EXECUTIVE BRIEF
The Rise of Zero Days
Intro
Zero-day threats have been rapidly increasing, and that’s dangerous for organizations and government agencies alike. In 2022, SonicWall observed 35 zero-day threats being actively exploited. Threat actors have been ramping up their search for zero-day vulnerabilities due to the higher reward potential a zero-day exploit has.

To mitigate risk, businesses of all sizes need to be aware of zero-day exploits and prepared for a scenario in which their organization is targeted. You can help protect your assets by learning more about zero-day exploits and gaining a higher level of insight into your risk posture.

Defining A Zero Day Threat

News outlets tend to sensationalize any unpatched vulnerability by calling it a “zero-day threat,” but truthfully, until it’s actively being exploited by a threat actor, it’s only research. A true zero-day threat is an unpatched, undiscovered vulnerability that is being leveraged in the wild to exploit a business right now.

That’s not just an opinion, either — the National Institute of Standards and Technology (NIST) defines a zero-day as follows:

An attack that exploits a previously unknown hardware, firmware or software vulnerability.

Any vulnerability can be serious, but if the vulnerability isn’t yet being actively exploited, it gives your security team more time to implement a thoughtful solution to the problem.

The Drive Behind Zero Days

Threat actors exploit zero-day vulnerabilities to infiltrate widely adopted technology and software. The more users a given app, operating system or other software has, the more valuable it is to cybercriminals. That’s why 75% of zero-day exploits target Microsoft, Apple and Google products. Software with a higher adoption rate offers greater opportunities for bad actors to steal credentials and personal information, deploy ransomware, and more — which means more financial gain if they’re successful. A good zero-day exploit can fetch millions of dollars on the open market.

The Blurred Lines of the Zero-day Market

Zero-day exploits are a hot commodity. It’s not just criminals who want to purchase zero days — there are white-market brokers, gray-market brokers and black-market brokers all competing to purchase and sell zero-day threats.

The white market typically pays the least. This market is made up of security researchers offering bug bounties for any vulnerability a person can find. The white market is typically made up of the original developers of a software.

The gray market is made up of companies that bid large amounts to purchase zero-day threats. Some companies offer millions of dollars for the highest-risk vulnerabilities with active exploits. Once purchased, those organizations then resell the data to companies that need to protect themselves from the vulnerability. The gray market has overlap from both the black and white market. Gray-market buyers can also be clients from the private sector, brokers who are looking to resell exploits or even governments who are looking to utilize the exploits for intelligence gathering or something else.
The black market is made up of threat actors and cybercriminal gangs. They have the capital to bid against the gray-market companies and pay top dollar for the most sought-after exploits on the market. Cybercriminals view purchasing zero-days the same way a business owner views investing money back into their business.

This is one of the reasons people think businesses should be banned from paying ransoms to cybercriminals who have taken their data and assets hostage: it perpetuates cybercrime. At the RSA conference last year, the director of cybersecurity at the National Security Agency (NSA) suggested that by paying those ransoms, businesses are propping up these ransomware gangs in the black market and enabling them to buy more zero-day exploits and steal more data. It’s a vicious cycle.

On the perimeter of this zero-day market are nation-states. Nation-states can be good guys or bad guys in this market. Some nation-states may be purchasing zero days to use maliciously, such as the Lazarus ransomware gang largely thought to be run by the North Korean government.

Other governments purchase zero days to hold for intelligence gathering or to keep off the cybercriminal market. The United States now has a system called the Vulnerability Equity Process (VEP) which was created as a result of the WannaCry ransomware attack in 2017. When a U.S. intelligence agency discovers an unknown vulnerability, it goes through the VEP to determine if the agency should keep the vulnerability a secret or disclose it to the public so companies can protect themselves. This agency attempts to balance national security, law enforcement and intelligence gathering with citizen- and industry-level security objectives.

The zero-day market has a diverse group of buyers and sellers. Whether they are acting maliciously or working to help protect people’s data, they all contribute to the market of zero-day threats.

Dark Web Markets

While much of the white market for vulnerabilities is transparent and exists out in the open, gray-market and black-market transactions are typically going to take place on the dark web. The dark web can only be accessed using specific browsers and software, and we don’t condone visiting it.

Threat actors use the dark web, and these markets in particular, like a sort of hacker flea market. With a special web browser and a bit of know-how, threat actors can purchase zero-day exploits almost instantly.

High-Profile Zero-day Events

We’ve taken an in-depth look into the economic factors driving the purchases of zero-day exploits, so now let’s examine a few of the most devastating zero-day events in history. These events are notable because they didn’t just affect a few organizations — they affected millions of people around the world.

WannaCry: In 2017, someone in Europe downloaded an email attachment that released the WannaCry ransomware onto that person’s device. Hackers demanded a $300 ransom to unlock the computer, and when all was said and done, over 300,000 devices had been infected globally. Some of the affected computers were on the UK’s National Health System (NHS), leaving NHS staff unable to access important documents and patient records. The UK was forced to shut down multiple medical facilities while trying to stop the spread of WannaCry. WannaCry also affected rail systems, factories, shipping companies, banks and countless other types of businesses around the world. WannaCry leveraged an exploit called EternalBlue that had originally been developed by the U.S. National Security Agency (NSA). The NSA’s hacking tools were leaked online in 2016 by a group known as the Shadow Brokers, which led to the WannaCry event.

SolarWinds: In 2020, a zero-day exploit that compromised systems from a company called SolarWinds led to data breaches at several federal agencies as well as hundreds of major corporations. The SolarWinds attack cost affected companies an average of $12 million each.

Log4j: In December of 2021, a security researcher in China found vulnerabilities in Log4j, a highly popular Free and Open-Source Software (FOSS) logging library. This discovery sent shockwaves throughout the cybersecurity world, and it continues to wreak havoc to this day. The Log4j vulnerability existed for eight years before it was announced. The vulnerability has affected millions of products in nearly all industries. In 2022 alone, SonicWall saw a total of 1.12 billion intrusion attempts against the Log4j vulnerabilities.

Despite the massive number of intrusion attempts in 2022, there is a fear that the worst has yet to come. It’s estimated that 70,000 open-source projects have Log4j as a direct dependency, and an additional 174,000 projects have it as a transitive dependency. Only time will tell what the future of the Log4j vulnerabilities will look like, but knowing if and where Log4j exists in your systems could go a long way toward protecting your organization from a potential exploitation.
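The Log4j passage above ends on the point that matters for defenders: knowing if and where Log4j exists in your systems, and whether it arrived as a direct dependency or transitively through something else. The following is an added example, not SonicWall’s code or tooling. It parses the text output of Maven’s `mvn dependency:tree` (a constructed sample listing for a hypothetical service is embedded), reports every log4j-core occurrence with its version, whether it is direct or transitive and which module brings it in, and flags versions below an assumed patched baseline (2.17.1 here; set it from your own patching policy).

```python
"""Locate log4j-core in a Maven dependency tree and classify each occurrence.

Added example, not SonicWall's code. SAMPLE_TREE is a constructed
`mvn dependency:tree` listing; FIXED_BASELINE is an assumed patched baseline.
"""
import re

# Assumed patched baseline for log4j-core (set from your own policy). Anything
# below it, including the end-of-life 1.x line, is flagged for attention.
FIXED_BASELINE = (2, 17, 1)

# Constructed sample output of `mvn dependency:tree` for a hypothetical service.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:billing-client:jar:3.2.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile
[INFO] \\- com.example:metrics:jar:0.9.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
"""

# Each nesting level of the tree is drawn with a 3-character glyph.
PREFIX_RE = re.compile(r"^((?:\|  |   |\+- |\\- )*)(\S.*)$")


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def parse_tree(text):
    """Yield (depth, ancestors, group, artifact, version) for each tree node."""
    stack = []  # artifactIds from the root module down to the current node
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = PREFIX_RE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        group, artifact = parts[0], parts[1]
        # groupId:artifactId:packaging[:classifier]:version[:scope]
        version = parts[4] if len(parts) == 6 else parts[3]
        stack = stack[:depth]
        ancestors = list(stack)
        stack.append(artifact)
        yield depth, ancestors, group, artifact, version


def find_log4j(text, baseline=FIXED_BASELINE):
    """Report every log4j-core node: direct or transitive, via what, below baseline?

    log4j-api on its own is not the exploitable component, so only log4j-core
    is reported.
    """
    findings = []
    for depth, ancestors, group, artifact, version in parse_tree(text):
        if group != "org.apache.logging.log4j" or artifact != "log4j-core":
            continue
        findings.append({
            "version": version,
            "direct": depth == 1,
            "via": ancestors[1:],  # path below the root module
            "below_baseline": version_key(version) < baseline,
        })
    return findings


def summarize(findings):
    """One human-readable line per finding, in tree order."""
    lines = []
    for f in findings:
        kind = "direct" if f["direct"] else "transitive via " + " > ".join(f["via"])
        flag = "BELOW BASELINE" if f["below_baseline"] else "ok"
        lines.append(f"log4j-core {f['version']} ({kind}): {flag}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_log4j(SAMPLE_TREE)):
        print(line)
```

Run against a real tree with `mvn dependency:tree > tree.txt` and feed the file’s contents to `find_log4j`. The transitive findings are the ones an inventory of your own `pom.xml` files would miss, which is exactly why the 174,000 transitive dependents in the text are the harder problem.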
2 | The Rise of Zero Days
Chart: Never-Before-Seen Malware Variants Discovered by RTDMI (bar chart; only the values survived extraction): 2019: 153,909; 2020: 268,362; 2021: 442,151; 2022: 465,501.
www.sonicwall.com
Zero-Day Risk Levels

As scary as zero-day threats are, they actually make up a relatively small percentage of all vulnerabilities. As previously mentioned, in 2022 SonicWall observed just 35 zero-day vulnerabilities being exploited out of a pool of over 25,000 observed vulnerabilities. While zero-day exploits can be much more dangerous than other vulnerabilities, businesses shouldn’t focus all their efforts on preventing a zero-day exploit when most of the vulnerabilities leveraged by threat actors already have patches or other remedies available.

Preventative Measures

There are a multitude of options for businesses looking to protect their networks, users and assets against not only zero-day threats, but all vulnerabilities. SonicWall’s Real-Time Deep Memory Inspection™ (RTDMI) harnesses the power of artificial intelligence to identify both known and zero-day exploits. The combination of SonicWall’s Capture ATP multi-engine sandbox with RTDMI can even detect threats that don’t yet show signs of being malicious.

Aside from hardware and software solutions, businesses can also protect themselves with actionable threat intelligence and thoughtful procedures.
Figure 1 (flowchart; only its box text survived extraction, so the layout is summarized here). Start: VULNERABILITY IS DISCLOSED. Decision questions, left to right: Does this vulnerability impact you? Is there a PoC available? Does this impact critical infrastructure? Is there exploitation “In the Wild”? Is your environment being targeted for exploitation? Actions shown across the top of the chart: Deploy mitigating controls (WAF); Monitor for exploitation (IDS/IPS/EDR); Threat hunt with known IOA/IOCs. Outcomes shown beneath the questions, left to right: No further action; Schedule for patching as Low-Moderate priority; Schedule for patching with High Priority; Schedule for patching with Emergency Priority; Block known attacker infrastructure.
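Figure 1 is offered in the text as a starting point for an organization’s own vulnerability procedure. The following is an added example, not SonicWall’s or Immanuel Chavoya’s code, that turns the chart into a small triage function so a team can run a batch of disclosures through it and get a patch queue. The chart’s arrow labels did not survive extraction, so the reading implemented here is an assumption: the questions are walked left to right, each NO answer drops to the outcome box beneath that question, each YES moves on to the next question, and the three actions drawn across the top attach at the critical-infrastructure, in-the-wild and targeted questions respectively. The sample disclosures and their names are constructed, not real advisories.

```python
"""Triage a disclosed vulnerability by walking Figure 1.

Added example, not SonicWall's code. The mapping of questions to outcomes
is an assumed reading of the chart (see the lead-in), and SAMPLE_DISCLOSURES
is a constructed batch.
"""
from dataclasses import dataclass, field

# Priorities use the wording of the outcome boxes in Figure 1.
NO_ACTION = "No further action"
LOW_MODERATE = "Schedule for patching as Low-Moderate priority"
HIGH = "Schedule for patching with High Priority"
EMERGENCY = "Schedule for patching with Emergency Priority"
PRIORITY_RANK = {NO_ACTION: 0, LOW_MODERATE: 1, HIGH: 2, EMERGENCY: 3}


@dataclass
class Disclosure:
    """Answers to the five questions in Figure 1 for one disclosed vulnerability."""
    name: str
    impacts_us: bool
    poc_available: bool
    critical_infrastructure: bool
    exploited_in_the_wild: bool
    targeted_at_us: bool


@dataclass
class Decision:
    priority: str
    actions: list = field(default_factory=list)


def triage(d):
    """Walk the chart left to right (assumed reading of Figure 1).

    Each NO answer returns the outcome beneath that question; each YES moves
    on. The three actions across the top of the chart are assumed to attach
    at the critical-infrastructure, in-the-wild and targeted questions.
    """
    if not d.impacts_us:
        return Decision(NO_ACTION)
    if not d.poc_available:
        return Decision(LOW_MODERATE)
    if not d.critical_infrastructure:
        return Decision(HIGH)
    actions = ["Deploy mitigating controls (WAF)"]
    if not d.exploited_in_the_wild:
        return Decision(EMERGENCY, actions)
    actions.append("Monitor for exploitation (IDS/IPS/EDR)")
    if not d.targeted_at_us:
        return Decision(EMERGENCY, actions)
    actions.append("Threat hunt with known IOA/IOCs")
    actions.append("Block known attacker infrastructure")
    return Decision(EMERGENCY, actions)


def patch_queue(disclosures):
    """Order a batch most urgent first; equal priorities keep their input order."""
    decided = [(d.name, triage(d)) for d in disclosures]
    return sorted(decided, key=lambda nd: -PRIORITY_RANK[nd[1].priority])


# Constructed sample batch (hypothetical identifiers, not real advisories).
SAMPLE_DISCLOSURES = [
    Disclosure("VULN-A", True, False, True, False, False),
    Disclosure("VULN-B", True, True, True, True, True),
    Disclosure("VULN-C", False, True, True, True, True),
    Disclosure("VULN-D", True, True, False, True, False),
]

if __name__ == "__main__":
    for name, decision in patch_queue(SAMPLE_DISCLOSURES):
        acts = ", ".join(decision.actions) or "none"
        print(f"{name}: {decision.priority}; actions: {acts}")
```

Two properties of the chart stand out once it is code: the impact question gates everything, so a disclosure for a product you do not run is dropped without consuming analyst time, and a vulnerability with no public PoC lands in the low-to-moderate queue even when it touches critical infrastructure, which is the “thoughtful patching” the text argues for. As the brief says, tailor the thresholds to your own environment before relying on them.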
Know Your Systems: Business leaders need to understand their risk posture and attack surfaces in depth. If you have a solid grasp on your own risk posture, you can narrow down which threats present a greater danger to your specific industry or geographic location. Actionable threat intelligence is key to fully understanding industry-specific risks and what to be watching for on your perimeter.

Prioritize Patching: If your cybersecurity team finds a vulnerability in your systems that isn’t currently being exploited, take a thoughtful approach to implementing a patch. If you rush out an emergency patch, you may create even more vulnerabilities down the line. Prioritizing thoughtful patching when it’s an option is an important part of ensuring your attack surfaces remain as small as possible.

Vulnerability Procedures: It’s a business imperative to have precise procedures in place in the event that your team does find a vulnerability in your systems. SonicWall’s PSIRT Operational Senior Manager, Immanuel Chavoya, created this flowchart that can be utilized by businesses as a starting point for their own procedures (see figure 1). While businesses may need to tailor this chart to fit their own needs, this can be a valuable jumping-off point for prioritization in their own security posture.

Utilize Free Resources: The Cybersecurity & Infrastructure Security Agency (CISA) has multiple free resources that can act in tandem with your other security measures to benefit your organization. CISA has an email list for Known Exploited Vulnerabilities (KEV) that is free to sign up for. The KEV list is a continuously updated list of exploits that are being seen in the wild. It’s completely free, actionable threat intelligence that your business can utilize.

CISA also operates zero-cost Cyber Hygiene Services for businesses. They’ll provide you free vulnerability scanning of your perimeter, free pen testing and free WebApp security scans. If you’re a business with limited resources, CISA provides some valuable resources completely free of charge.

Education is key when it comes to protecting your devices, data and users. Many cybersecurity companies provide annual reports on the latest threat intelligence and trends in cybersecurity, and these reports can help organizations know what the greatest threats to their particular industry and geographical region are. SonicWall’s 2023 Cyber Threat Report is available to download for free right now.

Conclusion

Threat actors, nation-states and researchers will continue to search for zero days, and the zero-day economy isn’t going away any time soon. Despite that, with actionable threat intelligence, thoughtful procedures and technology solutions like SonicWall’s patented RTDMI, businesses can gain some peace of mind. While there’s no such thing as guaranteed protection from any cyber threat, businesses who put time and effort into building out a robust cybersecurity program will be much better off than businesses ignoring the threats that are lurking in their own networks.
About SonicWall
SonicWall delivers Boundless Cybersecurity for the hyper-distributed era and a work reality where everyone is remote, mobile
and unsecure. By knowing the unknown, providing real-time visibility and enabling breakthrough economics, SonicWall
closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information, visit
www.sonicwall.com.
SonicWall, Inc.
1033 McCarthy Boulevard | Milpitas, CA 95035
Refer to our website for additional information.
www.sonicwall.com
© 2023 SonicWall Inc. ALL RIGHTS RESERVED.
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their
respective owners. The information in this document is provided in connection with SonicWall Inc. and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any
intellectual property right is granted by this document or in connection with the sale of SonicWall products. Except as set forth in the terms and conditions as specified in the license agreement for this
product, SonicWall and/or its affiliates assume no liability whatsoever and disclaims any express, implied or statutory warranty relating to its products including, but not limited to, the implied warranty
of merchantability, fitness for a particular purpose, or non- infringement. In no event shall SonicWall and/or its affiliates be liable for any direct, indirect, consequential, punitive, special or incidental
damages (including, without limitation, damages for loss of profits, business interruption or loss of information) arising out of the use or inability to use this document, even if SonicWall and/or its
affiliates have been advised of the possibility of such damages. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of
this document and reserves the right to make changes to specifications and product descriptions at any time without notice. SonicWall Inc. and/or its affiliates do not make any commitment to update
the information contained in this document.
ExecBrief-RiseofZeroDays-JK-8068