Zero Day Diary

Q3 2017

ZeroDayDiary.com — sponsored by Digital Defense — provides chief information security officers (CISOs) and IT security teams with a quarterly list of noteworthy zero day vulnerabilities and exploits to software applications and IoT devices.

ZEROING IN

Trend Micro and Zerodium each offer up to $500,000 for zero day vulnerabilities

No payouts in a year from Apple’s bug bounty program

Kacy Zurkus

Menlo Park, Calif. – Oct. , 2017

BlueBorne, Devil’s Ivy, and Dragonfly, all in the news this quarter, are rather whimsical names for zero day exploits that can cause considerable harm.

Some vendors are dangling up to a half-million dollars for zero day vulnerabilities, but the actual payouts from major vendors — including Apple — appear to be sparse.

Bug bounties aside, zero-day exploits are trending up — heading towards Cybersecurity Ventures’ recent prediction that there will be one new exploit per day by 2021, up from one-per-week in 2015.

September

Sep. 28. Though initially believed to have been a zero day exploit, the Equifax breach was the result of a failure to patch the Apache Struts 2 web framework. Discovered two months earlier, the bug had been fixed and a patch released in time for Equifax to have prevented this breach.

Sep. 27. An over-the-air update notification delivered a fix for one of the eight zero-day vulnerabilities Armis reported. The most concerning was the BlueBorne vulnerability, which attacks devices through Bluetooth.

Sep. 26. Richard Smith, Equifax's CEO, is out in the wake of a disastrous hack of the company's computer systems.

Sep. 26. Apple’s recently released macOS High Sierra operating system comes with a zero day exploit that could put your stored keychain passwords at risk if your Mac gets hacked.

Sep. 22. Google's Project Zero security team open-sourced Domato, an automated testing tool (a fuzzer) that found dozens of security bugs in popular web browsers. Google's Chrome, Mozilla's Firefox, and Microsoft's Internet Explorer and Edge all contained a few bugs, but Apple's Safari had the most, at 17.

Sep. 20. Equifax admits to experiencing a security incident in March 2017, involving a payroll-related service.

Sep. 19. Microsoft extends bug bounty program until the end of 2017; it had originally been slated to end June 15. The minimum bounty has been increased to $6,000, while the cap remains at $15,000.

Sep. 15. Equifax confirms an unpatched critical Apache Struts vulnerability was the source of its major data breach. Attackers used the vulnerability to steal personal data from 143 million Americans.

Sep. 12. Ten D-Link zero day flaws affecting 850L routers are uncovered by security researcher Pierre Kim. If these flaws are exploited, hackers could gain backdoor access to the devices.

Sep. 11. Two key U.S. senators want answers about Equifax's cyber breach of September 7. Senator Orrin Hatch (R-Utah) and Senator Ron Wyden (D-Oregon) want a timeline of the breach.

Sep. 7. Equifax, one of three major consumer credit reporting agencies, reveals that hackers have gained access to company data—names, addresses, social security numbers, and driver’s license numbers were stolen.

Sep. 7. CrowdStrike’s vice president of marketing, Dan Larson, says that having a plan in place to address zero-day threats long before an attack occurs, and taking steps to ensure your plan is effective, is of utmost importance.

Sep. 6. A new Symantec report details a sustained and sophisticated campaign to hack into more than 20 power stations in the United States and elsewhere. The campaign, dubbed Dragonfly, has been active since 2011, but Symantec identifies a surge in late 2015 continuing to the present.

Sep. 1. There are many challenges to securing containers, and zero-day container attacks are one of the most concerning threats, given that you can't protect what you can't see.

August

Aug. 31. A recent study from Sonatype shows that more than 10,000 new component versions (patches and fixes) are released daily, which can require extra configuration to block zero day exploits.

Aug. 31. Trend Micro, a Japanese cyber security firm, announces a competition in which security researchers look for zero day vulnerabilities and receive up to $500,000.

Aug. 26. Researchers from Citizen Lab and Lookout detect three zero-day vulnerabilities in iOS. Apple recommends that users update their phones.

Aug. 23. Zerodium, a company specializing in acquiring and reselling zero day exploits, is ready to pay up to $500,000 for working zero day exploits targeting messenger applications.

