What is a Zero-click Exploit
For years, cybersecurity experts have advised businesses to train their employees to spot common digital threats. That made good sense, considering that up to 82% of data breaches stem from a human element. The conventional wisdom, therefore, held that education was key to defending digital business assets against most types of attacks.
Today, however, there is a new type of threat that businesses can’t teach their employees to spot. They are called zero-click exploits, and as their name suggests, they can compromise a targeted system without any interaction by a human operator.
The appearance of multiple zero-click exploits in the wild now means businesses face what could be the gravest threat to their cybersecurity yet. To help them prepare, here is an overview of zero-click exploits. We’ll cover what they are, look at examples of them in action, and share some advice on mitigation tactics.
The Anatomy of a Zero-click Exploit
True to their name, zero-click exploits can lead to the compromise of a wide array of network-connected devices without warning or explicit actions by an insider. Most of them take advantage of code vulnerabilities that lie undiscovered — or undisclosed — within applications. They also tend to target applications that process untrusted data. Common examples include SMS software, email applications, and other communications apps.
The reason for that is simple. Applications designed to process untrusted data are uniquely vulnerable because their whole purpose is to accept unknown input from outsiders. There is no real way to wall them off from attack short of not using them at all. That is why hackers comb through the code of such software, looking for vulnerabilities in the way it handles unknown inputs.
When they find one, exploiting it could require nothing more than sending a purposefully malformed text message or email to the targeted application. To the end user, the attack would look like nothing more than a random spam message or an accidental bit of communication. Meanwhile, the message would silently grant the attacker the ability to execute code on their system, and the user would remain unaware.
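To make the mechanism concrete, here is an added example (not code from the original article or from any product it names) of the kind of input-handling defect a malformed message can trigger: a receiver that copies a payload into a fixed buffer using a length field taken straight from the wire, shown beside the bounds-checked version. The wire format, the buffer size and the sample messages are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical wire format, constructed for this example (not any real
 * messaging protocol): 1-byte type, 2-byte big-endian payload length, then
 * the payload, which the receiver copies into a fixed 64-byte buffer. */
#define PAYLOAD_MAX 64

struct message {
    uint8_t  type;
    uint16_t len;
    char     payload[PAYLOAD_MAX];
};

/* BEFORE: the length field is trusted exactly as sent. A message claiming
 * more bytes than PAYLOAD_MAX, or more than actually arrived, makes memcpy
 * write past the buffer. Shown only for contrast; never call it on
 * untrusted data. */
int parse_message_unchecked(const uint8_t *buf, size_t buflen, struct message *out)
{
    if (buflen < 3)
        return -1;
    out->type = buf[0];
    out->len  = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(out->payload, buf + 3, out->len);   /* no bounds check */
    return (int)out->len;
}

/* AFTER: every length taken from the wire is checked against both the
 * destination capacity and the bytes actually received before any copy.
 * Returns the payload length, or -1 for a malformed message. */
int parse_message_checked(const uint8_t *buf, size_t buflen, struct message *out)
{
    if (buf == NULL || out == NULL || buflen < 3)
        return -1;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    /* reject a claim larger than the buffer or larger than what was received */
    if (len > PAYLOAD_MAX || (size_t)len > buflen - 3)
        return -1;
    out->type = buf[0];
    out->len  = len;
    memcpy(out->payload, buf + 3, len);
    return (int)len;
}

/* Constructed samples: a well-formed message, one whose length field claims
 * 0x1000 bytes, and one truncated before its declared payload ends. */
int demo_valid(void)     { const uint8_t m[] = {1,0x00,0x05,'h','e','l','l','o'}; struct message o; return parse_message_checked(m, sizeof m, &o); }
int demo_oversized(void) { const uint8_t m[] = {1,0x10,0x00,'x','x','x'};         struct message o; return parse_message_checked(m, sizeof m, &o); }
int demo_truncated(void) { const uint8_t m[] = {1,0x00,0x0A,'a','b'};             struct message o; return parse_message_checked(m, sizeof m, &o); }
```

The checked parser accepts the 5-byte payload and rejects both malformed messages, which is the point: the sender controls the length field, so the receiver must never use it as a copy size without validating it first.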
Well-known Examples of Zero-click Exploits
The unfortunate reality is that most zero-click exploits go unnoticed for far longer than other types of digital intrusion. That is by design. It doesn’t mean, however, that they escape detection forever. Several notable examples of zero-click exploits came to light in recent years.
NSO Group’s Pegasus Spyware
The most well-known example of a zero-click exploit is the Pegasus spyware developed and deployed by Israeli technology firm NSO Group. Pegasus is an extremely powerful surveillance tool that can silently deploy on both Android and iOS-powered smartphones. Once installed, it grants invisible, untraceable remote access to everything on the device.
According to representatives at NSO Group, Pegasus is only sold to governments, which means it is at least not in the hands of cybercriminals and their like. The problem is that there is no way to verify whether it has escaped into the wild — until someone other than a nation puts it to use.
Pegasus relies on multiple zero-click exploits to gain access to devices. On iOS, it reportedly exploited vulnerabilities known as Kismet and ForcedEntry to take control of various devices. On Android, it took advantage of Framaroot exploits to gain elevated privileges and install itself under the name Chrysaor. Although those exploits have since been patched, it is still unknown whether Pegasus variants continue to spread using additional zero-click exploit vectors.
WhatsApp VoIP Buffer Overflow
Another recent example of a zero-click exploit came to light in 2019, when Meta — then Facebook — announced a vulnerability in its WhatsApp messaging platform. The vulnerability, which had already enabled a zero-click attack on countless devices, triggered a plea from Meta to the 1.5 billion users of the app to update immediately. To this day, it is still unclear how many users fell victim to the attack, which underscores the severity of the threat posed by zero-click exploit vectors.
Hikvision IoT Firmware Exploit
Mobile devices aren’t alone in facing the zero-click exploit threat. More recently, IoT device manufacturer Hikvision disclosed a zero-click vulnerability in its network-attached cameras. It enabled the silent spread of the Moobot botnet in late 2021, and at least 80,000 still-vulnerable devices remained online as of August 2022. The flaw makes it possible for an external actor to take control of the devices and manipulate them at will.
Defending Against Zero-click Exploits
Due to the clandestine nature of the threat, businesses face an uphill climb in trying to defend against zero-click exploits. Since most zero-click exploits rely on unknown or still-present vulnerabilities, it is impossible to close the proverbial door on them entirely. However, there are some steps businesses can take to reduce the odds of falling victim to a zero-click exploit.
Remove All Unused Software
The first thing businesses can do is reduce their attack surface by removing unused software from all network-attached devices. Doing so reduces the number of potential unpatched vulnerabilities an attacker might target for a zero-click exploit. Also, it is advisable to enforce strict prohibitions against employees using unapproved software on company-owned devices.
Make Software Patches Mandatory
Although most software now includes automatic update functionality, it is not at all uncommon for business users to delay updates in the name of stability. It is a habit that should end in the face of the zero-click threat. Software vendors are now working at an increased tempo to patch vulnerabilities as they find them. By not applying all security patches as quickly as possible, businesses leave themselves unnecessarily vulnerable to zero-click exploits.
Use Zero-trust Segmentation
In recognition that preventing all zero-click exploits is close to impossible, it is also useful for businesses to try and contain the fallout should one occur. In a business network, the best way to do that is to use zero-trust segmentation. The idea behind the approach is to design a network based on the assumption that connected devices — even known entities — are inherently untrustworthy.
This means grouping devices with similar security characteristics into individual network segments via VLANs or their equivalents and strictly controlling interactions between them. Doing so can compartmentalize the network and prevent the lateral movement of an attacker in the event of a successful zero-click exploit. In other words, the damage wouldn’t spread from vulnerable devices to other non-vulnerable devices within the network.
Consider Micropatching Solutions
Last but not least, it is a good idea to consider a micropatching solution. Micropatching is a new form of crowdsourced vulnerability protection that is rapidly gaining traction in the cybersecurity space. It is meant to address the countless software vulnerabilities that security researchers find which go unpatched by software vendors. Micropatching works as a kind of software band-aid to catch vulnerability exploits and block them at runtime. It requires no alteration to existing software code, making it particularly useful for businesses that use legacy software they are either unwilling or unable to upgrade.
Confronting an Invisible Threat
The scale of the zero-click exploit threat is likely to grow in the coming years. It represents an attack vector that businesses can’t eliminate or defend against using traditional methods. Worse still, zero-click exploits are quite difficult to detect even while they’re in progress.
For businesses, zero-click exploits represent a serious escalation in their battle with would-be data thieves and other digital ne’er-do-wells. The correct response right now is for them to increase their cyber defense posture and take some of the preventative measures detailed above. The experts here at Outsource IT stand ready to help with those efforts and are just a phone call away. So contact an Outsource IT account manager today to enlist our help in your business’s fight against zero-click exploits.