Exclusive by Ivica | WordPress zero-day vulnerabilities, and why running WP or any other CMS (content management system) causes security risks
Why do software vulnerabilities cause security risks? Running WordPress or any other CMS (content management system) without adequate security is like owning a warehouse and leaving the key under the mat for thieves. But even with security in place, being hacked has become a reality for many Internet entrepreneurs, content publishers, and digital media retailers.
Once your digital property is compromised, attackers can read your confidential and private data, and you can lose significant market share once customers learn that your websites and applications have been breached.
What exactly is a Zero-Day Vulnerability?
A zero-day vulnerability is a security flaw in software (a browser, an application, a CMS plugin, or an operating system) that is not yet known to the vendor of that software, and so has no patch, and is not yet known to antivirus vendors either, so there is no signature for it.
A zero-day threat, or zero-day exploit, is an attack that exploits such a previously unknown vulnerability.
The term zero-day means that the developers have had “zero days” to close the gap: at the moment the attack begins, they do not yet know the vulnerability exists.
Attackers can exploit zero-day vulnerabilities through a variety of attack vectors. Often the attack comes through the web browser, because browsers are on every machine. Attackers also send emails with attachments when the vulnerability is in the software that opens the attachment. A zero-day threat is also referred to as a “zero-hour attack” or “day-zero attack”.
Zero-day attacks are often carried out by well-organised, well-resourced groups. A zero-day attack exploits a vulnerability that is not known to developers or users. When attackers discover such a vulnerability, they write exploit code and package it in a worm, virus, Trojan, or other malware that uses the flaw to get in and cause damage. Working exploits are also bought, sold, and traded.
Sometimes zero-day attacks occur even though the developers knew about the vulnerability but simply had not yet produced the patch. Sometimes developers delay a patch because they want to bundle several fixes into one release and have concluded that a particular vulnerability does not pose an extreme risk. Keep in mind that this is a risky strategy that can invite a zero-day attack.
A zero-day attack happens within a period called the vulnerability window. The window opens when the vulnerability is first exploited and closes when the threat is brought under control, normally when a patch is deployed. Attackers develop malware that exploits common file types to compromise the system and steal valuable data, and they execute the attack to cause maximum damage, often within a day.
The vulnerability window can be short, but it can also stay open for years. In 2008, for example, Microsoft found a vulnerability in Internet Explorer that affected versions of Windows released back in 2001. It is not known when attackers first discovered the flaw, but the window could have been open for up to seven years.
In general, vulnerabilities can be discovered by hackers, security companies, researchers, the vendors themselves, or users. If the vulnerability is discovered by malicious hackers, they will try to keep it secret for as long as possible.
Good guys vs. Bad guys
When the vulnerability is discovered by the “good guys” (security companies or vendors), it is common to keep it secret until a patch is ready. In some cases the public is notified immediately because the problem can be avoided, for example by not visiting a certain website or not opening certain attachments.
When a vulnerability is discovered by a user, they may make it public. Then the race begins, good guys versus bad guys, and the question is: will the vendor ship a patch before the hackers find a way to exploit the vulnerability?
The year 2010 is known as the year of zero-day browser vulnerabilities. The attacks affected Adobe products (Flash, Reader), Internet Explorer, Java, Mozilla Firefox, Windows XP and many others.
Attacks on Microsoft
Zero-day attacks targeting Microsoft software often occur immediately after Microsoft releases its patches. Because Microsoft releases patches once a month (on the second Tuesday of the month, known as “Patch Tuesday”), cybercriminals have realised they can exploit that schedule by attacking the day after the patches come out.
Experts call this attacker strategy “Zero-Day Wednesday”. These attacks expose new vulnerabilities in Microsoft products, and unless a vulnerability is extremely dangerous (in which case an out-of-band patch is issued), it takes until the next monthly release for the company to fix it. And so it goes, blow by blow. More than a third of the zero-day vulnerabilities in 2014 were attributed to Microsoft-related products.
How exactly is Zero-Day vulnerability exploited?
There are several ways to exploit a zero-day vulnerability. In most cases attackers use exploit code that bypasses the defenses and plants a virus or other malware in a piece of software (e.g. a plugin), a computer, or a device.
Emails and similar lures are also used to trick users into visiting a website built by the attackers. When the site is visited, the malicious code runs unnoticed. Simply put, the attackers gain access to your system without you noticing.
The steps attackers take in a zero-day attack typically include the following phases:
– Search for vulnerabilities. The attackers examine the code (or fuzz the application) looking for flaws. In some cases, information about zero-day vulnerabilities is bought or sold between hackers.
– Vulnerability found. The attackers have found a “hole” that is unknown to the developers of the application in question.
– Exploit development. They write code that turns the flaw into reliable code execution or data access.
– Infiltration. The exploit bypasses defenses without the developer’s or the target’s knowledge.
– Launching the attack. Armed with working exploit code, the attackers deliver malware or take control of the compromised system.
A zero-day attack is possible because of the vulnerability window that exists from the moment the threat is discovered until the patch is deployed. The patch or “code fix” is sometimes released within hours, but it can take much longer, and on a website the window stays open until you actually install it.
How to detect a Zero-Day Attack?
Methods of detection include the following:
– Statistics-based technique. A baseline of normal activity is built from historical data (request rates, error rates, the files normally touched) and activity that deviates from it is flagged in real time. It does not need to know what the exploit looks like, only that the activity is unusual.
– Signature-based technique. Traffic or files are matched against “signatures” of known attacks. By definition this cannot catch a genuinely new exploit, but it still catches the known components attackers reuse: web shells, path traversal strings, injection payloads.
– Behavior-based technique. This model looks at how the attack interacts with the target, for example the sequence of requests, the files it writes, or the processes it spawns, rather than at what the payload looks like.
– Hybrid technique. As the name suggests, this combines the approaches above, so that a weak signal from one is confirmed by another.
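The following is an added example, not code from the article or from Virusdie, that runs all four techniques over a handful of constructed web-server access-log lines for a WordPress site. The log lines, IP addresses and plugin names (plugin-a, plugin-b, …) are made up; the log layout is assumed to be the common “combined” format. The signature list catches known exploit components, the statistics check flags an address whose 404 rate is far above normal, the behaviour check flags the probe-then-upload-then-execute sequence regardless of which plugin was hit, and the hybrid scorer combines them:

```python
"""Hybrid zero-day detection over access-log lines (added example, constructed data)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the combined access-log format (assumption: this layout).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:03 +0000] "GET /wp-content/themes/my-theme/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:10:01:00 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:10:01:01 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:10:01:02 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:10:01:03 +0000] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:10:01:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:10:01:12 +0000] "GET /wp-content/uploads/2023/10/cache.php?cmd=id HTTP/1.1" 200 96 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:10:02:30 +0000] "GET /wp-content/plugins/plugin-e/download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3100 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts, in log order; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["target"] = unquote(e["target"])  # decode %2F etc. so signatures see the real path
        entries.append(e)
    return entries

# Signature-based: known exploit components attackers reuse even in new exploits.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("php-in-uploads", re.compile(r"/wp-content/uploads/.*\.php", re.I)),
    ("sql-injection", re.compile(r"union\s+select|sleep\(\d+\)", re.I)),
    ("xss-probe", re.compile(r"<script", re.I)),
]

def signature_hits(entries):
    hits = defaultdict(set)
    for e in entries:
        for name, pattern in SIGNATURES:
            if pattern.search(e["target"]):
                hits[e["ip"]].add(name)
    return dict(hits)

# Statistics-based: a client whose 404 share is far above a normal visitor's is scanning.
def statistical_anomalies(entries, min_requests=5, max_404_ratio=0.5):
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0})
    for e in entries:
        per_ip[e["ip"]]["requests"] += 1
        if e["status"] == 404:
            per_ip[e["ip"]]["not_found"] += 1
    flagged = {}
    for ip, c in per_ip.items():
        ratio = c["not_found"] / c["requests"]
        if c["requests"] >= min_requests and ratio > max_404_ratio:
            flagged[ip] = {"requests": c["requests"], "not_found_ratio": round(ratio, 2)}
    return flagged

# Behavior-based: probe plugins -> POST something -> execute PHP from uploads.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php", re.I)

def behavioral_hits(entries, min_probes=3):
    """Flag the probe -> upload -> execute sequence, whatever the plugin names were."""
    state = defaultdict(lambda: {"probes": 0, "posted": False})
    hits = defaultdict(list)
    for e in entries:  # entries are in log order, so the sequence check is valid
        s = state[e["ip"]]
        if e["status"] == 404 and e["target"].startswith("/wp-content/plugins/"):
            s["probes"] += 1
        elif e["method"] == "POST" and s["probes"] >= min_probes:
            s["posted"] = True
        elif e["method"] == "GET" and s["posted"] and e["status"] == 200 and UPLOADS_PHP.match(e["target"]):
            hits[e["ip"]].append("probe-upload-execute")
    return dict(hits)

# Hybrid: weight the three signals so one weak indicator alone only asks for a look.
def hybrid_verdicts(entries):
    sig, stats, beh = signature_hits(entries), statistical_anomalies(entries), behavioral_hits(entries)
    verdicts = {}
    for ip in {e["ip"] for e in entries}:
        score = 3 * len(sig.get(ip, ())) + (2 if ip in stats else 0) + 4 * len(beh.get(ip, ()))
        evidence = sorted(sig.get(ip, ())) + (["404-rate"] if ip in stats else []) + beh.get(ip, [])
        verdict = "block" if score >= 6 else "investigate" if score >= 3 else "ok"
        verdicts[ip] = {"score": score, "verdict": verdict, "evidence": evidence}
    return verdicts

if __name__ == "__main__":
    for ip, v in sorted(hybrid_verdicts(parse_log(SAMPLE_LOG)).items()):
        print(ip, v)
```

Note what each technique misses on its own: the traversal attempt from 192.0.2.44 is caught only by the signature, the scanner at 198.51.100.9 probing plugins that do not exist on this site is caught by the 404 statistics, and the web shell dropped into uploads is caught by the behaviour check even when the plugin being abused is unknown. Thresholds and weights are illustrative and should be tuned to your own traffic.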
How to prevent a Zero-Day attack?
You can take proactive and reactive security precautions. Below are some tips you can use to protect your organization from the security risks associated with zero-day vulnerabilities, 7 steps to protect your website from zero-day vulnerabilities:
1. Keep all software on your website up to date (plugins, theme, WordPress core, PHP version, …)
2. Install fixes and patches as soon as they are released (a virtual patch management system, which blocks the exploit at the firewall until the real fix is installed, helps here as well)
3. Check your own habits (unique passwords, two-factor authentication, no shared admin accounts)
4. Set security settings right from the start (disable the dashboard file editor, turn off debug output in production, force HTTPS for the admin area)
5. Add protection from the beginning (e.g. use a firewall)
6. Monitor your site for suspicious behavior (unexpected PHP files in uploads, new admin users, bursts of 404s from one address)
7. Choose a secure hosting provider
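As an added example, not the article's or Virusdie's own code, the script below turns steps 1, 2 and 4 into an automated check. It reads a wp-config.php excerpt and a plugin inventory in the shape that `wp plugin list --format=json` produces (the exact field names are an assumption), and reports what is out of date or misconfigured. Both inputs are constructed samples; the constants checked (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG, WP_AUTO_UPDATE_CORE) are standard WordPress configuration constants:

```python
"""Audit a WordPress install against the 7-step checklist (added example, constructed data)."""
import json
import re

# Constructed wp-config.php excerpt (assumption: the usual define() layout).
SAMPLE_WP_CONFIG = """\
<?php
define( 'DB_NAME', 'wp' );
define( 'DB_PASSWORD', 'hunter2' );
define( 'WP_DEBUG', true );
define( 'DISALLOW_FILE_EDIT', false );
$table_prefix = 'wp_';
"""

# Constructed inventory in the shape of `wp plugin list --format=json` (assumption: field names).
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "plugin-a", "status": "active", "update": "available", "version": "1.2.0", "update_version": "1.3.1"},
    {"name": "plugin-b", "status": "inactive", "update": "none", "version": "4.0.0", "update_version": ""},
    {"name": "plugin-c", "status": "active", "update": "none", "version": "2.1.0", "update_version": ""},
])

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")

def parse_defines(config_text):
    """Return {CONSTANT: raw PHP value} for every define(...) in a wp-config.php."""
    return {name: value.strip() for name, value in DEFINE_RE.findall(config_text)}

# Constants that must be set to this value; absence is itself a finding (step 4).
MUST_BE = {
    "DISALLOW_FILE_EDIT": ("true", 4, "the dashboard theme/plugin editor lets any admin session write PHP"),
    "FORCE_SSL_ADMIN": ("true", 4, "admin passwords and cookies otherwise travel in clear text"),
}
# Constants whose default is safe; only an explicit bad value is a finding.
MUST_NOT_BE = {
    "WP_DEBUG": ("true", 4, "debug output leaks file paths and queries to visitors"),
    "WP_AUTO_UPDATE_CORE": ("false", 2, "security fixes ship as minor releases; let core apply them"),
}

def audit_config(config_text):
    defines = {k: v.lower() for k, v in parse_defines(config_text).items()}
    findings = []
    for name, (wanted, step, why) in MUST_BE.items():
        if defines.get(name, "") != wanted:
            findings.append({"step": step, "item": name, "detail": f"should be {wanted}: {why}"})
    for name, (bad, step, why) in MUST_NOT_BE.items():
        if defines.get(name, "") == bad:
            findings.append({"step": step, "item": name, "detail": f"is {bad}: {why}"})
    return findings

def audit_plugins(plugins_json):
    findings = []
    for p in json.loads(plugins_json):
        if p.get("update") == "available":  # step 1: outdated code is the usual way in
            findings.append({"step": 1, "item": p["name"],
                             "detail": f"{p['version']} -> {p['update_version']} available; update now"})
        if p.get("status") == "inactive":  # inactive plugin files stay on disk and stay reachable
            findings.append({"step": 1, "item": p["name"],
                             "detail": "inactive plugins still ship exploitable PHP; delete what you do not use"})
    return findings

def audit(config_text, plugins_json):
    """All findings, ordered by checklist step so the report follows the 7 steps."""
    return sorted(audit_config(config_text) + audit_plugins(plugins_json),
                  key=lambda f: (f["step"], f["item"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_WP_CONFIG, SAMPLE_PLUGINS_JSON):
        print(f"step {f['step']}: {f['item']}: {f['detail']}")
```

In practice you would feed it the real wp-config.php and the live output of `wp plugin list --format=json` (and the matching `wp theme list`), run it from cron, and treat any step-1 finding as the clock starting on your own vulnerability window.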
Further protection against potential zero-day vulnerabilities comes from the same four families applied as defenses rather than only as detection:
– Signature-based blocking (a web application firewall rule or virtual patch that rejects the known exploit pattern)
– Techniques based on statistics (rate limiting and anomaly-based blocking)
– Behavior-based defense (stopping the action, such as writing PHP into the uploads directory, rather than the payload)
– Combination technique
What is the Zero-Day market?
It is a place to buy and sell information about zero-day vulnerabilities and ways to exploit them. This market is currently booming. Because reliable zero-day exploits are rare, they are of exceptional value not only to cybercriminals but also to government intelligence agencies.
In some cases ethical hackers, the “good guys”, discover the vulnerability and quickly report it to the developer so a patch can be created. They often do this out of altruism, and sometimes they receive financial compensation (a bug bounty) for doing so. There is another, darker side to the zero-day market: hackers who discover vulnerabilities and sell the exploit code. This is big business. According to an article in Forbes magazine, such exploits sell for $5,000 to $250,000.
There are three segments of the zero-day market:
– The black, “underground” market, where criminals trade exploit code.
– The white market, where researchers and hackers share information about security vulnerabilities with vendors, often through bug bounty programs.
– The gray market, where hackers sell information about vulnerabilities and ways to exploit them to the military, intelligence agencies, and law enforcement, who use it for surveillance (wiretapping).
Unfortunately, zero-day attacks are not going to stop anytime soon. Their increase can also be expected because the zero-day market is growing and cybercriminals are becoming more brazen.
In addition, vendors sometimes do not want to publicly disclose that a vulnerability exists. There are many reasons for this; one is to protect the company’s reputation. This harms developers, users, and the industry as a whole, because silence gives attackers looking to exploit zero-day vulnerabilities more time.
Companies need to be constantly vigilant as hackers keep improving their tactics and attack methods. Fighting zero-day attacks requires constant education and the use of the latest defensive techniques. Zero-day vulnerabilities are not just a concern for the industry, but for all of us as end users.
Education, preparation, and rapid response to zero-day vulnerabilities must be the concern of everyone in the organization, from senior management and board members to IT experts and everyone else.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.
Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.