The Russian-aligned group RomCom exploited two critical zero-day vulnerabilities in Mozilla Firefox and Windows in a sophisticated cyber-espionage campaign, allowing attackers to execute malicious code without user interaction.
The first vulnerability, CVE-2024-9680, carried a critical CVSS score of 9.8 and affected several Mozilla products, including Firefox, Thunderbird, and Tor Browser. When chained with a Windows vulnerability, CVE-2024-49039 (CVSS score 8.8), it allowed attackers to run malicious code on targeted systems with user-level privileges, potentially leading to unauthorized access and data breaches.
ESET researchers uncovered the exploit on October 8th, 2024, prompting Mozilla to act quickly and release patches for the affected products within 24 hours.
In response to the combined threat, Microsoft issued a fix for the Windows vulnerability on November 12th through update KB5046612, addressing the security gap across its systems.
The attack began when victims visited compromised sites that redirected them to exploit servers. The group used fake domains resembling real websites, adding terms like “redir” or “red.” The exploit then delivered RomCom’s backdoor, capable of running commands and downloading more malware.
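The redirection described above relied on lookalike domains that embed a legitimate site name plus an affix such as "redir" or "red". The following is an added example, not code from the original article or from ESET, showing how a defender could flag such hostnames in web-proxy logs. The legitimate domains (`example-news.com`, `example-bank.com`), the log format and the log lines are all constructed for the example; the two-label registered-domain assumption stands in for a public-suffix lookup.

```python
from urllib.parse import urlsplit

# Constructed list of legitimate domains the organisation's users visit.
LEGIT_DOMAINS = ["example-news.com", "example-bank.com"]

# Affixes the article reports being appended to real site names.
SUSPICIOUS_AFFIXES = ("redir", "red")

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-10-15T10:01:02Z 10.0.0.5 GET https://example-news.com/world/story 200
2024-10-15T10:01:05Z 10.0.0.5 GET https://example-newsredir.com/landing 302
2024-10-15T10:02:11Z 10.0.0.7 GET https://red-example-bank.com/login 200
2024-10-15T10:03:30Z 10.0.0.9 GET https://example-bank.com/ 200
2024-10-15T10:04:00Z 10.0.0.9 GET https://redirect.example-bank.com/ 200
"""


def registered_domain(host):
    """Return the last two labels of a hostname.

    Assumption for this example: no public-suffix list is available offline,
    so 'registered domain' is approximated as label.tld.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host, legit_domains=LEGIT_DOMAINS):
    """Return the legitimate domain being mimicked, or None.

    A hostname is genuine if its registered domain is in the allow-list
    (subdomains such as redirect.example-bank.com are therefore fine).
    It is flagged only when its registrable label is a known brand with
    one of the suspicious affixes attached, e.g. example-newsredir.com.
    """
    reg = registered_domain(host)
    if reg in legit_domains:
        return None
    label = reg.split(".")[0]
    for legit in legit_domains:
        brand = legit.split(".")[0]
        if brand in label and label != brand:
            remainder = label.replace(brand, "", 1).strip("-")
            if remainder in SUSPICIOUS_AFFIXES:
                return legit
    return None


def flag_log(log_text):
    """Parse proxy lines and return (client, host, mimicked_domain) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        host = urlsplit(parts[3]).hostname
        if not host:
            continue
        mimicked = is_lookalike(host)
        if mimicked:
            hits.append((parts[1], host, mimicked))
    return hits


if __name__ == "__main__":
    for client, host, legit in flag_log(SAMPLE_LOG):
        print(f"{client} visited {host} (mimics {legit})")
```

The check deliberately trusts subdomains of allow-listed domains and only looks for the specific affix pattern the article describes; typo-squats, homoglyphs and alternate TLDs of a real brand need a separate detection.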
From October 10th to November 4th, 2024, the campaign mainly targeted victims in Europe and North America, with affected numbers ranging from a few individuals to 250 per country. In 2024, RomCom focused on both cybercrime and espionage, targeting several sectors:
- Government agencies in Ukraine and Europe
- Defense sector in Ukraine
- Energy sector in Ukraine
- Pharmaceutical sector in the US
- Legal sector in Germany
- Insurance sector in the US
The Firefox vulnerability was a use-after-free bug in the animation timeline feature, while the Windows vulnerability lay in an undocumented RPC endpoint of the Task Scheduler service. Chaining the two allowed attackers to escape Firefox’s sandbox and gain elevated privileges on targeted systems.
This is RomCom’s second major zero-day exploit in recent months, following their use of CVE-2023-36884 through Microsoft Word in June 2023. The group, also known as Storm-0978, Tropical Scorpius, or UNC2596, has shown growing sophistication in its attack techniques.
The vulnerabilities have been fixed in these versions:
- Firefox 131.0.2
- Firefox ESR 115.16.1 and 128.3.1
- Tor Browser 13.5.7
- Thunderbird 115.16, 128.3.1, and 131.0.1
- Tails 6.8.1
Users are strongly encouraged to update their systems and browsers to the latest versions to stay protected.
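Because the fix landed on several release branches at once (mainline 131, ESR 128 and ESR 115), a naive "is my version newer than X" comparison gets the ESR branches wrong. The following is an added example, not part of the original article or of Mozilla's tooling, that checks an installed version string against the fixed versions listed above, selecting the fixed release on the same major branch. The product keys and the sample inventory are constructed for the example.

```python
import re

# Fixed versions as listed in the advisory, grouped by product.
FIXED_VERSIONS = {
    "firefox": ["131.0.2", "128.3.1", "115.16.1"],
    "tor-browser": ["13.5.7"],
    "thunderbird": ["131.0.1", "128.3.1", "115.16"],
    "tails": ["6.8.1"],
}


def parse_version(text):
    """Turn '128.3.1esr' or '131.0.2' into a tuple of ints.

    Trailing non-numeric suffixes (esr, b1, ...) are ignored; parsing stops
    at the first component with no leading digits.
    """
    parts = []
    for piece in text.strip().lower().removesuffix("esr").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def pad(version, width=3):
    """Right-pad with zeros so (115, 16) compares equal to (115, 16, 0)."""
    return version + (0,) * (width - len(version))


def is_patched(product, installed):
    """Return True if `installed` contains the fix for `product`.

    The fixed release on the same major branch is authoritative; a major
    newer than every fixed branch already carries the fix, while an older
    or unsupported major (e.g. Firefox 130) has no fixed release at all.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product}")
    inst = pad(parse_version(installed))
    fixed = [pad(parse_version(v)) for v in FIXED_VERSIONS[product]]
    same_branch = [f for f in fixed if f[0] == inst[0]]
    if same_branch:
        return inst >= same_branch[0]
    return inst[0] > max(f[0] for f in fixed)


def report(inventory):
    """Return [(host, product, version, patched)] for a constructed inventory."""
    return [(h, p, v, is_patched(p, v)) for h, p, v in inventory]


if __name__ == "__main__":
    # Constructed inventory of (host, product, installed version).
    sample = [
        ("ws-01", "firefox", "131.0.2"),
        ("ws-02", "firefox", "128.3.0esr"),
        ("ws-03", "thunderbird", "115.15.1"),
        ("ws-04", "tor-browser", "13.5.7"),
    ]
    for host, product, version, ok in report(sample):
        print(f"{host}: {product} {version} -> {'patched' if ok else 'UPDATE'}")
```

Feed it whatever your asset inventory exports; the only thing the check needs is a product name and the raw version string.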