Russian RomCom Hackers Exploit Critical Firefox and Windows Zero-Days. Here is what to know.


In a recent cyber-espionage campaign, the Russia-aligned RomCom group chained two zero-day vulnerabilities, one in Firefox and one in Windows, to run malicious code on victims’ computers. The only action required of the victim was to load an attacker-controlled web page; no click, download, or prompt was involved.


The Vulnerabilities

The first vulnerability, CVE-2024-9680, sits in Mozilla’s browser engine and therefore affected Firefox, Thunderbird, and Tor Browser. It is a use-after-free bug in Animation timelines that allowed attacker-controlled code to run inside the browser’s content-process sandbox. Mozilla shipped the fix on October 9, 2024, one day after ESET reported the bug, in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1, with corresponding Thunderbird and Tor Browser releases.

The second zero-day, CVE-2024-49039, was a privilege-escalation flaw in the Windows Task Scheduler service. It let code already running at the browser sandbox’s low integrity level break out of the Firefox and Tor Browser sandbox to the medium integrity level of an ordinary user process, which is all the backdoor needed to run as the logged-in user. Microsoft fixed it in the November 12, 2024 Patch Tuesday updates.
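A practitioner reading the two paragraphs above will want to know whether their own browser fleet is past the fix. The following is an added example for this article, not code from the original page, Mozilla, or ESET. It assumes only the fixed versions published in Mozilla’s advisory for CVE-2024-9680 (Firefox 131.0.2, ESR 128.3.1, ESR 115.16.1) and uses a constructed inventory of hostnames and version strings as input. The point it makes is that each release line has its own fix, so a naive "higher version is safer" comparison gets ESR wrong: 128.3.1esr is patched while 130.0 is not. It covers only the browser half of the chain; the Windows half (CVE-2024-49039) needs the November 2024 cumulative update, whose KB number differs per Windows build and is not checked here.

```python
"""Check Firefox version strings against the CVE-2024-9680 fix.

Added example, not from the original article, Mozilla or ESET. Fixed versions
are those in Mozilla's advisory for CVE-2024-9680. Each release line is compared
against its own fix rather than against a single global threshold.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Release line -> first version carrying the CVE-2024-9680 fix (Mozilla advisory).
FIXED_IN = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}

# Accepts "131.0.2", "130.0", "128.3.1esr" (as shown in about:support) and
# pre-release markers such as "132.0b3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[ab]\d+)?(esr)?$")


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), has_esr_suffix) for a Firefox version string."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def release_line(version: Version) -> str:
    """Map a version to the release line whose fix applies to it.

    115.x and 128.x are treated as ESR regardless of suffix: a mainline 128.0
    that never moved on is behind every fix anyway, so the ESR threshold is the
    right one to compare against.
    """
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(text: str) -> bool:
    """True if the version string is at or above the fix for its release line."""
    version, _esr = parse_version(text)
    return version >= FIXED_IN[release_line(version)]


# Constructed sample inventory (host, Firefox version as reported by an endpoint
# agent). Illustrative data only, not taken from any real environment.
SAMPLE_INVENTORY = [
    ("ws-0101", "131.0.2"),
    ("ws-0102", "131.0.1"),
    ("ws-0103", "130.0"),
    ("srv-0201", "128.3.1esr"),
    ("srv-0202", "128.3.0esr"),
    ("kiosk-0301", "115.16.0esr"),
    ("kiosk-0302", "115.16.1esr"),
    ("ws-0104", "132.0b3"),
]


def unpatched_hosts(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, required_fix) for each host still exposed to CVE-2024-9680."""
    exposed = []
    for host, ver in inventory:
        version, _ = parse_version(ver)
        line = release_line(version)
        if version < FIXED_IN[line]:
            exposed.append((host, ver, ".".join(map(str, FIXED_IN[line]))))
    return exposed


if __name__ == "__main__":
    for host, ver, need in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {ver} is unpatched for CVE-2024-9680, needs >= {need}")
```

Feed it whatever your asset inventory exports as the Firefox version string; the same three thresholds apply to the matching Thunderbird and Tor Browser releases only after you map those products’ own version numbers, which this example deliberately does not attempt.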

The Attack Chain

RomCom chained the two bugs: the Firefox use-after-free to get code running inside the content-process sandbox, and the Task Scheduler flaw to escape it. The result is effectively zero-click remote code execution: a victim only had to land on an attacker-controlled web page, after which the exploit downloaded and ran the RomCom backdoor on their system.

ESET researcher Damien Schaeffer explained, “The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit. If the exploit succeeds, shellcode is executed that downloads and executes the RomCom backdoor.”

Targeted Attacks

RomCom aimed the campaign at organizations in Ukraine, Europe, and North America, across government, defense, energy, pharmaceuticals, and insurance. Acquiring and operating a working zero-day chain across two vendors is a capability normally associated with well-resourced espionage actors, and this campaign shows RomCom has it.

Previous Exploits

This isn’t the first time RomCom has used zero-day vulnerabilities. In July 2023, the group exploited CVE-2023-36884, a zero-day in multiple Windows and Office products, to attack organizations attending the NATO Summit in Vilnius, Lithuania. RomCom, also tracked as Storm-0978, Tropical Scorpius, or UNC2596, has additionally been linked to financially motivated campaigns, ransomware, and extortion attacks.

Conclusion

RomCom’s use of Firefox and Windows zero-days shows the continuing threat from capable cyber-espionage actors. The practical takeaway is to confirm that Firefox, Thunderbird, and Tor Browser are at or above the versions that fix CVE-2024-9680 and that Windows hosts carry the November 2024 cumulative update. Patching only one half of the chain is not enough: an unpatched browser still hands the attacker code execution inside the sandbox, and an unpatched Task Scheduler still lets any future in-sandbox bug escape it.