Aug. 18. Foxit Reader zero-day flaws would allow a remote attacker to execute arbitrary code on vulnerable installations of Foxit Reader. Foxit says it is working on a fix.

Aug. 17. Quarter 2 revealed an alarming increase in the number of zero-day attacks. According to research from PandaLabs, attacks rose 40% from the first quarter.

Aug. 14. Bitcoin is getting lots of buzz, but its popularity also makes it a target for hackers who are sophisticated enough to know how to exploit zero day vulnerabilities in user wallets.

Aug. 9. A report put out by Synopsys on the State of Fuzzing 2017 looks at the threat of zero day exploits across industries ranging from automotive to government.

Aug. 8. Microsoft August Patch Tuesday includes 48 patches, 25 of them critical. One remote code execution (RCE) bug allows an attacker to take complete control of a server or workstation via Windows Search.

Aug. 8. Microsoft failed to fix a known zero day Server Message Block (SMB) exploit in its August Patch Tuesday. The company says administrators don't have anything to worry about.

Aug. 7. Armis Labs reveals a new attack vector which endangers major mobile, desktop, and IoT operating systems, including Android, iOS, Windows and Linux. The vector is dubbed "BlueBorne," as it spreads through the air and attacks devices via Bluetooth.

Aug. 3. A deeper look into a Lloyd’s of London report on the challenges and risks that threaten enterprises. When reported, zero-day vulnerabilities and their exploits open the door not only for patches but also for malicious actors to use in new attacks.

Aug. 2. Ransomware attacks are coming from all angles and have the potential to grow more successful as criminals earn more money and are able to purchase zero-day exploits in the wild.

Aug. 1. Industry analyst Jon Oltsik reflected on his Black Hat 2017 experience. In response to the suggestion that the industry is too focused on zero-day vulnerabilities, Oltsik responds with his own insight.

July

Jul. 31. Only days after the Tesla Model X CAN bus hack was reported, the company was able to release a security patch through an over-the-air software update by collaborating with the researchers.

Jul. 29. IoT security just became a little more insecure. A group of researchers, including the hackers Zenofex, 0x00string, and maximus64_, revealed 22 zero-day exploits in consumer devices by hacking the hardware.

Jul. 28. Chinese researchers discovered several zero-day vulnerabilities and gained access to the CAN bus system in the Tesla Model X.

Jul. 26. All good things must come to an end, and Adobe Flash Player, more than twenty years after being introduced, is being put to rest, with the advancement of browser plugins cited as a reason.

Jul. 26. At the Black Hat USA 2017 security conference in Las Vegas, Lillian Ablon offered lessons from RAND Corporation's analysis of more than 200 zero day software vulnerabilities and related exploits, many of which have not yet been publicly revealed.

Jul. 24. The attacker of Italian spyware maker Hacking Team leaked three zero day exploits and 400 gigabytes of the company's internal emails.

Jul. 21. The question of government agencies disclosing zero-day vulnerabilities poses a lot of issues. One of great concern is that nearly a third of those known to government intelligence organizations end up rediscovered.

Jul. 20. Mid-year security threat review from ESET reports that Shadow Brokers promises to release more zero-day exploits and hacking tools, not only for operating systems, but also for browsers, routers and smartphones.

Jul. 20. Tor launches bug bounty program to detect vulnerabilities in its anonymizing network.

Jul. 20. The Federal Communications Commission (FCC) says it cannot provide more proof of a claimed cyberattack; it says there is no "written" analysis of the DDoS cyberattack that occurred in May.

Jul. 19. US State Department is merging the Office of the Coordinator for Cyber Issues with the State Department Bureau of Economic and Business Affairs. The reshuffling is seen as lowering the priority of cybersecurity.

Jul. 19. Senrio, a security firm focused on the Internet of Things, discovered a vulnerability while researching Axis security cameras. The zero-day exploit is dubbed Devil's Ivy because, like the plant, it is hard to kill and it spreads quickly.

Jul. 17. An Israeli cybersecurity firm, Votiro Cybersec, which patented a process to break down files and neutralize malicious code to help prevent zero-day exploits, made its IPO on the Australian Securities Exchange.

Jul. 14. CIOs and CISOs need to consider a different approach to protecting against ransomware given that none of the major attacks were the result of zero day exploits.

