Zero Day Vulnerability: The Open Door For Hackers

It is also known as ‘0Day’. ‘Vulnerability’ and ‘Exploit’ are terms used in tandem with 0Day, but there is a difference.

Usually, a vulnerability is discovered before the developers have become aware of it. These attacks will nearly always succeed because there is no patch to fix them.

Exploits are similar, but the developer is already aware of the issue.

The true definition of a zero-day attack is that a hacker abuses an exploit to attack a system affected by a vulnerability.

Still, both Vulnerability and Exploit are used interchangeably, except by researchers.

Vulnerabilities are unfortunately an unavoidable part of software development. Programmers work tirelessly to test their code, and discover any vulnerabilities to fix before release. But due to deadlines, resource restraint, and sometimes human error, vulnerabilities make it to the surface.

From an outsiders perspective it may seem like it is in ineptitude on part of the developers, but this couldn’t be further from the truth. The biggest technology companies you can think of – Microsoft, Google, Apple, Facebook – have all had vulnerabilities and continue to do so, despite employing the finest programmers in the world. Vulnerabilities are simply a fact of life in tech.

When a hacker does take advantage of a vulnerability, or an exploit, the damage can manifest in a number of ways. These are often critical attacks that affect network access, and can allow things like remote code execution. There’s often several stages to these attacks before a vulnerability can be abused, such as gaining a foothold in a target organization by phishing. With that in mind, it is fair to say that many of the devestating 0day attacks that occur can be protected against by simple anti-phishing measures.

Though a vulnerability may be found out and disclosed at launch, it can take weeks and sometimes months for a developer to fix them. Worse yet, many users may not update to the fixed version in time, which leaves them open to attack.

Exploits have monetary value too, and details concerning their implementation are often sold on the dark web.

Spotting vulnerabilities is a skill where the more sets of eyes you have on code, the better. Thus, there are many independent researchers and ‘bug bounty hunters’ out there who find a vulnerability and disclose it to a company, often in return for a monetary reward. Microsoft are known to be the most generous in this regard, and reward up to $100,000 for some categories of bugs.

As you will see later in this article, not all companies are so generous, and some even reject the findings of researchers, leaving themselves open.

In this article, we’ll look at some of the most devestating zero day vulnerabilities that have occured in recent years.

Security Solution Hit With Zero Day Vulnerability

Sophos Firewall recently found itself breached after Chinese hackers used a zero day vulnerability to compromised the software. The attack was done to penetrate cloud-hosted webservices operated by a company and client of Sophos.

The exploit has since been fixed, but hackers continue to abuse unpatched endpoints to bypass authentication. This allows them to run remote code across a number of organizations.

A report was issued by Sophos on March 25th detailing the zero day vulnerability, which was dubbed CVE-2022-1040. The exploit affects the user portal and webadmin section of the Sophos firewall.

Three days following the report, Sophos warned that the bug was being exploited across South Asia.

Cybersecurity researchers at Volexity have done the most extensive research on CVE-2022-1040, as they have been tracking an APT named DriftingCloud, who have been actively abusing the vulnerability.

DriftingCloud used the zero day vulnerability to compromise the Sophos Firewall and install backdoors and malware that would interact with external systems outside of the firewall.

When Volexity began monitoring the APT, the group were actively engaging in attacks which allowed researchers to investigate each step of the campaign.

Volexity noted that the hackers blended its traffic by accessing the webshell through legitimate requests.

“At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes”, researchers said.

Gaining access to the Firewall was just the initial step, and is followed up by a Man-in-the-middle attack.

“This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites’ content management system (CMS)”, Volexity said.

While Sophos have applied hotfixes to address the issue, many firewalls remain unpatched.

Exploit That Disables Wifi

A novel zero day vulnerability has appeared on iOS devices, which is actively being abused by hackers. The bug disables an iPhones wireless functionality by simply connecting to a specific WiFi hotspot.

Once the connection is made, it disables iPhones ability to establish a wifi conecction, even if the phone is rebooted or the WiFi hotspot is renamed.

​This can be exploited by malicious actors who are able to plant rogue WiFi hotspots in popular areas.

The vulnerability has been researched by Carl Schou, a reverse engineer.

On connecting to a wifi named, “%p%s%s%s%s%n”, Schou found that his phones WiFi would be disabled, and everytime he tried to turn it back on it would switch back to off immediately.

“After joining my personal WiFi with the SSID ‘%p%s%s%s%s%n’, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~),” tweeted Schou.

Schou tested the issue on an iPhone XS, running iOS 14.4.2.

Further tests by researchers at BleepingComputer using iOS 14.6 confirmed the issue on a later version.

Exploits like these can be very serious. There is no true financial gain for a threat actor to carry out an attack like this, so it is truly malicious. This is more so the case for younger generations of hackers, who may look on the exploit like a prank.

The issue does not appear on Android devices.

Other researchers in contact with Schou analyed the crash report and believe that an input parsing issue likely causes this bug.

