update posted on
February 3, 2024
Keep your web applications secure from vulnerabilities.

A vulnerable web applications can open the door to your critical assets. Stay protected with CloudSEK BeVigil Enterprise Web App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
No items found.

[vc_row][vc_column][vc_column_text]Zero-day exploits are software vulnerabilities that are not known to developers or anti-virus companies. “Zero-day” represents the number of days the developer has known about the vulnerability. Stuxnet, dubbed as “Operation Olympic Games” was the world’s first digital weapon, which was created to target the Iranian nuclear program; it leveraged zero-day exploits to infect Windows machines. The malicious computer worm was a product of the concerted efforts of NSA, the CIA, and Israeli intelligence. Stuxnet used four zero-day exploits along with vulnerabilities like CPLINK and Conficker worm vulnerability. The Sony Pictures hack and the DNC hack are other popular instances of zero-day attacks. 

Uncovering Operation Olympic Games

On 24 June 2010, analysts at the anti-malware firm VirusBlokAda, Sergey Ulasen and Oleg Kupreev, received a request to analyse a rather unusual incident; a set of suspicious files that were causing computers in Iran to enter an endless reboot loop. In a futile attempt, they even considered wiping the entire computer and reinstalling all the software. And yet somehow the files re-infected the system.

Analysis

Oleg and Sergey analyzed the files and found that file size was too big compared to most viruses. While the size of viruses are usually only 10-15 KB, the size of this compressed file was 500 KB. On decompressing, the file size increased to 1.2 MB which was thought to be unusual for viruses at that time. Once the files were transferred to another computer, the files installed and ran without human intervention. It shocked the analysts that the files did not even set off an alarm or a warning in the system. This is possible only if the worm is bundled with a kernel-level rootkit which allows it to evade detection. 

Most viruses exploit the Windows Autorun feature. However, the Stuxnet only included .LINK files that Windows uses to display files and applications as icons. All 4 .LINK files infected every version since Windows 2000. Disabling the Autorun feature had no effect on the Stuxnet. It propagated through flash drives that had genuine digital certificates signed by the Taiwanese Realtek Semiconductor Corp. The worm was designed in such a way as to only infect systems that contained certain software used for automation of machines in the nuclear weapon industry. And if a machine did not contain a specific software, the worm shut down on its own without infecting the system.

On 24 June 2012, Stuxnet stopped working which also halted the further spread of the sophisticated cyber weapon. Self destruction was configured in Stuxnet, but those code files were not found during the investigation. 

 

Other Major Zero-Day Attacks

Here are details of other popular zero-day attacks from the last five years: 

Microsoft / CVE-2016-0167

This vulnerability allows local elevation of privilege in the Win32k Windows Graphics Component. A hacker who has achieved RCE could easily exploit this vulnerability to run processes with elevated privileges. An attack that exploited this vulnerability typically began with a spear phishing attack that leveraged multiple Word documents embedded with macros. A malicious downloader, dubbed PUNCHBUGGY, is then executed. The attackers, then, load and execute a POS (point of sale)-scraping malware called PUNCHTRACK.

EternalBlue / CVE-2017-0144

CVE-2017-0144 is a critical RCE vulnerability that when exploited allows an attacker to send specific messages to Microsoft’s SMBv1 server. The exploitation tool EternalBlue was developed by the NSA to exploit CVE-2017-0144 in the SMB protocol. This tool was later leaked in April 2017, which allowed hackers to gain access to other systems in the network. The WannaCry and NotPetya ransomware attacks also famously used EternalBlue. 

Adobe / CVE-2018-15982

Attackers used an exploit for this vulnerability, found in the wild, to perform RCE on intended targets. This zero-day enables a malicious Adobe Flash object to execute a code which allows the hacker to gain control of the command line. The Flash object is then embedded in a Word document contained in a WinRAR file, which also includes a jpeg file. When Flash is launched, the jpeg file that contains remote administration tools loads a backdoor in the application.

Apple – Safari – Zoom / CVE-2020-3852

Recently, Ryan Pickren found seven zero-day vulnerabilities in Safari. Some of these zero-days can be used to gain unauthorized access to the cameras on iOS and macOS devices. Apple paid a whopping $75,000 as a bounty to Pickren (approx. ₹54,00,000).

Apps on iOS need permission from the user to access the device’s camera or microphone. However, Apple applications can by default access the camera or the microphone. Thus, by design, Apple’s own browser Safari has permission to use the device’s webcam. A hacker that exploits the vulnerability in Safari only needs to redirect the user to a malicious website, which allows them to directly access the webcam/ microphone.[/vc_column_text][/vc_column][/vc_row]

Author

Predict Cyber threats against your organization

Related Posts
Blog Image
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Malware Intelligence

min read

A Guide to the Most Popular Zero-Day Attacks

A Guide to the Most Popular Zero-Day Attacks

Authors
Co-Authors
No items found.

