The healthcare and public health sector has been warned to take steps to reduce the risk of cyberattacks exploiting zero-day vulnerabilities. A zero-day vulnerability is a software flaw that has only just been brought to the attention of the software developer, often as a result of a threat actor exploiting the flaw in real-world attacks or because a white hat security researcher has identified the bug. They are called zero-days because the developer has had zero days to develop a fix.
Zero-day vulnerabilities may have been introduced during the development of software or may have been unwittingly introduced during a software update. A zero-day attack involves a weaponized exploit for a zero-day vulnerability, and these are among the hardest types of cyberattacks to mitigate since no patch is initially available to correct the flaw.
The number of exploited zero-day vulnerabilities has increased significantly in recent years. In 2019, just under 30 zero-day flaws were actively exploited before a patch was released. So far in 2021, more than 60 zero-day vulnerabilities have already been exploited.
There are several reasons why this is the case. Software is being developed faster, more software solutions are being released, and big bucks are paid to individuals who discover zero-day vulnerabilities, and even more if they have developed working exploits for those flaws.
Bug bounty programs can give white hat hackers considerable rewards for identifying zero-day vulnerabilities, and threat groups are more than willing to pay out for exploits that can be used to attack large numbers of organizations. There are also many more threat groups with pockets deep enough to pay big bucks for working exploits than there were a few years ago. It is now not uncommon for a zero-day exploit to be sold for more than $1 million.
In 2017, a zero-day vulnerability was used in a phishing campaign distributing the Dridex banking Trojan. Normal phishing campaigns require an individual to open an email, double-click on an attached Word document, then enable content and editing to allow a malicious macro to run. That macro then downloads a malware payload. In this campaign, the zero-day exploit incorporated in the attack meant the only user interaction required was double-clicking on the attachment.
In 2021, a zero-day vulnerability in the SonicWall SMA 100 Series VPN was exploited by a threat group tracked as UNC2447. That attack delivered FiveHands ransomware to SonicWall customers. Several zero-day vulnerabilities have been identified that directly impact healthcare organizations. Earlier this year, a zero-day vulnerability was identified in a pneumatic tube system that is used to rapidly transfer samples, test results, and medications around hospitals. While the flaw was not exploited, an attacker could have exploited the flaw to take control of the system and conduct a denial-of-service or ransomware attack. Such an attack would have caused major disruption and considerable delays to patient care.
Due to the nature of zero-day vulnerabilities, patches are not immediately available. Oftentimes mitigations need to be implemented to prevent exploitation while a patch is developed; then the patch needs to be applied, tested, and fully rolled out. That can take time. A 2019 study by the Ponemon Institute suggests the average time from the discovery of a vulnerability to fully deploying a patch is 97 days. During that time, the flaw could easily be exploited.
Defending against zero-day attacks is a challenge, especially in healthcare. Zero-day vulnerabilities may be identified in medical and IoT devices, which are notoriously difficult to patch as they are often used in critical care and are not easy to take offline.
According to a recent alert issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3), the best defense against zero-day attacks is to “patch early, patch often, patch completely.” When patches are released, it is vital that zero-day vulnerabilities are prioritized and patches are applied promptly on all vulnerable devices.
In addition to prompt patching, HC3 recommends network segmentation, implementing a web-application firewall to review incoming traffic and filter out malicious input, and using runtime application self-protection (RASP) agents that sit inside the runtime of applications and can detect anomalous behavior.