How to Prevent and Detect Zero-Click Attacks

Organizations face an increasingly challenging cybersecurity landscape with threat actors using progressively complex and cloaked techniques to infiltrate devices, organizational systems and networks. One of the most elusive dangerous threats, zero-click attacks, can be hard to spot and pose a significant risk to individuals and organizations. 

In a zero-click attack, all threat actors need to do is send a message or file to a device connected to your systems or network, and the malware does its work. Little to no traces are left behind, escaping detection to the user and organization. 

This pieces details how zero-click attacks work, why they are undetectable and provides best practices to mitigate risk to both individuals and the organization. 

What is a Zero-Click Attack? 

Zero-click attacks are executed without any interaction from the victim unlike phishing or smishing attacks that rely upon social engineering or other actions that mislead users. This method of attack doesn’t require links to be clicked or malicious files to be downloaded. Essentially, it’s invisible, making it challenging for even the best of security teams. 

Zero-click attacks focus on organizations, governments, small businesses and individuals. Many state-sponsored attacks use the zero-click methodology to infiltrate businesses with the goal of landing big payoffs, either by selling data or ransoming it. Third parties—contractors, suppliers and vendors of organizations—are a significant risk because they can serve as a means of data exfiltration.

Zero-Click vs. Zero-Day Attacks   

Zero-click attacks often rely on zero-day attacks to execute. While they sound similar, zero-click attacks and zero-day attacks are quite different. Zero-click attacks are an exploit that requires no user input or engagement. Zero-click attacks commonly target messaging apps since they receive large amounts of data from unknown sources without requiring any device, data or owner validation.  Zero-day attacks help open the door to zero-day attacks. 

Zero-day attacks are software and platform vulnerabilities not yet known to software providers, which makes it less likely a patch is already available to provide a fix. When developers learn of the vulnerability, they patch it most likely after the damage is done. Since zero-click attacks enable hackers to infiltrate victims without them taking an action, even the most tech-savvy security conscious individuals and organizations can be prone to attack until the threat is identified. 

READ:  Data Exfiltration: Threats, Challenges and Prevention 

How Zero-Click Attacks Happen 

Zero-click attacks work by exploiting existing vulnerabilities in operating systems and applications, especially mobile apps. Zero-click attacks are executed in the following steps: 

• Attackers exploit existing loopholes in the data-verification function of apps and operating systems. 
• Bad or malware code is easily hidden in emails, messaging apps, PDFs, images and texts. 
• Once received, the code is activated, infecting the device with spyware to gain access to data on the device, including sensitive emails, phone calls, texts, system logins and more. 

Successful zero-click attacks can provide attackers with open access to both the individual and their organization’s data and emails on targeted devices. Even if the original source email is deleted, the infection can persist. 

Zero-Click Attack Examples 

Recent zero-click attacks have focused on high-profile mobile device apps: 

• Recently, a zero-click iPhone spyware exploit was discovered in Apple’s iMessage program. The exploit was installed on endpoints belonging to members of the European Parliament, as well as legislators, jurists, journalists and members of civil organizations and their families. 
• Another iPhone exploit, called BlastDoor, took advantage of an undocumented security vulnerability in Apple’s iMessage. It too involved spyware. 
• Three years ago, WhatsApp was hit with a zero-click attack that was triggered by a missed phone call. It allowed attackers to load spyware in the data exchanged between the two devices. 

Common Zero-Click Techniques 

Victims are usually unaware they’ve been exploited, and cybercriminals gain access to the entirety of their mobile devices (including password apps and photos) without detection, since the data is automatically validated by the delivery method. 

User interaction isn't needed to launch a zero-click attack, so any traces of malicious activity or intrusion are invisible. Once threat actors execute their attack, they then begin to collect information about the user. Device breaches and data compromise can include: 

• Collecting user information, including location, browsing history, contacts and essentially anything else on the device. 
• Installing surveillance software to listen to conversations. 
• Encrypting user files and demanding ransom. 
• Copying all the content in an inbox before deleting itself. 

To date, some of the most notable attacks include Pegasus software, which has been used in several attacks since its initial discovery in 2016, along with other zero-click attacks. 

Challenges in Zero-Click Attacks 

Unfortunately, zero-click attacks are designed to bypass endpoint security, which means it’s incredibly difficult for users to protect themselves. Mobile devices used by employees for both personal and work purposes are particularly worrisome, because they are especially susceptible to zero-click attacks. 

Employees using BYOD devices can be infected through iMessage, Facebook Messenger, WhatsApp and other applications, ultimately giving hackers access to their own devices and to their employers’ systems by extension. 

It’s also common for hackers to use infected devices for cyberespionage and ransomware activities because zero-click attacks don’t leave the same digital footprints other types of attacks do. 

Detecting and Preventing Zero-Click Attacks 

While it’s difficult to detect zero-click attacks, there are several steps you can take to mitigate the risks associated with this malicious attack. 

1. Educate your organization about zero-click attacks and best practices for mobile and computer security. 
2. Update your operating systems and apps regularly. Restart mobile devices periodically. 
3. Install only necessary apps from official stores (fewer apps equates to fewer risks). 
4. Pay close attention to the developers of any apps prior to installation (educate employees as well). 
5. Use MFA when accessing websites, email, social media and other types of accounts. 
6. Practice network, application and user segmentation, diligent traffic monitoring, good information security hygiene, and advanced security analytics. 
7. Install extensions to block popups and spam, or configure browser settings on your devices to prevent them from popping up. 
8. Block employees from reusing old passwords or using the same password across multiple platforms; provide training for best password practices. 
9. Install good anti-malware and antivirus protection, and run regular scans. 

If your organization does have BYOD policies, be sure to add in restrictions. Alternatively, don’t allow BYOD but offer work-issued phones or devices to be used strictly for work where you have more control. 

Bad actors have made it quite clear they are not slowing down compromising both individuals and organizations. By being proactive and understanding zero-click attacks and its related cyber threats, you can improve your security posture and help mitigate organizational risk. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.