Jul. 11. Patches for 19 critical vulnerabilities were released on Patch Tuesday, covering the most frequently discovered bug classes: remote code execution, cross-site scripting, and elevation of privilege.

Jul. 11. Adobe Flash Player users should update their software. It doesn't matter whether a hacker has a zero day exploit to throw at your Adobe Flash Player if you haven't patched against known vulnerabilities.

Jul. 7. Nearly a year after Apple's head of security announced that his firm was launching a bug bounty program, there is no evidence that any bounties have been claimed.

Jul. 7. There have been few submissions, which some think is an indication that Apple has misread the bounty market and isn't offering fair payouts to those who spot zero days in the platform.

Jul. 5. Reported to have stronger capabilities and be able to address security issues and defend against zero-day exploits in a more advanced and sophisticated way, deception technology is a market to watch.

Jul. 3. Windows Defender Exploit Guard, a new Windows 10 feature from Microsoft, comes with a set of intrusion rules and policies to protect organizations from advanced threats, including zero day exploits.

Jul. 3. Help is on the way for one of the world's most targeted pieces of software. Adobe aims to amp up its security, although it remains an unfortunate truth that Adobe doesn't have the resources to spot, report, and remediate its many vulnerabilities.

Stay tuned for the Q4 2017 edition of the Zero Day Diary.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


Q2 2017


ZEROING IN

Discovery of zero day exploits predicted to reach one-per-day by 2021

Growing demand for ethical hackers specializing in vulns.

Kacy Zurkus

Menlo Park, Calif. – Jul. 2, 2017

Bad code and black hats are expected to boost the discovery of zero day exploits from one-per-week in 2015 to one-per-day by 2021, according to a recent report from Cybersecurity Ventures.

The latest diary of zero day exploits reinforces that prediction.

June

Jun. 27. A previously unknown flaw in Skype with a CVSS score of 7.2 allows attackers to crash Microsoft’s application and execute malicious code.

Jun. 26. With 40 percent of vulnerabilities considered zero-days, the federal government's threat landscape is widening, which raises the question of whether building security into software applications might narrow the target field.

Jun. 23. Google's Project Zero team started only a few years ago, but the conglomerate has since assembled one of the most highly skilled and most expensive groups of ethical hackers.

Jun. 23. Zero days are killing exploit kits, which means browsers are becoming more secure or hackers are not as talented as they used to be.

Jun. 23. Because zero-day exploits are previously unknown vulnerabilities, antivirus software won’t detect them, leaving business decision makers wondering if a cyber attack should be considered an inevitable and unavoidable cost.

Jun. 20. A newly released report from Trustwave concluded that zero day vulnerabilities found in the wild continue to target Adobe Flash Player and Microsoft applications. The survey found that every application tested had at least one vulnerability.

Jun. 19. Zero day exploit use suspected in the ransomware attack on two UK universities, University College London and Ulster University.

Jun. 14. Students at the University College London are strongly encouraged not to open emails because the university was the victim of a ransomware attack that allegedly used ‘the software nasty’ to exploit a zero-day vulnerability.

Jun. 13. Patches for nearly 100 security issues were released on Microsoft's Patch Tuesday to protect against remote code execution, even in the now unsupported Windows XP operating system.

Jun. 13. Zero-day exploits are often the root cause of cyber attacks, but when patches aren't applied, it's the N-days, or known bugs, that are more often at the root of disaster.

Jun. 9. Unreleased cyber weapons from the Shadow Brokers' NSA dump are being sold as a service by the notorious group. Interested parties are invited to join their monthly service that publishes zero-day exploits.

Jun. 6. Zero day bugs are worth big bucks, and Google has the money to pay researchers who can find Android vulnerabilities.

Jun. 5. While developers work on patches to fix zero day bugs that have been disclosed in their software, users remain vulnerable for weeks or even months while hackers identify their targets and set out to exploit unpatched systems.

Jun. 2. Organizations go on high alert when they learn of a zero-day bug, but the fear, uncertainty, and doubt (FUD) that fuels their reaction can sometimes do more harm than good.

May

May 26. Many want to point fingers at the NSA for stockpiling their tools, suggesting that if the vulnerabilities had been disclosed, perhaps the Google Docs and WannaCry attacks might not have been as widespread.

