18 January 2024

Zero-click attacks: everything you need to know

What you need to know about zero-click attacks: definition, intricacies, vulnerabilities, real-world incidents, and effective mitigation strategies for zero-click attacks.

Zero-click attacks can be traced back to the early days of cyber-attacks and whilst we have seen a steady uptick in zero-click attacks over the last few years, 2024 is set to be a year of proliferation for this devastating cyber-attack.

As organisations and individuals become digital-first and device-dependent, understanding and mitigating the risks associated with these attacks is crucial.

In this comprehensive guide, we will delve into the definition, intricacies, vulnerabilities, real-world incidents, and effective mitigation strategies for zero-click attacks.

Definition and overview of zero-click attacks

Zero-click attacks are a formidable threat that can infiltrate systems without requiring any direct interaction from users. Unlike traditional cyber threats that depend on user-triggered actions, zero-click attacks leverage intricate vulnerabilities in software, networks, and protocols to stealthily breach digital defences.

As zero-click attacks eliminate the need for any affirmative user engagement, they become particularly insidious. The absence of any sort of user interaction in these attacks makes them highly deceptive, as victims remain unaware of the compromise, allowing threat actors to operate covertly and persistently within targeted environments. If you consider that cyber threats are designed to go under the radar for as long as possible (average cyber breach in the UK takes up to 260 days to detect), zero-click attacks aim to take this to the next level.


Often, to run a zero-click attack, a threat actor needs to meticulously craft a malicious payload whilst also understanding the intricacies of the target system, in order to evade detection mechanisms. The payload is then delivered through a variety of means, including weaponised documents, malicious links, or network-based vectors, each carefully selected to exploit the identified vulnerabilities.

Zero-click attacks represent a paradigm shift in cyber security, demanding heightened awareness and proactive defences. It is also evident that a comprehensive understanding of these attacks is essential for individuals, organisations, and cyber security professionals alike.

What does a zero-click attack look like?

To comprehend the anatomy of zero-click attacks, we must explore the various phases involved, from vulnerability exploitation to the discreet achievement of malicious objectives.

  1. Identify vulnerability: Zero-click attacks rely on a diverse array of vulnerabilities that permeate the digital landscape. These vulnerabilities include things like unsecured network protocols, operating system flaws, mobile OS-specific weaknesses and more, which we discuss and explain later in this guide. The attackers meticulously exploit these vulnerabilities to pave the way for surreptitious entry into the targeted systems.
  2. Forming a plan of attack: At the heart of a zero-click attack lies a meticulously crafted payload, a digital weapon tailored to navigate the intricacies of the target system. Cybercriminals invest time and expertise to develop code that not only exploits the identified vulnerabilities but also evades detection by security measures.
  3. Delivery mechanism: Zero-click attacks employ diverse delivery mechanisms to infiltrate systems. This can range from the deployment of weaponised documents and malicious links in emails to network-based attacks that exploit vulnerabilities in routers or firewalls. The chosen method depends on the attackers' objectives and the vulnerabilities they have identified.
  4. Triggering the exploit: What sets zero-click attacks apart is their ability to operate autonomously, devoid of any user interaction. The exploit is triggered automatically when specific conditions are met, either through system-initiated actions or the mere act of connecting to a compromised network. This hands-off approach enhances the effectiveness of the attack, allowing threat actors to remain undetected during the initial phases.
  5. Objective obtained: Once the exploit is successful, zero-click attacks can accomplish a range of malicious objectives. This includes the exfiltration of sensitive data, installation of malware for persistent access, or gaining unauthorised control over critical systems. The seamless execution of these objectives further emphasises the covert and persistent nature of zero-click attacks.
  6. Staying in the shadows: The hallmark of zero-click attacks is their ability to maintain a low profile, often escaping immediate detection. This stealthiness is a strategic advantage, enabling threat actors to operate within compromised systems for extended periods without raising alarm bells - inflicting substantial damage.

Understanding each facet of this intricate process is paramount for individuals, cyber security decision-makers, and organisations seeking to fortify their defences.

15 common vulnerabilities exploited by zero-click attacks


Zero-click attacks capitalise on a diverse range of vulnerabilities within digital infrastructures. Let us explore both common and emerging points of exploitation:

  1. Unsecured network protocols: Insecure network protocols provide fertile ground for exploitation. Zero-click attacks may target vulnerabilities in protocols like HTTP, FTP, or DNS, exploiting weaknesses in communication channels to facilitate unauthorised access or information exfiltration.
  2. Memory corruption flaws: Memory corruption flaws represent prime targets for zero-click attacks. By manipulating memory allocation, attackers can execute arbitrary code, enabling them to compromise the integrity of a system and gain unauthorised access.
  3. Buffer overflows: Buffer overflows, a classic vulnerability, continue to be exploited in zero-click attacks. By inundating a program's memory with data beyond its capacity, attackers can overwrite critical data and execute malicious code, circumventing security measures.
  4. Software logic errors: Zero-click attacks often exploit logical flaws within software. These errors, arising from faulty programming logic, can be manipulated to divert the expected execution flow, providing attackers with an avenue to execute malicious actions without user interaction.
  5. Insecure deserialization: Vulnerabilities related to insecure deserialization present an avenue for attackers to manipulate the handling of serialized data. By exploiting flaws in how data is reconstructed, threat actors can inject malicious code, bypassing traditional security measures.
  6. Zero-day vulnerabilities: Zero-click attacks frequently target zero-day vulnerabilities—undisclosed, unpatched vulnerabilities that threat actors exploit before developers can provide a fix. This makes these attacks particularly potent, as they leverage unknown weaknesses. And considering 35% of all malware identified is zero-day malware, you can understand why this is a very commonly targeted vulnerability.
  7. Operating system flaws: Operating systems, serving as the backbone of digital ecosystems, are frequent targets for zero-click attacks. Exploiting vulnerabilities in the operating system allows attackers to compromise the entire system, potentially gaining control over critical functionalities.
  8. Third-party libraries and components: Zero-click attacks often exploit vulnerabilities in third-party libraries and components integrated into software applications. As these components may not be scrutinised as thoroughly as core functionalities, they become attractive targets for attackers seeking points of compromise.
  9. Mobile OS-specific flaws: With the proliferation of mobile devices, both personally and professionally, vulnerabilities specific to mobile operating systems (iOS and Android) are prime targets for zero-click attacks. These can include flaws in app permissions, secure enclave vulnerabilities, or weaknesses in mobile communication protocols.
  10. Supply chain attacks: Zero-click attacks may extend to the software supply chain, compromising trusted sources and injecting malicious code into legitimate software updates. By exploiting vulnerabilities in the supply chain, attackers can compromise a wide range of systems simultaneously.
  11. Hardware vulnerabilities: Hardware vulnerabilities, such as those related to microprocessor design flaws or firmware vulnerabilities, can be leveraged in zero-click attacks. These vulnerabilities may provide attackers with low-level access to critical system components.
  12. Cryptographic vulnerabilities: Flaws in cryptographic implementations can serve as a gateway for zero-click attacks. Weaknesses in encryption algorithms or poor key management practices can be exploited to compromise the confidentiality and integrity of sensitive data.
  13. Web application vulnerabilities: Web applications, being ubiquitous in the digital landscape, present many opportunities for zero-click attacks. Vulnerabilities like SQL injection, cross-site scripting (XSS), or CSRF (Cross-Site Request Forgery) can be exploited to compromise user data or execute unauthorised actions.
  14. IoT device vulnerabilities: As the Internet of Things (IoT) continues to expand, vulnerabilities in IoT devices become attractive targets for zero-click attacks. Compromising these devices can lead to unauthorised access to networks or disruption of critical services.
  15. Social engineering: Human factors play a crucial role in zero-click attacks. Social engineering exploits, such as phishing or pretexting, can be combined with technical vulnerabilities to achieve a seamless compromise without user interaction.

Understanding the breadth of vulnerabilities exploited by zero-click attacks is imperative for organisations and individuals seeking to bolster their defences. It highlights the importance of continuous vigilance, robust patch management, and proactive security measures.
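Items 2 and 3 above (memory corruption flaws and buffer overflows) are the classic route into a messaging app that parses incoming media automatically, before the recipient ever taps the message. The following is an added example, not code from the article or from any real messaging app: it defines a constructed toy chunk format, shows a bounds check that can be wrapped around by an attacker-controlled length field beside the correct form, and a parser that rejects malformed messages instead of copying past its buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format for an incoming media message (not a real codec):
 * a sequence of chunks, each 4-byte big-endian payload length, 4-byte tag,
 * then the payload. A client would parse this on receipt, with no user
 * interaction, which is what makes parser bugs zero-click. */
#define CHUNK_HDR 8u
#define MAX_PAYLOAD 4096u

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak check: adding an attacker-controlled len to the offset can wrap the
 * 32-bit sum to a small value, so an oversized chunk passes as "fitting". */
bool chunk_fits_weak(uint32_t off, uint32_t len, uint32_t buflen) {
    return off + CHUNK_HDR + len <= buflen;
}

/* Correct check: subtract the already-validated offset from the buffer size
 * and compare len against the remaining space, so nothing can wrap. */
bool chunk_fits_safe(uint32_t off, uint32_t len, uint32_t buflen) {
    if (off > buflen || buflen - off < CHUNK_HDR) return false;
    return len <= buflen - off - CHUNK_HDR;
}

/* Walks the chunk list using the safe check and copies each payload into a
 * fixed scratch buffer. Returns the chunk count, or -1 for a malformed
 * message so the caller drops it rather than crashing or corrupting memory. */
int parse_media_message(const uint8_t *msg, uint32_t msglen) {
    uint8_t scratch[MAX_PAYLOAD];
    uint32_t off = 0;
    int count = 0;
    while (off < msglen) {
        if (!chunk_fits_safe(off, 0, msglen)) return -1;   /* truncated header */
        uint32_t len = rd32(msg + off);
        if (!chunk_fits_safe(off, len, msglen)) return -1; /* truncated or wrapped */
        if (len > MAX_PAYLOAD) return -1;                  /* scratch buffer bound */
        memcpy(scratch, msg + off + CHUNK_HDR, len);
        off += CHUNK_HDR + len;
        count++;
    }
    return count;
}

/* Constructed sample messages. */
const uint8_t SAMPLE_OK[] = {0, 0, 0, 3, 'I', 'M', 'G', ' ', 'a', 'b', 'c',
                             0, 0, 0, 0, 'E', 'N', 'D', ' '};
/* Length field 0xFFFFFFF8: off + 8 + len wraps to 0 in the weak check. */
const uint8_t SAMPLE_WRAP[] = {0xFF, 0xFF, 0xFF, 0xF8, 'I', 'M', 'G', ' ', 0, 0, 0, 0};
/* Length field claims 100 bytes but only 2 follow the header. */
const uint8_t SAMPLE_TRUNC[] = {0, 0, 0, 100, 'I', 'M', 'G', ' ', 'a', 'b'};

int main(void) {
    printf("weak check accepts wrapped len: %d\n", chunk_fits_weak(0, 0xFFFFFFF8u, 12));
    printf("safe check accepts wrapped len: %d\n", chunk_fits_safe(0, 0xFFFFFFF8u, 12));
    printf("valid message chunks: %d\n", parse_media_message(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("wrapped message: %d\n", parse_media_message(SAMPLE_WRAP, sizeof SAMPLE_WRAP));
    printf("truncated message: %d\n", parse_media_message(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```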

A timeline of zero-click attack incidents


Zero-click attacks have left a trail of insidious incidents in their wake, highlighting the evolving sophistication of cyber threats. Let us run through some notable zero-click attack incidents.

  • [2010] Stuxnet worm: Discovered in 2010, and although not a traditional zero-click attack, it displayed the unprecedented capability of malware to manipulate physical systems. Stuxnet targeted supervisory control and data acquisition (SCADA) systems, specifically aiming at Iran's nuclear program. Its sophisticated design and ability to propagate autonomously within air-gapped networks demonstrated the potential of highly advanced cyber threats to bypass conventional security measures, setting a precedent for future attacks.
  • [2015] Android STAGEFRIGHT Vulnerability: The STAGEFRIGHT vulnerability in Android, discovered in 2015, marked a significant zero-click attack vector. By exploiting flaws in the processing of multimedia messages, attackers could compromise Android devices remotely without any user interaction. This vulnerability exposed millions of Android users to potential exploitation.
  • [2016] Project Raven: A team of former U.S. government intelligence operatives working for the United Arab Emirates (UAE) hacked into the iPhones of activists, diplomats, and rival foreign leaders with the help of a sophisticated spying tool called Karma. Those targeted include the Emir of Qatar, a senior Turkish official, a Nobel Peace laureate, and a human-rights activist in Yemen.
  • [2018] Jeff Bezos' Phone Hack: In a high-profile incident, the personal phone of Amazon's CEO, Jeff Bezos, fell victim to a zero-click attack in 2018. The attack exploited a vulnerability in the WhatsApp messaging app, allowing the installation of malware. This incident underscored the potential for zero-click attacks to compromise even the devices of prominent individuals.
  • [2019] WhatsApp SRTCP Attack: Not content with just Jeff Bezos’ data, threat actors hit WhatsApp with a zero-click attack that exploited a vulnerability in the Session Initiation Protocol (SIP) implementation used for Secure Real-time Transport Protocol (SRTP) key exchanges. This attack allowed threat actors to compromise the app without any user interaction, potentially exposing users' private messages and multimedia content.
  • [2020] iOS Mail Vulnerability: Apple's iOS Mail app encountered a zero-click vulnerability in 2020. This flaw allowed attackers to send a specially crafted email that, upon receipt, triggered the exploit without requiring any action from the user. The vulnerability potentially enabled unauthorised access to the user's mailbox and sensitive email contents.
  • [2021] Apple FORCEDENTRY Exploit: Apple faced a zero-click attack through the FORCEDENTRY exploit. This attack targeted Apple's iMessage app and exploited a vulnerability related to the way the app processed images. The exploit allowed threat actors to compromise iPhones without any user interaction, emphasising the need for robust security measures in messaging applications. This attack was notable for its ability to bypass Apple’s BlastDoor security feature, which was designed to prevent such attacks.
  • [ONGOING] Pegasus Spyware by NSO Group: The Pegasus spyware, developed by the Israeli NSO Group, has been at the forefront of zero-click attacks. This spyware, designed to infiltrate mobile devices without any user interaction, has been implicated in various high-profile cases such as the hacking of a Bahraini human rights activist’s iPhone.

These incidents collectively underscore the dynamic and persistent nature of zero-click attacks. Organisations and individuals must remain vigilant, implementing proactive security measures to mitigate the risks posed by these stealthy and sophisticated cyber threats.

15 ways to mitigate the risk of zero-click attacks


Let us explore an extensive set of strategies to mitigate the risk of falling victim to these sophisticated and covert cyber threats.

  1. Regular updates: Keeping software, operating systems, and applications up to date is a fundamental step in mitigating zero-click attacks. Regular updates often include security patches that address known vulnerabilities, reducing the attack surface available to threat actors.
  2. Threat intelligence integration: Integrate threat intelligence feeds to keep yourself and employees informed about emerging threats and tactics employed by threat actors. Proactively adjusting security measures based on real-time threat intelligence enhances the organisation's ability to defend against zero-click attacks.
  3. Network segmentation: Implementing network segmentation is crucial for limiting lateral movement within a network. By dividing the network into isolated segments, organisations can contain the impact of a potential breach, preventing attackers from easily traversing the entire infrastructure.
  4. Software Composition Analysis (SCA): Regularly conduct software composition analysis to identify and remediate vulnerabilities in third-party libraries and components. Many zero-click attacks exploit weaknesses in these components, making their thorough examination crucial.
  5. Employee training and awareness: Education is a powerful defence – we cannot emphasise this enough. Regularly train employees on cyber threats, the risks associated with zero-click attacks, and the importance of vigilant behaviour – keep employees on their toes before a threat actor does it for you! Also, encourage reporting of suspicious activities to enhance the collective defence posture and create a culture of cyber security responsibility.
  6. Easily accessible incident response plan: Develop and maintain an easily accessible incident response plan. This plan should provide clear steps for identifying, containing, eradicating and recovering from security incidents, and for capturing lessons learned afterwards. Rapid response is essential to minimise the impact of a zero-click attack.
  7. Antivirus and anti-malware software: Deploy robust antivirus and anti-malware solutions to detect and block malicious activities. Regularly update signature databases and utilise advanced threat detection mechanisms to identify and neutralise evolving threats.
  8. Email filtering and sandboxing: Enhance email security by implementing advanced filtering solutions. Sandboxing technology can isolate and analyse potentially malicious attachments or links, preventing zero-click attacks initiated through email channels.
  9. Regular security audits and behaviour assessments: Conduct regular security audits to identify and address vulnerabilities in systems and networks. Additionally, perform behaviour assessments to detect anomalies in user activities, as deviations from normal behaviour may indicate a compromise. For example, TSC’s popular SABR (Security Assessment and Behaviour Research) tool is fantastic for providing quality employee data that can inform a targeted and effective awareness and training strategy.
  10. Regular data backups and encryption: Implement a robust backup strategy to regularly back up critical data. Ensure that backups are stored in a secure location and regularly test the restoration process. Plus, encryption adds an extra layer of protection to sensitive data, even in the event of a breach.
  11. Manage and limit app permissions: Restrict and manage application permissions to the minimum required for functionality. This minimises the potential impact of a successful zero-click attack by limiting the scope of compromised applications.
  12. Intrusion Prevention Systems (IPS): Deploy IPS solutions to monitor network and/or system activities for malicious exploits or security policy violations. IPS can detect and block zero-click attacks by analysing traffic patterns and identifying abnormal behaviour.
  13. Consider a zero-trust architecture: A zero-trust model is not the right solution for every organisation or industry, but it can be beneficial for some. When adopting a zero-trust security model, you assume that threats can originate from both external and internal sources and every action must be verified before it can be allowed to proceed. Continuous verification and validation of all devices and users reduces the likelihood of unauthorised access.
  14. Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to advanced threats at the endpoint level. These solutions leverage behavioural analysis and machine learning to identify suspicious activities and mitigate potential zero-click attacks.
  15. Web Application Firewalls (WAF): Utilise WAFs to protect web applications from various attacks, including zero-click exploits targeting vulnerabilities in web-based interfaces. WAFs can filter and monitor HTTP traffic between a web application and the internet, identifying and blocking malicious activities.

By adopting a holistic and proactive approach that combines technical defences, employee education, and continuous monitoring, organisations can significantly reduce the risk of falling victim to zero-click attacks.

Final word

In the constantly spinning and shifting dance between cyber security champions and threat actors, mastering the moves to counter zero-click attacks is key to staying on your feet.

From fortifying software vulnerabilities to cultivating a culture of cyber resilience amongst employees, the defence playbook is expansive.

Regular updates, network segmentation, and vigilant employee training form the frontline, while robust incident response plans and advanced security technologies must also be taken into consideration.

So, as we navigate the dynamic landscape of cyber threats, remember this: staying ahead is not just a strategy; it is the ultimate cyber tango, where knowledge, awareness, and proactive defences dance in harmony to outmanoeuvre unseen forces and threat actors.

Working with the right partner

Partnering with a trusted cyber security training and awareness company, such as The Security Company Ltd. (TSC), is crucial. With 25 years of experience, TSC specialises in enhancing security behaviours, fostering a robust security culture, and raising awareness of threats and risks across global organisations.

The dynamic nature of cyber threats necessitates a comprehensive and adaptive cyber security strategy for UK law firms. By understanding the evolving threat landscape and investing in robust training and awareness initiatives, decision-makers can fortify their organisations against potential risks and cyberattacks.

At The Security Company, we specialise in boosting cyber awareness, targeted training, customised projects and role-based solutions. Through our tailored subscription services, targeted and customised eLearning and awareness materials and our behavioural assessments, we're committed to helping organisations like yours instil long-term, security-conscious behaviours.

Our method is distinct. We begin by diving deep into your team's current mindset, pinpointing lax behaviours, security gaps and departments in need of focus and attention. From there, we craft tailored solutions that encourage better cyber practices from your employees. With comprehensive training and seamless integration into your current systems, we're here to fortify your team against modern cyber threats and be your trusted cyber security and awareness partner.

Ready to take the next step?

We can help you to formulate an effective and comprehensive cyber security training and awareness program for your organisation year-round and be your dedicated partner for employee behaviour change and, ultimately, security culture change.

Do not hesitate to contact us for further information.

Written by Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
