What are zero-day attacks?

VPN
(Image credit: Marcus Spike)

The most dangerous cyber threats are the ones we don’t know about yet. Most cyber defenses rely on already knowing what the attack looks like. This is why zero days are so dangerous: we simply don’t know what they are.

A zero-day attack occurs when hackers exploit a software or hardware vulnerability that is completely unknown to developers and the wider cybersecurity community. Because no one is aware of the flaw, no defense has been developed against it, leaving systems vulnerable. This means that even if you're using top-of-the -line cybersecurity software, like the best VPN or best antivirus, you could still be vulnerable to zero-day attacks. The term "zero-day" refers to the fact that security teams have had zero days to fix or patch the vulnerability.

Zero-day attacks are especially dangerous because they’re often used by advanced hackers or nation-state groups to infiltrate highly secured networks. These attacks can remain undetected for long periods of time, making them extremely difficult to defend against. 

In this article, I’ll explain more about what zero-day attacks are, how they work, and what steps you can take to protect yourself or your business from these hidden threats.

A close-up of a programmer coding on their laptop

(Image credit: Getty Images)

What are zero-day attacks?

A zero-day attack occurs when a hacker takes advantage of a previously unknown vulnerability. These vulnerabilities are weaknesses or flaws in code that allow for unintended actions to take place, like allowing unauthorized access to their networks. Once a hacker identifies a vulnerability, they can exploit it to infiltrate a network, install malware, steal data, or cause other types of damage.

A “zero-day” can actually refer to one of three different closely-related concepts.

Zero-day vulnerabilities

First, there’s the zero-day vulnerability. This refers to the actual flaw in the software or hardware that has not been discovered by developers. Zero-day vulnerabilities can potentially be present in any piece of software and may lie dormant for years, even decades. 

For example, a program present on practically every Linux distribution called Sudo had an undiscovered vulnerability that allowed any user on the system to become and act as an admin. 

It took over ten years before security researchers discovered and patched this vulnerability, and to this day it’s unclear whether it was ever used in the wild.

Zero-day exploits

This brings us nicely along to the concept of zero-day exploits. Zero-day exploits are code engineered by hackers to make a system do something it wouldn't usually do by exploiting its vulnerability. 

This is the hacker’s secret weapon, allowing them to break into systems while flying under the radar. A hacker gang might have a wide variety of zero-day exploits under their belt, ready to use when the moment calls for it. 

These exploits are used to carry out a zero-day attack. In most cases, a zero-day attack is when the public first becomes aware of the vulnerability. Once the attack is discovered, the race begins to fix the vulnerability and prevent further exploits.

Zero-day attacks

Let’s imagine a software program has a bug that allows users to bypass authentication controls that are used to make sure only those with the proper credentials can access a system. This would be considered a vulnerability. If a hacker takes advantage of this bug to gain access to the system without proper credentials, that’s an exploit. The attack comes when the hacker actually uses this exploit to infiltrate a network and steal sensitive data.

To give you a better idea of how damaging a zero-day can be in the real world, let’s look at the MOVEit data breach. MOVEit is a file transfer software used by many businesses to move sensitive data securely. In 2023, hackers discovered a zero-day vulnerability in the software that allowed them to access files held by MOVEit without authorization. They used this flaw to launch ransomware attacks on businesses across a range of sectors, including government agencies, healthcare providers, and financial institutions.

Over 1,000 organizations were compromised by the MOVEit breach, with the number of affected individuals estimated at over 60 million. Clop, the ransomware group behind the attack, extorted millions in ransom payments from victims and the total cost of the breach has been estimated at nearly $10 billion. This makes the MOVEit breach not just the largest of 2023 but one of the most significant ransomware attacks of all time. All of this stemmed from a single zero-day exploit. 

While zero-days are often the domain of intelligence agencies and nation state-backed hacking groups, criminal hacking gangs know very well that zero-days are worth a huge payout if used correctly. There’s a huge underground market for zero-day exploits, which are traded back and forth between hackers in exchange for cash, services, and other exploits. 

Hackers also know that once a zero-day exploit is, well, exploited, it’s used up, so they tend to wait until they can be used for maximum effect. It’s suspected that the MOVEit exploit was developed at least two years before it was deployed, which gave Clop enough time to plan and execute their ransomware crimewave in a way that delivered maximum return on investment.

A person sat at a computer and a tablet, coding

(Image credit: Getty Images)

How can I protect myself from zero-day attacks?

Zero-day attacks are notoriously difficult to defend against. By definition, they involve the unknown. However, there are still steps you can take to minimize your risk and mitigate the damage a zero-day attack can cause:

  • Installing updates ASAP. This should go without saying, but keeping your software up-to-date is crucial. As soon as a vulnerability is discovered and a patch is released, it’s important to apply the update immediately. While a zero-day attack might initially involve a very small set of targets, once the greater security community is made aware of a vulnerability it won’t take very long for hackers to build their own exploits.
  • Keeping up-to-date with emerging threats. Threat intelligence services also allow you to stay informed about the latest emerging threats. These feeds provide real-time data on new vulnerabilities, exploits, and attack techniques, allowing you to reduce the risk you're facing by adjusting your defenses to counter them.
  • Increase overall network defenses. Remember, a zero-day isn’t a skeleton key. It’s a very specific flaw that allows a hacker to step past a particular defense in your system. The more defenses you have up, for example two-factor authentication, or antivirus and antimalware, the more chances you have to stop a hacker in their tracks.
Sam Dawson
VPN and cybersecurity expert

Sam Dawson is a cybersecurity expert who has over four years of experience reviewing security-related software products. He focuses his writing on VPNs and security, previously writing for ProPrivacy before freelancing for Future PLC's brands, including TechRadar. Between running a penetration testing company and finishing a PhD focusing on speculative execution attacks at the University of Kent, he still somehow finds the time to keep an eye on how technology is impacting current affairs.

With contributions from