May 24. Sure, hackers are exploiting zero-day vulnerabilities and disrupting the digital world, but cybersecurity is more than protecting against unknown bugs in software.

May 22. In the wake of WannaCry, the government of India is on alert, fearing that not yet discovered exploitable bugs in software could cripple its systems and critical infrastructure.

May 16. Making an argument in defense of the National Security Agency, security industry experts talk about the NSA’s process of deciding whether to reveal or conceal the bugs they discover.

May 15. Whether the NSA’s disclosure of their discovered bugs could have prevented the WannaCry attack is debatable, but the consequences of the global ransomware threat confirm that risks to patient health are a real issue in cybersecurity.

May 10. Despite making headlines when researchers discover bugs, Microsoft engineers are reportedly doing a good job of blocking attacks that use the three zero day bugs reported by FireEye and ESET.

May 10. More bad news for Microsoft as security researchers with FireEye detect vulnerabilities being exploited in the wild in both Microsoft Office's Encapsulated PostScript (EPS) handling and Windows' Graphics Device Interface (GDI).

May 9. The Sednit hacking group used a spearphishing email with a Word attachment that contained information about Trump's attack on Syria, luring users to open a document that actually contained two of the many zero day exploits used by the group in the past two years.

May 8. Credited with having discovered countless zero day vulnerabilities for Google's Project Zero, researcher Tavis Ormandy warns that a wormable Windows remote code execution vulnerability was not only critical, but "crazy bad."

May 8. TechRepublic reports on everything you need to know about zero day exploits, from what they are to why they matter.

May 4. A security researcher discovers a zero day vulnerability in WordPress Core that reportedly stems from an untrustworthy default setting which could allow an attacker to hack into accounts and reset the user password.

May 4. Security experts debate whether intel agencies should disclose—rather than stockpile— zero day vulnerabilities and whether the disclosure would be helpful or harmful given that most go undiscovered for at least a year.

May 2. A new Zero Day Initiative (ZDI) program rewards white hat hackers with compensation and bonuses for their loyalty in discovering and reporting zero day bugs.

May 1. Signature based antivirus software detects known patterns, but as malware becomes more sophisticated, security practitioners are turning to artificial intelligence to help detect zero day vulnerabilities.

April

Apr. 23. Zero day vulnerabilities in Microsoft Office send developers racing to protect their software with a patch and prevent future attacks.

Apr. 17. Despite the Shadow Brokers data dump of NSA tools reported to include zero day Windows exploits, Microsoft claimed the known vulnerabilities had already been patched.

Apr. 13. Hundreds of thousands of online retailers at risk due to a zero day remote code execution vulnerability in an e-commerce platform.

Apr. 12. Microsoft continues to make headlines as different groups of attackers leverage the zero day to deliver FINSPY spyware, infecting computers with malware.

Apr. 11. After months of attacks, Microsoft released a patch for what was known as the Word zero-day booby-trap exploit.

Apr. 10. Four zero-day security vulnerabilities were found while Digital Defense, Inc. was developing new audit modules for its vulnerability scanning technology.

Apr. 9. McAfee beat FireEye to the presses in disclosing a zero day vulnerability allowing a malicious Word document to be executed by systems running Windows operating systems.

Apr. 8. At the Infiltrate conference in Miami, a researcher disclosed that a baseband zero day vulnerability in Huawei smartphones could be used to execute an attack.

Apr. 6. At least ten groups of attackers earned quite a sum by exploiting zero days in Apache Struts that have since been disclosed and patched.

Apr. 5. Antivirus defenses are unable to defend against nearly a third of today's malware, as it exploits new, zero-day vulnerabilities.

Apr. 4. Careers as ethical hackers are on the rise in 2017 because their pen testing skills help organizations discover zero-day vulnerabilities and fix the flaws.

Apr. 3. More than 40 zero day threats pose risks to Samsung’s Tizen OS, all of which allow remote code execution and could potentially be used across any of their smart devices powered by the operating system.

Apr. 3. Pegasus, malware that originally targeted iOS using zero day vulnerabilities, has a new Android version that doesn't need the zero day exploits.

Apr. 3. Troubles for Microsoft hit again with the discovery of a zero day that's been exploited in IIS 6.0. A temporary patch was released, but the flaw falls under their end-of-life products for which they no longer provide updates.