[vc_row][vc_column][vc_column_text]Zero-day exploits are software vulnerabilities that are not known to developers or anti-virus companies. “Zero-day” represents the number of days the developer has known about the vulnerability. Stuxnet, dubbed as “Operation Olympic Games” was the world’s first digital weapon, which was created to target the Iranian nuclear program; it leveraged zero-day exploits to infect Windows machines. The malicious computer worm was a product of the concerted efforts of NSA, the CIA, and Israeli intelligence. Stuxnet used four zero-day exploits along with vulnerabilities like CPLINK and Conficker worm vulnerability. The Sony Pictures hack and the DNC hack are other popular instances of zero-day attacks. 

Uncovering Operation Olympic Games

On 24 June 2010, analysts at the anti-malware firm VirusBlokAda, Sergey Ulasen and Oleg Kupreev, received a request to analyse a rather unusual incident; a set of suspicious files that were causing computers in Iran to enter an endless reboot loop. In a futile attempt, they even considered wiping the entire computer and reinstalling all the software. And yet somehow the files re-infected the system.

Analysis

Oleg and Sergey analyzed the files and found that file size was too big compared to most viruses. While the size of viruses are usually only 10-15 KB, the size of this compressed file was 500 KB. On decompressing, the file size increased to 1.2 MB which was thought to be unusual for viruses at that time. Once the files were transferred to another computer, the files installed and ran without human intervention. It shocked the analysts that the files did not even set off an alarm or a warning in the system. This is possible only if the worm is bundled with a kernel-level rootkit which allows it to evade detection. 

Most viruses exploit the Windows Autorun feature. However, the Stuxnet only included .LINK files that Windows uses to display files and applications as icons. All 4 .LINK files infected every version since Windows 2000. Disabling the Autorun feature had no effect on the Stuxnet. It propagated through flash drives that had genuine digital certificates signed by the Taiwanese Realtek Semiconductor Corp. The worm was designed in such a way as to only infect systems that contained certain software used for automation of machines in the nuclear weapon industry. And if a machine did not contain a specific software, the worm shut down on its own without infecting the system.

On 24 June 2012, Stuxnet stopped working which also halted the further spread of the sophisticated cyber weapon. Self destruction was configured in Stuxnet, but those code files were not found during the investigation. 

 

Other Major Zero-Day Attacks

Here are details of other popular zero-day attacks from the last five years: 

Microsoft / CVE-2016-0167

This vulnerability allows local elevation of privilege in the Win32k Windows Graphics Component. A hacker who has achieved RCE could easily exploit this vulnerability to run processes with elevated privileges. An attack that exploited this vulnerability typically began with a spear phishing attack that leveraged multiple Word documents embedded with macros. A malicious downloader, dubbed PUNCHBUGGY, is then executed. The attackers, then, load and execute a POS (point of sale)-scraping malware called PUNCHTRACK.

EternalBlue / CVE-2017-0144

CVE-2017-0144 is a critical RCE vulnerability that when exploited allows an attacker to send specific messages to Microsoft’s SMBv1 server. The exploitation tool EternalBlue was developed by the NSA to exploit CVE-2017-0144 in the SMB protocol. This tool was later leaked in April 2017, which allowed hackers to gain access to other systems in the network. The WannaCry and NotPetya ransomware attacks also famously used EternalBlue. 

Adobe / CVE-2018-15982

Attackers used an exploit for this vulnerability, found in the wild, to perform RCE on intended targets. This zero-day enables a malicious Adobe Flash object to execute a code which allows the hacker to gain control of the command line. The Flash object is then embedded in a Word document contained in a WinRAR file, which also includes a jpeg file. When Flash is launched, the jpeg file that contains remote administration tools loads a backdoor in the application.

Apple – Safari – Zoom / CVE-2020-3852

Recently, Ryan Pickren found seven zero-day vulnerabilities in Safari. Some of these zero-days can be used to gain unauthorized access to the cameras on iOS and macOS devices. Apple paid a whopping $75,000 as a bounty to Pickren (approx. ₹54,00,000).

Apps on iOS need permission from the user to access the device’s camera or microphone. However, Apple applications can by default access the camera or the microphone. Thus, by design, Apple’s own browser Safari has permission to use the device’s webcam. A hacker that exploits the vulnerability in Safari only needs to redirect the user to a malicious website, which allows them to directly access the webcam/ microphone.[/vc_column_text][/vc_column][/vc_row]