
Russian Group RomCom Used Firefox, Windows Zero Days in Recent Attacks

The RomCom attackers used two zero days to target companies worldwide

A Russian threat group known as RomCom recently used zero-day vulnerabilities in both Mozilla Firefox and Windows to target organizations in several countries, including Ukraine and the United States, in a campaign that delivered a backdoor for intelligence gathering and cybercrime operations.

The group, also tracked as Storm-0978, conducts a variety of operations, including cyberespionage, cybercrime, and ransomware, against organizations in several industries, such as government, defense, and pharmaceuticals. The recent campaign uncovered by researchers at ESET exploited previously unknown flaws in Firefox and Windows through a simple exploit chain that used a series of phishing sites.

CVEs: CVE-2024-9680 in Firefox; CVE-2024-49039 in Windows

Why it Matters: The RomCom threat actor has been exploiting these flaws since at least early October, when ESET first identified the attacks, and has targeted companies and government agencies around the world. The attacks show that the group either conducts its own vulnerability research or has access to another team doing that work. Drive-by download exploits against Firefox and Windows can be quite dangerous, especially for users who don't update their software often.

Key Details

  • ESET discovered the attacks on Oct. 8 and reported the Firefox bug to Mozilla the same day

  • Mozilla released a fix for CVE-2024-9680 on Oct. 9 

  • Further investigation into the exploit revealed that there was a second vulnerability involved, a privilege escalation bug in the Windows Task Scheduler

  • Microsoft patched CVE-2024-49039 on Nov. 12

  • CISA has added both flaws to its Known Exploited Vulnerabilities catalog

“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor – an example of which is depicted in Figure 1. While we don’t know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required. Finally, a JavaScript redirection is performed using window.location.href after a few seconds, giving the exploit time to run,” the ESET analysis says.

“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”
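The chain ESET describes above (landing page, redirect to an exploit host, payload fetch, then a JavaScript redirect away a few seconds later) leaves a recognizable footprint in web proxy logs, and a quick version check on the Firefox User-Agent string tells you whether a client that hit such a page was still exposed. The following Python script is an added example, not code from the article or from ESET. The log lines, client addresses and watch-listed host names are constructed placeholders rather than real RomCom indicators, and the fixed Firefox version it compares against is an assumption that should be confirmed against Mozilla's advisory for CVE-2024-9680.

```python
"""Proxy-log check for the drive-by pattern described by ESET: a client running
an unpatched Firefox requests a watch-listed landing host and, within a few
seconds, requests one or more other hosts (exploit server, payload, redirect
target). Everything below is constructed example data, not real indicators."""
import re
from datetime import datetime
from typing import Optional

# ASSUMPTION / placeholder: set this to the fixed Firefox version published in
# Mozilla's advisory for CVE-2024-9680 before using the check for real.
MIN_SAFE_FIREFOX = "131.0.2"

# Constructed watch-list of suspicious landing hosts (placeholders, not IoCs).
WATCHLIST = {"fake-site.example"}

# Constructed sample log: "<ISO timestamp> <client> <method> <url> <status> "<ua>""
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET http://fake-site.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-01-01T10:00:01Z 10.0.0.5 GET http://exploit-host.example/land 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-01-01T10:00:04Z 10.0.0.5 GET http://exploit-host.example/payload.bin 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-01-01T10:00:07Z 10.0.0.5 GET https://legit-site.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-01-01T11:00:00Z 10.0.0.9 GET http://fake-site.example/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0.2"
2024-01-01T11:00:02Z 10.0.0.9 GET http://exploit-host.example/land 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0.2"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def parse_version(version: str) -> tuple:
    """'131.0.2' -> (131, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_firefox(ua: str, min_safe: str = MIN_SAFE_FIREFOX) -> bool:
    """True when the User-Agent reports a Firefox build older than min_safe."""
    match = FIREFOX_RE.search(ua)
    if not match:
        return False
    return parse_version(match.group(1)) < parse_version(min_safe)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; returns None for unparseable lines."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]
    return rec


def find_driveby_chains(log_text: str, watchlist=WATCHLIST,
                        min_safe: str = MIN_SAFE_FIREFOX, window_seconds: int = 10) -> list:
    """Return one finding per (vulnerable client, watch-listed landing hit) that was
    followed by requests to other hosts inside window_seconds."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    findings = []
    for i, landing in enumerate(records):
        if landing["host"] not in watchlist or not is_vulnerable_firefox(landing["ua"], min_safe):
            continue
        followers = []
        for nxt in records[i + 1:]:
            if (nxt["ts"] - landing["ts"]).total_seconds() > window_seconds:
                break  # records are time-sorted, nothing later can be in the window
            if nxt["client"] == landing["client"] and nxt["host"] != landing["host"] \
                    and nxt["host"] not in followers:
                followers.append(nxt["host"])
        if followers:
            findings.append({
                "client": landing["client"],
                "landing": landing["host"],
                "followed_by": followers,
                # The Task Scheduler bug (CVE-2024-49039) only matters on Windows hosts.
                "windows": "Windows NT" in landing["ua"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_driveby_chains(SAMPLE_LOG):
        print(finding)
```

The second constructed client (10.0.0.9) visits the same landing host but reports a Firefox build at or above the assumed fixed version, so it is not flagged; the point of the version gate is to keep triage focused on clients that could actually have been exploited, while the `windows` flag tells you which of those also need the Task Scheduler patch verified.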

What to Do Now: Update Firefox and install the Windows patch as quickly as possible, as active exploitation is still underway.