A flaw in software that is unknown to its creators—and therefore remains unpatched—can be a tremendous opportunity for hackers. Once the flaw becomes known, a patch must be made immediately available to ensure that it cannot be exploited. The software creators have zero days in which to respond.
From an insurance perspective, zero-day cyber attacks can be a serious threat to any organization. A growing concern for companies worldwide, zero-day vulnerabilities should be treated seriously by those underwriting cyber policies.
Unfortunately, hackers have various ingenious ways of finding flaws in software. They may opt not to use one they found themselves, and instead sell it on the black market to others, where prices can go as high as $250,000 according to Forbes.
An attack exploiting this type of vulnerability can be very dangerous because there is no defense: traditional antivirus software and firewalls do not work well as the nature of the attack is unknown beforehand.
Some of the most famous cyber attacks have exploited zero-day vulnerabilities:
Stuxnet (2010)
This unique attack exploited at least three zero-day vulnerabilities that targeted Programmable Logic Controllers (PLCs). It deployed a 500 kilobyte worm that executed all routines related to the attack and infected at least 14 industrial sites in Iran, including a uranium-enrichment plant.
RSA Attack (2011)
A phishing email sent to RSA employees initiated this attack. It exploited an Adobe Flash vulnerability and resulted in confidential information being stolen, including RSA's SecurID token authentication system.
Red October (2012)
Red October was a multifunctional attack platform and an advanced cyber espionage campaign. It targeted routers, switches, mobile phones, and storage devices to steal information from trade, military, aerospace, research, and diplomatic targets. Organizations in Russia, Iran, the U.S., and at least 36 other countries are known to have been victims. Though it was discovered in 2012, it is believed to have been operational worldwide for at least five years prior.
Pawn Storm (2015)
This campaign targeted sensitive, high-profile targets like NATO and U.S. defense organizations, and lured victims to malicious websites using spear-phishing emails. It exploited a Java vulnerability first, and then an Adobe Flash vulnerability, until both were patched.
Recently, Adobe warned of a new Flash zero-day vulnerability that affects all of its versions running on Windows, Mac, and Linux operating systems. Reacting to this flaw, Adobe plans to have a patch available soon. But thanks to the abundance of zero-day opportunities like this, hackers are staying one step ahead.
