Research p1

This research paper examines the escalating threat of zero-day exploits and their impact on national security and infrastructure, highlighting real-world examples like Stuxnet and WannaCry. It discusses the nature of zero-day vulnerabilities, current detection methods, and mitigation strategies, emphasizing the need for proactive security measures. The paper also outlines the implications of zero-day attacks on national security, including case studies and the role of AI in identifying vulnerabilities.


"Civil War general Robert E. Lee said famously that it was a good thing war was so terrible, otherwise we should grow too fond of it."
― Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

RESEARCH PAPER

Vaibhav Singh
Noida International University, Sector 17 A, Greater Noida
[email protected]

Abstract

This paper explores the growing threat of zero-day exploits and their profound impact on national
infrastructure and security. Zero-day vulnerabilities, undiscovered by software vendors, allow
attackers to exploit critical systems without immediate detection. By examining real-world examples
such as Stuxnet and WannaCry, the research highlights how these exploits target government, military,
and essential services. The paper also discusses current detection methods, mitigation strategies, and
the role of AI in identifying emerging vulnerabilities. With cyber threats evolving, the study
emphasizes the need for proactive security measures to safeguard national interests against this hidden
danger.
Keywords: Zero-Day vulnerabilities, Stuxnet and WannaCry, Cyber Threats

Understanding Zero-Day Exploits


A zero-day (or 0-day) vulnerability is a security flaw in a piece of software that is not publicly known
and of which the vendor is not aware. A zero-day exploit is the method an attacker uses to access the
vulnerable system. These are severe security threats with high success rates, because businesses have no
defenses in place to detect or prevent them.
A zero-day attack is so called because it occurs before the target is aware that the vulnerability exists:
the attacker releases malware before the developer or vendor has had the opportunity to create a
patch for the vulnerability.
A zero-day attack begins with an attacker discovering a zero-day vulnerability, an error in code
or software that the target has yet to discover. The attacker then develops a zero-day exploit, a method
of attack that takes advantage of the existing vulnerability.

Top 10 Routinely Exploited Vulnerabilities in 2023 (Considered as Zero-Days)


Exploited CVEs of 2023 are:
1. CVE-2023-3519: Critical vulnerability. Allows an unauthenticated user to send an HTTP GET
request that causes a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe).
Attackers can leverage this flaw to upload malicious files that enable remote code
execution, privilege escalation, and credential access.
2. CVE-2023-4966: Critical vulnerability. Allows attackers to read memory outside buffers,
including session tokens (session token leakage), so that they can impersonate
authenticated users. Once the attacker has exploited this vulnerability, they can use it to
perform reconnaissance on hosts and networks and harvest credentials.
3. CVE-2023-20198: The attacker first exploited CVE-2023-20198 to gain initial access and
issued a privilege 15 command to create a local user and password combination. This allowed
the user to log in with normal user access. The attacker then exploited another component of
the web UI feature, leveraging the new local user to elevate privilege to root and write the
implant to the file system.
4. CVE-2023-20273: High risk. Targets Cisco IOS XE, building upon CVE-2023-20198: it
uses command injection to escalate to root privileges.
5. CVE-2023-27997: A heap-based buffer overflow in FortiGate's SSL VPN component,
which has been demonstrated to be exploitable for pre-authentication RCE. Since this is a
memory corruption bug, vulnerable versions need to be detected without crashing
the sslvpnd process and disconnecting active users.
6. CVE-2023-34362: A significant vulnerability that could enable an unauthenticated attacker
to access and manipulate a business's database through SQL injection. If left unaddressed,
it could lead to significant data breaches, loss of sensitive information, and severe disruption
of services. The vulnerability arises from an insecure SQL query in
the UserEngine.UserGetUsersWithEmailAddress() function (defined in
MOVEit.DMZ.ClassLib), which is built by concatenating strings supplied as parameters to
the function (reference: Hack The Box).
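As an added illustration (not code from the paper or from MOVEit; the table, column names and function names below are hypothetical stand-ins), the following Python snippet contrasts the string-concatenation pattern described above with a parameterized query. It uses an in-memory SQLite table with constructed rows so it runs offline:

```python
import sqlite3

# Constructed in-memory user table standing in for the application's user store
# (hypothetical schema, not MOVEit's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def get_users_with_email_vulnerable(conn, email):
    # Hypothetical stand-in for the concatenation pattern the paper describes:
    # the caller-supplied string is spliced directly into the SQL text, so any
    # quote characters in it become part of the query's grammar.
    sql = "SELECT username FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def get_users_with_email_safe(conn, email):
    # Parameterized query: the value travels separately from the SQL text and is
    # only ever treated as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both variants on a normal input and on a constructed input that
    contains a quote and an always-true condition; return the four result sets."""
    conn = make_db()
    normal = "bob@example.test"
    crafted = "nobody@example.test' OR '1'='1"  # constructed test input
    return {
        "vuln_normal": get_users_with_email_vulnerable(conn, normal),
        "vuln_crafted": get_users_with_email_vulnerable(conn, crafted),
        "safe_normal": get_users_with_email_safe(conn, normal),
        "safe_crafted": get_users_with_email_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every user for the crafted input because the condition `'1'='1'` is folded into the WHERE clause; the parameterized version returns nothing, since no row has that literal e-mail address. Reviewing code for the first pattern (any query text assembled with `+` or string formatting from request data) is the practical check this CVE suggests.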
7. CVE-2023-22515: Severity critical (9.8). Atlassian Confluence is affected by an
authentication bypass vulnerability. The root cause is the existence of an
access path that has no authentication checks. An attacker can access the
/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false path, which
requires no authentication, to set the application in Setup Mode. In this mode, the attacker can
create an admin user with no authentication requirements. Using this newly created user the
attacker has full access to the web interface of the Atlassian Confluence target.
8. CVE-2021-44228: A remote code execution (RCE) vulnerability in Apache Log4j 2 was
identified as being exploited in the wild. Public proof of concept (PoC) code was released, and
subsequent investigation revealed that exploitation was incredibly easy to perform. By
submitting a specially crafted request to a vulnerable system, an attacker is able, depending on
how the system is configured, to instruct that system to download and subsequently execute a
malicious payload. Because the discovery of this exploit is so recent, there are still many
servers, both on-premises and within cloud environments, that have yet to be patched. As with
many high-severity RCE exploits, massive scanning activity for CVE-2021-44228
has begun on the internet with the intent of seeking out and exploiting unpatched systems. We
highly recommend that organizations upgrade to the latest version (2.17.1) of Apache Log4j 2
for all systems. This version also patches the additional vulnerabilities CVE-2021-45046,
found on Dec. 14; CVE-2021-45105, found on Dec. 17; and CVE-2021-44832, found on Dec.
28.
9. CVE-2023-2868: This vulnerability targets the Barracuda Networks Email Security
Gateway (ESG) appliance. It allows bad actors to leverage input validation and sanitization
errors to obtain unauthorized access and remotely execute system commands. It is rated
critical.
10. CVE-2022-47966: This vulnerability allows remote code execution due to use of Apache
Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by
design in that version, make the application responsible for certain security protections, and
the ManageEngine applications did not provide those protections. This affects Access
Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081,
ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150,
Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security
Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before
10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6,
Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713,
Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote
Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before
10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter
Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18.

Real-World Case Studies


- Malicious campaigns that leveraged zero-day vulnerabilities.
- The table below describes all major incidents that occurred within the 11 years between
2006 and 2016.

Name: AdGholas
Description: The attacks were active since at least October 2015. To avoid detection the hackers use steganography and file whitelisting techniques.
Vulnerabilities: Multiple vulnerabilities in Microsoft Internet Explorer and Edge (CVE-2016-3351); multiple vulnerabilities in Microsoft Internet Explorer (CVE-2016-3298); information disclosure in Microsoft XML Core Services (CVE-2017-0022).

Name: Amnesty International Hong Kong site breach
Description: The hackers compromised the website and were delivering the Gh0st RAT Trojan.
Vulnerabilities: Multiple vulnerabilities in Adobe Reader and Acrobat (CVE-2010-2884); remote code execution in Microsoft XML Core Services (CVE-2012-1889).

Name: Ice Dagger attack
Description: The attack is called "Ice Dagger" by the Adallom security firm due to its sophistication.
Vulnerabilities: Information disclosure in Microsoft Office (CVE-2013-5054).

Name: Luckycat attacks
Description: The campaign has been active since at least June 2011 and is linked to 90 attacks against Indian and Japanese institutions.
Vulnerabilities: Remote code execution in Adobe Flash Player (CVE-2010-3654).

Name: Operation Russian Doll
Description: The operation refers to the Russian hacker group APT28. The hackers are suspected to target the German parliament, French television network TV5Monde, the White House, and NATO.
Vulnerabilities: Multiple vulnerabilities in Microsoft Windows (CVE-2015-1701).

The Real Story Of Stuxnet


Computer cables snake across the floor. Cryptic flowcharts are scrawled across various whiteboards
adorning the walls. A life-size Batman doll stands in the hall. This office might seem no different than
any other geeky workplace, but in fact it’s the front line of a war—a cyberwar, where most battles
play out not in remote jungles or deserts but in suburban office parks like this one.
Recognition of such threats exploded in June 2010 with the discovery of Stuxnet, a 500-kilobyte
computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-
enrichment plant. Although a computer virus relies on an unwitting victim to install it, a worm spreads
on its own, often over a computer network.
About this worm: Stuxnet could spread stealthily between computers running Windows—even those
not connected to the Internet. If a worker stuck a USB thumb drive into an infected machine, Stuxnet
could, well, worm its way onto it, then spread onto the next machine that read that USB drive.
Because someone could unsuspectingly infect a machine this way, letting the worm proliferate over
local area networks, experts feared that the malware had perhaps gone wild across the world.

In October 2012, U.S. defense secretary Leon Panetta warned that the United States was vulnerable to
a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids. The
next month, Chevron confirmed the speculation by becoming the first U.S. corporation to admit that
Stuxnet had spread across its machines.

The Potential Damage of WannaCry Ransomware Attack


- The wide spread of the malware, and the damage it caused, meant that the three-day
attack carried an estimated global cost in the billions.

- However, the damage caused by Wannacry was not evenly spread across different
businesses and industries. Organizations like the UK’s National Health Service
(NHS), which was running a large number of vulnerable machines, were especially
hard hit. The cost of Wannacry to the NHS alone is estimated to be US$100 million.

- The 2017 outbreak was only stopped by the discovery of a “kill switch” within the
WannaCry code, which, when triggered, stopped the malware from spreading further
or encrypting the data stored on any additional machines. Since the 2017 outbreak,
additional attacks by modified versions of WannaCry have occurred. However, none
of them have achieved the same footprint, cost, or recognition as the original
outbreak.

How WannaCry Works


1. Infection: Unlike many other ransomware variants, WannaCry spreads on its own rather than
being carried by malicious emails or installed via malware droppers.

WannaCry’s worm functionality comes from its use of the EternalBlue exploit, which takes
advantage of a vulnerability in Windows’ Server Message Block (SMB) protocol. The
vulnerability was first discovered by the National Security Agency (NSA) and publicly
leaked by the Shadow Brokers.
Machines infected with WannaCry scan the Internet for other machines running a vulnerable
version of SMB. If one is found, the infected computer uses EternalBlue to send and run a
copy of WannaCry on the targeted computer. At this point, the malware could begin
encryption of the computer’s files. However, first it checks for the existence of a particular
website. If the website exists, then the malware does nothing. The presence of this “kill
switch” is theorized to be either a way to stop the spread of WannaCry (which spreads
independently once launched) or as a means of making forensic analysis more difficult (since
most cybersecurity lab environments will pretend that any website that the malware requests
exists). If the requested domain is not found, WannaCry proceeds to the encryption stage.
2. Encryption
WannaCry is designed to deny a user access to their files on a computer unless a ransom is
paid. This is accomplished through the use of encryption, where the malware transforms the
data in a way that is only reversible with knowledge of the secret key. Since WannaCry’s
secret key is only known to the ransomware operator, this forces a victim to pay the ransom
to retrieve their data.
WannaCry is designed to search for and encrypt a set list of file extension types on a
computer. This is done to minimize the malware’s impact on a system’s stability. A computer
may not be able to run if the wrong files are encrypted, making it impossible for the victim to
pay a ransom or retrieve their files.

3. Ransom
The WannaCry malware demanded a ransom of US$300 from its victims. However, the
ransom demand was to pay in Bitcoin, not fiat money. As a cryptocurrency, Bitcoin is less
traceable than traditional types of currency, which is helpful for ransomware operators since
it allows them to embed a payment address (similar to a bank account number) in a ransom
message without it immediately alerting the authorities to their identity.
If a victim of a WannaCry attack pays the ransom, they should be provided with a decryption
key for their computer. This enables a decryption program provided by the cybercriminals to
reverse the transformation performed on the user’s files and return access to the original data.
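The infection step above (an infected host scanning for other hosts exposing a vulnerable SMB service) leaves a recognisable pattern in network telemetry: one internal source opening TCP/445 connections to an unusually large number of distinct hosts in a short time. The following Python snippet is an added example, not from the paper or from any WannaCry analysis: it parses constructed flow records and flags sources whose distinct-target fan-out on port 445 reaches a threshold within a sliding time window. The record format, the 60-second window and the threshold of 20 targets are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic). Assumed format:
# "<ISO-8601 time> <source IP> <destination IP>:<destination port>"
CONSTRUCTED_FLOWS = (
    # 10.0.0.5 reaches 25 distinct hosts on TCP/445 within 25 seconds: worm-like fan-out.
    [f"2017-05-12T10:00:{i:02d}Z 10.0.0.5 10.0.1.{i + 1}:445" for i in range(25)]
    # 10.0.0.9 talks to a single file server repeatedly on TCP/445: normal behaviour.
    + [f"2017-05-12T10:00:{i:02d}Z 10.0.0.9 10.0.1.200:445" for i in range(0, 50, 5)]
    # 10.0.0.7 browses many web servers on TCP/80: not SMB, so not counted.
    + [f"2017-05-12T10:00:{i:02d}Z 10.0.0.7 10.0.2.{i + 1}:80" for i in range(30)]
)


def parse_flow(line):
    """Split one record into (timestamp, source, destination, port)."""
    ts, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def detect_smb_fanout(lines, window_seconds=60, threshold=20):
    """Return {source: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 inside some window of
    `window_seconds`. Repeated connections to the same host count once, so a
    busy client of one file server is not flagged."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port == 445:
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        # For each event, count the distinct destinations seen in the window ending there.
        for i, (t_end, _) in enumerate(events):
            targets = {dst for t, dst in events[: i + 1] if t_end - t <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in detect_smb_fanout(CONSTRUCTED_FLOWS).items():
        print(f"ALERT: {src} contacted {count} distinct hosts on TCP/445 within 60s")
```

Only 10.0.0.5 is reported: 10.0.0.9 touches one destination repeatedly and 10.0.0.7 never uses port 445. In practice the same logic runs over firewall or NetFlow exports, and the alert is a prompt to isolate the source host and check it for the SMB patch, which is also the point at which the paper's "update and upgrade software immediately" mitigation applies.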

Impact on National Security


Zero-day attacks, which exploit previously unknown vulnerabilities, pose significant threats
to national security. These attacks can compromise sensitive government data, disrupt critical
infrastructure, and undermine public trust. Here are some notable instances and analyses
highlighting their impact:
Stuxnet Worm (2010)
Stuxnet is a prime example of a zero-day attack with profound national security implications.
Discovered in 2010, this sophisticated worm exploited multiple zero-day vulnerabilities to
target Iran's nuclear enrichment facilities, causing significant disruptions. The attack
underscored the potential of zero-day exploits in cyber warfare, demonstrating how they can
be used to achieve strategic objectives without traditional military engagement.
(Source: en.wikipedia.org)
Shadow Brokers Leak (2016)
In 2016, a group known as the Shadow Brokers released a cache of sophisticated zero-day
exploits allegedly stolen from the U.S. National Security Agency (NSA). Among these was
"EternalBlue," which was later used in widespread attacks like WannaCry and NotPetya,
causing global disruptions. This incident highlighted the risks associated with stockpiling
zero-day vulnerabilities, as their exposure can lead to widespread exploitation.
(Source: en.wikipedia.org)

Chinese Cyber Espionage Activities


Chinese state-sponsored hacking groups have been implicated in numerous cyber espionage
campaigns targeting various countries' critical infrastructure. For instance, in April 2021,
suspected Chinese hackers exploited a zero-day vulnerability in Pulse Connect Secure
devices to spy on government and defense industry targets in the U.S. and Europe. Such
activities underscore the persistent threat posed by zero-day exploits in international cyber
espionage.
(Source: en.wikipedia.org)

Identify, Protect, Detect, Respond, Recover – National Security Agency | United States of America

Detection and Mitigation Strategies


- NSA's Top 10 Cybersecurity Mitigation Strategies:

1. Update and Upgrade Software Immediately
2. Defend Privileges and Accounts
3. Enforce Signed Software Execution Policies
4. Exercise a System Recovery Plan
5. Actively Manage Systems and Configurations
6. Continuously Hunt for Network Intrusions
7. Leverage Modern Hardware Security Features
8. Segregate Networks Using Application-Aware Defenses
9. Integrate Threat Reputation Services
10. Transition to Multi-Factor Authentication

Future Trends and Challenges

Remote working cybersecurity risks : The Covid-19 pandemic forced most organizations to
shift their workforces to remote work, often quite rapidly.
Working from home poses new cybersecurity risks and is one of the most talked-about new
trends in cyber security. Home offices are often less protected than centralized offices, which
tend to have more secure firewalls, routers, and access management run by IT security teams.
In the rush to keep things operational, traditional security vetting may not have been as
rigorous as usual – with cybercriminals adapting their tactics to take advantage.

The Internet of Things (IoT) evolving : The expanding Internet of Things (IoT) creates
more opportunities for cybercrime. The Internet of Things refers to physical devices other
than computers, phones, and servers, which connect to the internet and share data.
It is estimated that by 2026, there will be 64 billion IoT devices installed around the world.
The trend towards remote working is helping to drive this increase.
IoT devices have fewer processing and storage capabilities, which can make it harder to
employ firewalls, antivirus, and other security applications to safeguard them. As a result, IoT
attacks are amongst the most discussed cyber-attack trends.

The rise of ransomware : Ransomware isn’t a new threat – it’s been around for about two decades
– but it is a growing one. It’s estimated that there are now over 120 separate families of ransomware,
and hackers have become very adept at hiding malicious code. Ransomware is a relatively easy way
for hackers to gain financial rewards, which is partly behind its rise. Another factor was the Covid-19
pandemic. The accelerated digitization of many organizations, coupled with remote working, created
new targets for ransomware. Both the volume of attacks and the size of demands increased as a result.

Extortion attacks involve criminals stealing a company’s data and then encrypting it so they
can’t access it. Afterward, cybercriminals blackmail the organization, threatening to release
its private data unless a ransom is paid. The burden of this cyberthreat is significant given the
sensitive data at stake as well as the economic impact of paying the ransom.

Increase in cloud services and cloud security threats : Cloud vulnerability continues to be
one of the biggest cyber security industry trends. Again, the rapid and widespread adoption of
remote working following the pandemic increased the necessity for cloud-based services and
infrastructure.
Cloud services offer a range of benefits – scalability, efficiency, and cost savings. But they
are also a prime target for attackers. Misconfigured cloud settings are a significant cause of
data breaches and unauthorized access, insecure interfaces, and account hijacking. The
average cost of a data breach is $3.86 million.

Social engineering attacks : Social engineering attacks like phishing are not new threats but
have become more troubling amid the widespread remote workforce. Attackers target
individuals connecting to their employer’s network from home because they make easier
targets. As well as traditional phishing attacks on employees, there has also been an uptick
in whaling attacks targeting executive organizational leadership.

SMS phishing – sometimes known as ‘smishing’ – is also gaining prominence, thanks to the
popularity of messaging apps such as WhatsApp, Slack, Skype, Signal, WeChat, and others.
Attackers use these platforms to try to trick users into downloading malware onto their
phones.

Voice phishing – also called ‘vishing’ – gained prominence in a Twitter hack in 2020.
Hackers posing as IT staff called customer service representatives and tricked them into
providing access to an important internal tool. Vishing has been used to target numerous
companies, including financial institutions and large corporates.

SIM jacking is where fraudsters contact the representatives of a particular client’s mobile
operator and convince them that the client’s SIM card has been hacked, so that the phone number
has to be transferred to another card. If the deception is successful, the cybercriminal
gains access to the digital contents of the target’s phone.

Organizations are increasing their protection against phishing, but criminals are always
looking for new ways to stay ahead.

Conclusion
Zero-day attacks, exploiting unknown software vulnerabilities, pose a significant threat to national
security. Their unpredictable nature makes them particularly dangerous, as organizations cannot
prepare for unknown threats, allowing attackers to bypass existing security measures.
(Source: lktechnologies.com)
The 2010 Stuxnet worm exemplifies this danger, where multiple zero-day exploits were used to target
Iran's nuclear facilities, causing significant disruptions.
(Source: contemporarysecuritypolicy.org)
Similarly, in 2021, suspected Chinese hackers utilized a zero-day attack against Pulse Connect Secure
devices to spy on government and defense industry targets in the U.S. and Europe.
(Source: en.wikipedia.org)
These incidents highlight the critical need for robust cybersecurity measures and international
cooperation to mitigate the risks associated with zero-day vulnerabilities. Establishing norms against
the use of zero-day exploits could enhance global security.
(Source: cyber.army.mil)
In conclusion, addressing the challenges posed by zero-day attacks is essential for safeguarding
national security. Proactive strategies, including timely patching of vulnerabilities and international
collaboration, are vital to defend against these covert threats.

References
https://www.cobalt.io/blog/2023-top-routinely-exploited-vulnerabilities
https://www.fortinet.com/resources/cyberglossary/exploit
https://www.fortinet.com/resources/cyberglossary/zero-day-attack
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20198
https://github.com/BishopFox/CVE-2023-27997-check
https://www.hackthebox.com/blog/cve-2023-34362-explained
https://pentest-tools.com/vulnerabilities-exploits/atlassian-confluence-authentication-bypass_5
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
http://packetstormsecurity.com/files/170882/Zoho-ManageEngine-ServiceDesk-Plus-14003-Remote-Code-Execution.html
http://packetstormsecurity.com/files/170925/ManageEngine-ADSelfService-Plus-Unauthenticated-SAML-Remote-Code-Execution.html
http://packetstormsecurity.com/files/170943/Zoho-ManageEngine-Endpoint-Central-MSP-10.1.2228.10-Remote-Code-Execution.html
https://attackerkb.com/topics/gvs0Gv8BID/cve-2022-47966/rapid7-analysis
https://blog.viettelcybersecurity.com/saml-show-stopper/
https://github.com/apache/santuario-xml-security-java/tags?after=1.4.6
https://github.com/horizon3ai/CVE-2022-47966
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
https://www.zero-day.cz/research/
https://spectrum.ieee.org/the-real-story-of-stuxnet
https://en.m.wikipedia.org/wiki/Zero-day_vulnerability
https://en.m.wikipedia.org/wiki/Cyberwarfare_by_China
https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf
https://www.kaspersky.com/resource-center/preemptive-safety/cyber-security-trends