Stay tuned for the Q3 2017 edition of the Zero Day Diary.



Q1 2017


ZEROING IN

Cybercriminals are earning enormous profits selling zero day bugs on the black market

Microsoft, Google, and the commercial sector continue to struggle with zero day vulnerability disclosure policies.

Kacy Zurkus

Menlo Park, Calif. – Mar. 31, 2017

Given that new software continuously comes to market, every day presents a potentially new discovery of a zero day exploit. In this first quarter, many of the disclosures prompted the question: what is the most responsible way to disclose zero day vulnerabilities?

Rather than having vendors and tech companies warring with each other, some leaders in the security industry have called for the establishment of industry-wide policies to expedite the discovery, reporting, and patching of zero day bugs.

Short of having a uniform policy, companies like Google follow their own rules. Meanwhile, cybercriminals are earning enormous profits selling zero day bugs on the black market while governments continue to hoard their knowledge, leaving the commercial sector to fend for itself.

March

Mar. 30. Legacy antivirus systems fail to recognize new signatures because malware is changing so quickly. As a result, nearly 30 percent of all malware attacks are zero day exploits.

Mar. 27. Sometimes even security researchers get it wrong, which is what appears to have happened when Cybellum reported a zero day vulnerability named DoubleAgent. Sophos clarified the severity of the vulnerability and the back story on DoubleAgent.

Mar. 22. Even though LastPass, a password manager, had to fix a zero day flaw, Rapid7 said that this shouldn’t sway the trust of users. The disclosure proves that bug bounty programs can lead to quick fixes with little harm, and password managers are still reliable.

Mar. 16. Hoping that researchers will identify and disclose the most dangerous bugs that need fixing, Intel joins the ranks of Microsoft, Google, and Facebook, launching its own bug bounty program.

Mar. 13. The study released by the RAND Institute continues to make noise across the security industry, raising questions about disclosure and hoarding discovered bugs.

Mar. 11. Wired reports on a week’s worth of news, calling the post A One Stop Guide to Zero Day Exploits, in the aftermath of the WikiLeaks data dump.

Mar. 9. The RAND Institute examines the life and times of zero day vulnerabilities and exactly what to do about them.

Mar. 8. The Boston Globe investigates the potentiality of criminals discovering and hoarding the very same zero day exploits that the CIA had found.

Mar. 8. Tables are turned and the corporate character of Google is called into question after it disclosed vulnerabilities in both Microsoft and Cloudflare products before a patch was released.

Mar. 8. Debates over whether hoarding zero day vulnerabilities is good or bad for security continued, and are likely to go on for some time in the aftermath of the Vault7 revelations.

Mar. 7. WikiLeaks published the long list of zero day exploits and tools that the CIA had allegedly been using to spy on iPhone and Android users.

Mar. 6. After a security firm issued a patch for the long standing Microsoft vulnerability discovered by Google, users were finally able to take advantage of a fix.

Mar. 5. A hacker earned $5,000 from Uber for reporting a vulnerability that allowed him to get free rides in India and the United States.

Mar. 3. The malware involved in the UK attack on Barts Health Trust reportedly took advantage of a zero day vulnerability.

Mar. 2. User credentials are more often used to breach organizations, so should cyber security teams be overly concerned with zero day vulnerabilities?

Mar. 1. The Windows SMB vulnerability continued to cause headaches. The vulnerability was deemed the "zero day that keeps on giving."

Mar. 1. Zero day exploits allow hackers to work around established security measures including sandbox strategies.

February

Feb. 28. The clock ticked for 90 days, in accordance with Google's disclosure policy on zero day bugs, before another Microsoft vulnerability was made public with no patch available.

Feb. 22. Though a patch for critical vulnerabilities in Adobe Flash Player was released, two zero day bugs remained unfixed until March, leaving Microsoft Windows users vulnerable.

Feb. 22. No foreseeable changes expected in the vulnerabilities equities process (VEP), the process government agencies use to disclose zero day bugs.

Feb. 18. Proof of concept available in another Microsoft bug discovered by Google’s Project Zero team.

Feb. 16. Exodus Intelligence, a company that specializes in zero day vulnerability research, partners with NSS Labs to enhance their testing capabilities in determining exploitable vulnerabilities.