When a string with “%” signs exists in WiFi hotspot names, iOS may be mistakenly interpreting the letters following “%” as string-format specifiers when they are not.

In C and C-style languages, string format specifiers have a special meaning and are processed by the language compiler as a variable name or a command rather than just text.

When Schou was asked why his wifi name was something so complex, he joked that he intentionally does this to mess with “poorly developed devices”

Exploit Leads To Escalated Privileges

VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.

Zero-days are publicly disclosed vulnerabilities not yet patched by the vendor. In some cases, zero-days are also actively exploited in the wild or have publicly available proof-of-concept exploits.

The vulnerability tracked as CVE-2020-4006 is a command injection bug — with a 9.1/10 CVSSv3 severity rating — found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” according to VMware’s advisory.

While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.

The provided workaround applies ONLY to VMware Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector according to VMware.

“Impacts are limited to functionality performed by this service,” VMware adds. “Configurator-managed setting changes will not be possible while the workaround is in place.”

“If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed.”

Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE.

The Cybersecurity and Infrastructure Security Agency (CISA) also urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.

Trio Of Vulnerabilities Hit iOS

Apple recently needed to patch 3 zero-day vulnerabilities which were being exploited on iPhone, IPad, and iPod devices.

In a security advisory that was issued by the company, they stated, “Apple is aware of reports that an exploit for this issue exists in the wild”

Affected devices include: iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, and iPad mini 4 and later.

The exploits were patched out with the release of iOS 14.2.

The bugs are also exploitable on Macs running OSX Catalina, Apple watches running versions prior to watchOS 7.1, and Apple TVs running tvOS versions earlier than 14.2.

Of of the most critical bugs allowed for remote code execution, and is tracked as CVE-2020-27930. It is a trigger by a memory corruption issue.

The second exploit is a kernal memory leak dubbed CVE-2020-27950 . This caused a memory initalization issue that allowed malware to access kernal memory.

The final vulnerability is a kernel privilege escalation flaw – CVE-2020-27932. This allowed malware to execute code with kernel privileges.

The zero day vulnerability was discovered by Project Zero, Googles vulnerability hunting team, and was reported to Apple’s Security team.

“Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director and Google’s Threat Analysis Group. “Not related to any election targeting.”

Zero Day Vulnerability Found in Windows Kernal

Another story coming from Project Zero occured where the team disclosed a zero day vulnerability dealing with a elevation of privileges (EoP) bug, which was found in the Windows kernel. The exploit was actively used in targeted attacks.

The flaw is a pool-based buffer overflow, and is tracked as CVE-2020-17087.

According to Project Zero researchers, Mateusz Jurczyk and Sergei Glazunov, the bug can be exploited by local attackers for privilege escaltion, which includes sandbox escape.

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” the researchers explain.

The researchers were also able to provide a proof-of-concept that can be used to crash vulnerable Windows devices.

The PoC was “tested on an up-to-date build of Windows 10 1903 (64-bit), but the vulnerability is believed to be present since at least Windows 7.”

The zero day vulnerability has since been patched out.

IBM Ignore Research From Zero Day Vulnerability Expert

Four zero day vulnerabilities were discovered in IBM security software and were since disclosed by a separate security researcher, after IBM refused to fix the issues or truly acknowledge the vulnerability report.

The zero days were published on GitHub by Pedro Ribeiro, Director of Research at Agile Information Security. Ribeiro found the bugs in IBM Data Risk Manager (IDRM), a tool used to “uncover, analyze and visualize data-related business risks.”

While examining the tool, Ribeiro discovered an authentication bypass, a command injection, an insecure default password, and an arbitrary file download.

Though these flaws are separately accessed, chaining the first three would allow hackers to remotely excute code as root.

“IDRM is an enterprise security product that handles very sensitive information,” Ribeiro explained.

“The hacking of an IDRM appliance might lead to a full scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.”

“In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public,” he added.

IBM responded to Agile Information Security and refused the vulnerability report, thus the researchers released their findings.

IBM said that they assessed the report and closed it “as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

“This is outlined in our policy https://hackerone.com/ibm,” IBM added. “To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”

Steps To Mitigate the Risk of a Zero Day Vulnerability Attack

Protecting against a zero day vulnerability attack is similar to protecting against malware in general, but there are some differences to.

Chiefly, the most important point is to keep your software updated. This is to ensure that you recieve any patches that fix exploits and vulnerabilities. Updates should be applied to devices – Laptops, desktops, phones, IoT devices – Anything connected to the internet. It should also be applied to all software being used, especially browsers and operating systems, but all software can be effected.

Education is also a key step in protecting against 0Days. Many of these attacks rely on human error. Teach employees and users on your network to keep things updated, and practice good digital hygene.

One of the most critical defensive steps you can take is using a good cybersecurity solution, such as SaferNet. As mentioned previously in this article, many 0Days involve a number of steps, including phishing and other attack vectors, which SaferNet was built to defend against.

A zero day vulnerability attack is one of many aspects. It is crucial that you follow all steps to keep you or your organizations as protected as possible.