Windows Zero-days & Firefox Vulnerability Exploited by RomCom Hackers Group

Russian-aligned hacking group RomCom has been discovered exploiting two critical zero-day vulnerabilities affecting Mozilla Firefox and Windows systems in a sophisticated cyber-espionage campaign.

The vulnerabilities allowed attackers to execute malicious code on victims’ computers without any user interaction.

The first vulnerability, identified as CVE-2024-9680 with a critical CVSS score of 9.8, affected Mozilla products, including Firefox, Thunderbird, and Tor Browser. When combined with a Windows vulnerability (CVE-2024-49039, CVSS 8.8), attackers could execute arbitrary code with user-level privileges.

ESET researchers discovered the exploit on October 8th, 2024, prompting Mozilla to respond immediately and release patches within 24 hours. Microsoft subsequently patched the Windows vulnerability on November 12th through update KB5046612.


The attack chain began when victims visited compromised websites that redirected them to servers hosting the exploit.

Exploit Chain

The group used deceptive domain names mimicking legitimate websites, adding prefixes or suffixes like “redir” or “red” to appear authentic. Once successful, the exploit chain delivered RomCom’s signature backdoor, which was capable of executing commands and downloading additional malicious modules.
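The lookalike-domain pattern described above (a legitimate name with "redir" or "red" prepended or appended) lends itself to a simple proxy-log check. The following is an added example, not code from the article or from ESET; the allow-list, the log format and the hostnames in it are constructed for illustration, and the affix list is only the two strings the report names.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation's users legitimately visit.
KNOWN_DOMAINS = {"example.com", "example-bank.net"}

# The prefixes/suffixes named in the report; extend with what your own telemetry shows.
DECOY_AFFIXES = ("redir", "red")


def registrable_label(host):
    """Return the second-level label of a hostname ("example" for "www.example.com").
    Deliberately crude: no public-suffix handling, so tune for your own environment."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(host):
    """Return the allow-listed domain that `host` imitates, or None.
    A hit means the host's label is a known label with a decoy affix glued on,
    with or without a hyphen. An exact allow-listed host never matches."""
    label = registrable_label(host)
    for known in KNOWN_DOMAINS:
        klabel = registrable_label(known)
        if label == klabel:
            return None
        for affix in DECOY_AFFIXES:
            candidates = (affix + klabel, klabel + affix,
                          affix + "-" + klabel, klabel + "-" + affix)
            if label in candidates:
                return known
    return None


# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """2024-10-15T10:00:01Z 10.0.0.5 GET https://www.example.com/news
2024-10-15T10:00:04Z 10.0.0.5 GET https://redirexample.com/index.html
2024-10-15T10:00:09Z 10.0.0.7 GET https://example-red.com/
2024-10-15T10:00:12Z 10.0.0.9 GET https://unrelated.org/page"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def flag_proxy_log(text):
    """Return (client_ip, host, imitated_domain) for every line whose host
    looks like a decoy of an allow-listed domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        client, url = m.group(2), m.group(4)
        host = urlparse(url).hostname
        if not host:
            continue
        target = lookalike_of(host)
        if target:
            hits.append((client, host, target))
    return hits


if __name__ == "__main__":
    for client, host, target in flag_proxy_log(SAMPLE_LOG):
        print(f"{client} visited {host}, which imitates {target}")
```

The check is allow-list driven on purpose: it only asks whether a visited host is a known domain with a decoy affix attached, which keeps false positives low at the cost of missing imitations of domains you have not listed.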

Between October 10th and November 4th, 2024, the campaign primarily targeted victims in Europe and North America, with affected numbers ranging from single digits to 250 per country. RomCom’s activities in 2024 have shown a dual focus on both cybercrime and espionage operations, targeting various sectors, including:

  • Government entities in Ukraine and Europe
  • Defense sector in Ukraine
  • Energy sector in Ukraine
  • Pharmaceutical sector in the US
  • Legal sector in Germany
  • Insurance sector in the US

The Firefox vulnerability stemmed from a use-after-free bug in the animation timeline feature, while the Windows vulnerability lay in an undocumented RPC endpoint of the Task Scheduler service. Chained together, the two allowed attackers to escape Firefox’s sandbox and elevate privileges on targeted systems.

This marks RomCom’s second major zero-day exploitation in recent months, following their abuse of CVE-2023-36884 via Microsoft Word in June 2023. The group, also known as Storm-0978, Tropical Scorpius, or UNC2596, has demonstrated increasing sophistication in its attack methods.

The vulnerabilities have been patched in the following versions:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1 and 128.3.1
  • Tor Browser 13.5.7
  • Thunderbird 115.16, 128.3.1, and 131.0.1
  • Tails 6.8.1
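The fixed-version list above is what a fleet check has to compare against, and the comparison is not a plain string match: ESR branches (115.x and 128.x) were patched independently of the 131 release, so a version must be judged against its own branch. The following is an added example, not code from the article or from Mozilla; the minimum versions are copied from the list above, and the inventory it scans is constructed.

```python
import re

# Minimum fixed versions from the advisory, keyed by product and by major-version
# branch. Thunderbird "115.16" is recorded as 115.16.0.
FIXED_VERSIONS = {
    "firefox":     {131: (131, 0, 2), 128: (128, 3, 1), 115: (115, 16, 1)},
    "thunderbird": {131: (131, 0, 1), 128: (128, 3, 1), 115: (115, 16, 0)},
    "tor-browser": {13: (13, 5, 7)},
    "tails":       {6: (6, 8, 1)},
}


def parse_version(text):
    """Turn "128.3.1esr" or "131.0.2" into a 3-tuple of ints, padding with zeros."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_patched(product, version_text):
    """True if the installed version is at or above the fix for its branch.
    A branch newer than any listed fix (e.g. Firefox 132) is treated as patched;
    an older unlisted branch (e.g. Firefox 130, already end-of-life) is not."""
    branches = FIXED_VERSIONS[product.lower()]
    version = parse_version(version_text)
    fixed = branches.get(version[0])
    if fixed is None:
        return version[0] > max(branches)
    return version >= fixed


# Constructed inventory rows: (hostname, product, version string as reported).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.2"),
    ("ws-02", "firefox", "128.3.0esr"),
    ("ws-03", "firefox", "115.16.1esr"),
    ("ws-04", "thunderbird", "115.15.0"),
    ("ws-05", "tor-browser", "13.5.7"),
    ("ws-06", "firefox", "130.0.1"),
]


def find_unpatched(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

The Windows side of the chain is not covered here: confirming that KB5046612 is installed is a job for the patch-management system or a hotfix query on the host itself, not for a version table.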

Users are strongly advised to update their systems and browsers to the latest versions to protect against these vulnerabilities.


The post Windows Zero-days & Firefox Vulnerability Exploited by RomCom Hackers Group appeared first on Cyber Security News.