Feb. 16. A last-minute issue that couldn't be fixed in time for Patch Tuesday delays Microsoft's weekly release of patches for the first time.

Feb. 10. A malware program, likely part of the cache of exploits used by the Russian hacking group that goes by many aliases, including APT28, is targeting Macs with what was possibly a known exploit. That is a bit unusual, as the group is renowned for its use of zero day exploits.

Feb. 10. The door to information about discoveries of zero day vulnerabilities is slowly closing for commercial industries, as those discoveries are now more often either sold for profit on the black market or hoarded by governments.

Feb. 10. Cybersecurity practitioners, moonlighting as bounty hunters, take advantage of the growing zero day vulnerability market.

Feb. 8. 2016 saw a tremendous growth in software vulnerabilities despite continued calls for building security into the development life cycle. Also on the rise were paid disclosures of zero day bugs found by third parties or vendors.

Feb. 8. A new report calls for better cooperation between the government and private sector in sharing information about zero day vulnerabilities.

Feb. 7. New platform introduced by Kenna Security in partnership with Exodus Intelligence promises to provide greater visibility into zero day metadata, giving security teams immediate knowledge of vulnerabilities.

Feb. 6. Those left vulnerable by the zero day Windows SMB bug have to wait until Patch Tuesday for a fix.

Feb. 1. A particularly dangerous zero day vulnerability in WordPress was patched and fixed, but given the seriousness of the vulnerability, users are strongly encouraged to keep current with their updates.

Feb. 1. New exploit acquisition program from Zimperium focuses on N-day rather than zero day exploits.

January

Jan. 30. Security Intelligence examines the growth of available exploits in darknet marketplaces and looks at ways that enterprises can zero in on the dilemma of zero day vulnerabilities.

Jan. 25. Developers can mitigate risks by practicing secure coding and testing to find zero day vulnerabilities before hackers do.

Jan. 25. Zero day vulnerabilities discovered hiding out in browser extensions, but the critical Cisco WebEx vulnerability has been patched.

Jan. 24. Regardless of how insignificant a software update might seem, Apple's iOS 10.2.1 update fixes more than 'bugs and security on the phone'. A look at the security content page revealed that there were some malicious WebKit vulnerabilities discovered by Google's Project Zero.

Jan. 19. Confirmation that a zero day exploit kit targeting Windows Server Message Block was part of a collection of cyber weapons served as a reminder that the outdated version of SMB v1 should not be used.

Jan. 17. Trust in Adobe Flash continues to decline as concerns mount that the repeated vulnerabilities are threatening enterprise security.

Jan. 16. Microsoft's Windows Defender APT research team reported that exploit mitigation techniques in Windows 10 systems running the Anniversary Update actually neutralized zero day vulnerabilities and reduced the attack surface against future exploits.

Jan. 12. Windows customers are encouraged to keep their patches up to date after ShadowBrokers hackers put an exploit kit, which includes a zero day vulnerability, on sale for 750 bitcoin.

Jan. 11. Adobe Flash continues to cause problems across multiple computing platforms as Google's Project Zero researchers discover five zero-day issues.

Jan. 11. Even though bug bounty programs have helped companies successfully identify zero day bugs, they can also put security at risk when details are posted in public forums.

Jan. 9. Once a hacker exploits zero day vulnerabilities and is able to access valuable data, they turn to these top marketplaces on the dark web to sell those stolen credentials.

Jan. 5. Will establishing an industry standard for responsible disclosure of zero day vulnerabilities benefit the security industry?

Jan. 4. Brazen hacker known as CyberZeist exploits zero day vulnerability in the Plone Content Management System (CMS) of the FBI's website.

Jan. 3. A Legal Hackers researcher discovered a zero day bug marked as having extreme criticality in PHPMailer, which is widely used in the 'contact us' section of websites.

Stay tuned for the Q2 2017 edition of the Zero Day Diary.



Q4 2016


ZEROING IN

Cyber bounty hunters and hackers exposed critical flaws during the final quarter of 2016

Kacy Zurkus

Menlo Park, Calif. – Jan. 3, 2017

Microsoft patched several holes while tensions rose in the tech world after Google disclosed a Microsoft zero day before it had been patched. Adobe patched nearly 100 vulnerabilities in the final quarter of 2016, with 83 patches in October alone.

