Mike Plavin
ServiceNow Employee

What is a Zero-Day Vulnerability?

The term "zero-day" refers to the fact that the vendor or developer has only just learned of the flaw, which means they have "zero days" to fix it. A zero-day attack takes place when attackers exploit the flaw before developers have a chance to address it.


What happened?

On May 31, 2023, Progress Software Corporation announced a vulnerability in their MOVEit file transfer software, which is used by thousands of organizations and federal agencies. The FBI and CISA released a joint Cybersecurity Advisory to disseminate known ransomware indicators and tactics identified through FBI investigations as recently as June 2023. Several organizations whose supply chains use the MOVEit app have suffered a data breach as a result, with customer data being stolen. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer databases.


Note: ServiceNow does not use the MOVEit transfer software in our environments hosting customer instances. For more information, see: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1362314 


CISA Recommended Actions

  1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
    Recommended solution: IT Operations Management and IT Asset Management/Software Asset Management Professional
  2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
    Recommended solution: Adopt a Zero Trust methodology
  3. Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
    Recommended solution: ITSM, Security Incident Response Professional, and Configuration Compliance
  4. Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
    Recommended solution: Vulnerability Response Professional or Enterprise

Note: the recommended solutions listed above are ServiceNow solutions or key methodologies.



(image: example of how ServiceNow workflows help respond to a zero-day vulnerability)


What Can I Do to Protect My Organization?

Using ServiceNow, there are many ways you can build a vulnerability assessment workflow that spans multiple teams. The following is one such example:


  1. A Vulnerability Manager learns from a workflow alert routed from the software asset management (SAM) team that a zero-day vulnerability involving three different versions of a major software vendor's product is present on 73 laptops, including the CFO's device. She opens Software Exposure Assessment within Vulnerability Response and sees attributes such as Publisher, Product, Version, and Edition. This verifies that the intelligence provided by the SAM team is real and needs immediate corrective action.
  2. The Vulnerability Manager quickly creates records for each vulnerable asset and combines them into a single work task called a Vulnerability Group. All of this takes only a few minutes.
  3. The Vulnerability Group is automatically assigned to IT staff and/or software application owners, who will remediate the affected assets; the workflow also tracks the remediation activities for the Vulnerability Manager as they are completed.
  4. IT pushes out an immediate patch and schedules a patch for production systems.
  5. The vulnerability has a high or critical priority, so an alert is created in case other devices join the network later, allowing the vulnerability to be patched automatically.
  6. Security Operations closes the case and updates a knowledge article for future vulnerability assessments.
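The exposure check behind steps 1 and 2 (match inventory attributes against the advisory, collect the exposed assets into one group, and set its priority) can be expressed as a small script. This is an added example, not ServiceNow or Progress code: the vendor, product, version numbers, fixed-version thresholds and inventory rows are constructed, and the rule that an executive-owned asset raises the group to critical is an assumption standing in for the CFO's device in the example.

```python
# Constructed inventory rows (asset, owner, publisher, product, version, edition):
# the attributes Software Exposure Assessment shows in the workflow above.
INVENTORY = [
    ("LT-0001", "cfo",     "ExampleVendor", "ExampleTransfer", "2022.1.3", "Enterprise"),
    ("LT-0002", "analyst", "ExampleVendor", "ExampleTransfer", "2022.1.5", "Enterprise"),
    ("LT-0003", "dev",     "ExampleVendor", "ExampleTransfer", "2021.0.4", "Standard"),
    ("LT-0004", "dev",     "ExampleVendor", "ExampleTransfer", "2023.0.0", "Standard"),
    ("LT-0005", "ops",     "OtherVendor",   "OtherTool",       "2022.1.3", "Standard"),
    ("LT-0006", "ops",     "ExampleVendor", "ExampleTransfer", "2020.1.2", "Standard"),
]

# Constructed advisory: for each affected release branch, the first fixed build.
ADVISORY = {
    "publisher": "ExampleVendor", "product": "ExampleTransfer",
    "fixed_in": {"2021.0": "2021.0.6", "2022.1": "2022.1.5", "2023.0": "2023.0.1"},
}

def parse_version(v):
    # Numeric tuple so "2022.1.10" sorts after "2022.1.9" (string compare would not).
    return tuple(int(x) for x in v.split("."))

def exposure(publisher, product, version, advisory):
    """True = exposed, False = not affected, None = branch not covered (needs review)."""
    if (publisher, product) != (advisory["publisher"], advisory["product"]):
        return False
    fixed = advisory["fixed_in"].get(".".join(version.split(".")[:2]))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

def assess(inventory, advisory, executives=frozenset({"cfo"})):
    """Build a Vulnerability Group: exposed assets, the distinct versions seen,
    a priority, and assets whose release branch the advisory does not mention."""
    group = {"assets": [], "versions": set(), "needs_review": [], "priority": "high"}
    for asset, owner, pub, prod, version, _edition in inventory:
        status = exposure(pub, prod, version, advisory)
        if status is None:
            group["needs_review"].append(asset)  # do not silently drop unknown branches
        elif status:
            group["assets"].append(asset)
            group["versions"].add(version)
            if owner in executives:  # assumed rule: executive device raises priority
                group["priority"] = "critical"
    return group

if __name__ == "__main__":
    print(assess(INVENTORY, ADVISORY))
```

Assets on a branch the advisory does not list are reported separately rather than marked safe, so the analyst reviews them instead of the script guessing.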