The patches, though, were not released before hackers took advantage of the vulnerability, elevating the critical status to an exploit in the wild, something no developer wants to hear.

An ever-increasing amount of new code and a robust underworld economy will be stoking the market in 2017 for zero-day vulnerabilities, according to Cybersecurity Ventures’ newly released annual Zero Day Report.

December

Dec. 28. The research team at Check Point discovered three zero-day vulnerabilities in the unserialize mechanism of PHP 7, the web programming language used in a large majority of websites.

Dec. 19. Gaining access to programs in Linux can allow hackers to delve deeper into the operating system, which means the exploit has greater potential to result in data exfiltration.

Dec. 19. Noting that criminals can now purchase zero-day exploits, industry leaders face the future of cyberwar and prepare for the unexpected.

Dec. 15. Opening or browsing a music file on Linux could leave desktops vulnerable. A second zero-day exploit for Fedora 25, released by Chris Evans, is said to run as a 'classic drive-by'.

Dec. 15. Advanced persistent threat groups spy on users in Europe and Turkey using a Wingbird backdoor in a zero-day exploit discovered in FinFisher.

Dec. 13. Another 31 vulnerabilities patched across multiple Microsoft product lines. The Flash zero-day is one of the four zero-day vulnerabilities listed as critical.

Dec. 9. Vulnerabilities and backdoor code in video cameras from multiple manufacturers continue to raise security concerns, as the cameras can potentially become part of IoT botnets and cause massive DDoS attacks.

Dec. 9. Hackers imply that they exploited a zero-day vulnerability when they hacked into the Twitter account of Indian tycoon Vijay Mallya.

Dec. 7. Concerns over vulnerabilities in IoT devices continue to grow, as the multiplying number of connected devices coming to market will only increase the attack surface, particularly with zero-day bugs.

Dec. 7. Among the many predictions experts made for 2017, novel zero-day reflection and amplification attacks will appear with more frequency, enabling more sophisticated and targeted attacks.

Dec. 6. Security experts and researchers weigh in on a call for consensus on responsible disclosure guidelines for reporting zero-days.

Dec. 6. Dutch critics take issue with the Netherlands government after it grants permission for police and secret service agencies to exploit zero-day vulnerabilities, calling it a subterfuge for surveillance programs.

Dec. 6. Vulnerable IP cameras go unpatched as two zero-days are exploited, allowing hackers to spy on computer users and take over the device.

Dec. 5. Hefty competition at HITCON CTF 2016 results in the discovery of three zero-day vulnerabilities and a big win of $10,000 for Korea’s Cykorkinesis.

Dec. 4. In response to the zero-day security issues Adobe Flash has experienced, Google Chrome decides to replace Flash with HTML5.

Dec. 1. An exploit targeting Tor users is deemed a near-perfect replica of the zero-day bug used by the FBI to identify anonymous users. Some question whether the bug was developed by the Feds.

November

Nov. 29. The Mac Observer gives kudos to Apple for its ability to patch zero-day exploits, having successfully created a fix for the issues in just ten days.

Nov. 29. Tor users find themselves under attack from a zero-day exploit in the wild that executed malicious code through the Firefox browser.

Nov. 28. ISP customers of Deutsche Telekom and Eircom were targeted through their home routers by Mirai malware via open Internet port 7547, causing a weekend service outage.

Nov. 28. Antonio Sanso, a senior software engineer at Adobe, disclosed a vulnerability in PayPal’s OAuth implementation that allowed him to bypass the validation and obtain a client token.

Nov. 28. Vanity Fair spotlights the evolution of zero-days, going back to the days of old when hackers held onto their discoveries. In telling the story of a grad student who discovered spyware that could control the iPhone, they take a look at how zero day exploits have changed.

Nov. 24. Zeus-type malware is used to target African and Asian banks, delivering a zero day to users by way of phishing emails and social engineering.

Nov. 16. Dark Reading’s Radio invites leaders in the security industry to engage in a live discussion, debating the benefits and drawbacks of bug bounty programs, responsible disclosure, and the “gray market” in zero day vulnerabilities.

Nov. 10. In only 18 seconds, South Korean security researchers exploited two different vulnerabilities in Microsoft Edge at PwnFest 2016 in Seoul.

Nov. 9. Pawn Storm cast a wide net in its attempt to exploit a zero-day vulnerability discovered in Adobe Flash. Between late October and early November, the espionage group targeted several governments worldwide with spear-phishing campaigns trying to capitalize on the combined vulnerabilities in Flash and Windows.

Nov. 9. In response to the criticism over the time it took Microsoft to respond to the zero-day vulnerability exploited by Fancy Bear, security experts debate responsible disclosure.

Nov. 8. After nearly two weeks of internally testing solutions to the zero-day Flash and Windows Kernel vulnerabilities, Microsoft released a patch for their troublesome duo of flaws.

Nov. 7. Belkin home products issue updates for the firmware flaws discovered in WeMo devices.

Nov. 3. Invincea Labs presented at Black Hat Europe 2016, sharing how they detected two zero-day vulnerabilities in an Android phone application, a first in IoT security research.

Nov. 2. Apple challenges the reporting time frame of Google’s Project Zero program, which aims to not only identify but fix zero-day vulnerabilities in popular software.

Nov. 2. Tensions rise in the tech industry as two of the largest enterprises disagree on the timing of when the Microsoft vulnerability was made public.

Nov. 1. After Microsoft still had not issued a fix, Google went public about the vulnerability as users were under attack by a group formerly tied to Russia’s prestigious intelligence agency.

Nov. 1. Microsoft issues an advisory recognizing that the same group that hacked the DNC was exploiting the win32k.sys vulnerability identified by Google.

October

Oct. 31. Nearly 10 days after Google privately reported a flaw in the Windows kernel, the zero-day vulnerability was used in attacks.

Oct. 27. After Google fully patched the vulnerability on its Nexus 6P, security researchers at the 2016 mobile Pwn2Own event in Tokyo were able to exploit it and other fully patched devices.

Oct. 27. Few in the tech industry were surprised to learn of yet another vulnerability discovered in Flash Player that allows attackers to remotely execute code and take control of a compromised system.

Oct. 26. Urgent call for Windows users to update ASAP as malware exploits a newly discovered vulnerability.

Oct. 26. Art reflects reality in the debut of VICELAND’s series CYBERWAR. The first episode of the new season, “The Zero-day Market” fictionalizes the reality of the growing market of zero-days.

Oct. 24. The Ruxcon hacking confab in Melbourne reveals flaws in wireless keyboards and mice that can’t be patched, but will be fixed in newer versions.

Oct. 21. ESET reveals the extensive hacking activity of the group sometimes known as Fancy Bear and Pawn Storm, among other names. In addition to having used a minimum of six zero-day exploits to hack the DNC, they’ve also targeted embassies, academics, and political groups worldwide.

Oct. 17. A $5,000,000 happy birthday celebration for Facebook’s bug bounty program seems a little pricey, but over the past five years researchers have earned hefty sums for discovering more than 900 bugs and zero day vulnerabilities.

Oct. 17. Censorship questions over reporting issues were tweeted out after IBM asked researcher Maurizio Agazzini to refrain from releasing sections of his disclosure that list the exploits.

Oct. 12. An Internet Explorer vulnerability serves as a reminder to take caution when clicking, as the flaw, CVE-2016-3298, requires that the bad actors trick targets into opening attachments or visiting malicious websites.

Oct. 12. Hackers get busy exploiting four of Microsoft’s zero-day vulnerabilities using malvertising campaigns, and evade researchers by checking target systems first.

Oct. 11. Of the 45 vulnerabilities that Microsoft addressed using its new update technology for October’s Patch Tuesday, five were rated critical for zero-day flaws.

Oct. 3. Dell EMC customers were issued patches after Digital Defense discovered five zero-day vulnerabilities in Dell EMC’s vApp Manager for Unisphere for VMAX, a web application used to manage all of EMC’s storage platforms.

Oct. 2. A JPEG 2000 image file format vulnerability reported by Cisco Talos security experts posed risks that, if exploited, could have had serious impacts. The file format is used to share pictures in a variety of file types through several different hosts, which makes it possible for attackers to exploit the flaw through email and cloud storage.

Stay tuned for the Q1 2017 edition of the Zero Day Diary.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.
