In October 2024, the Russian-aligned advanced persistent threat (APT) group known as RomCom (also identified as Storm-0978, Tropical Scorpius, or UNC2596) orchestrated a sophisticated cyberattack by exploiting two previously unknown vulnerabilities—commonly referred to as zero-day flaws—in Mozilla Firefox and Microsoft Windows. This coordinated exploitation enabled the deployment of RomCom's backdoor malware on targeted systems without any user interaction, highlighting the group's advanced capabilities and the critical importance of timely software updates.
Background on RomCom

RomCom is a Russia-aligned APT group that has been active since at least 2022, engaging in both cybercrime and cyberespionage operations. Its targets have included government entities, the defense and energy sectors, and various industries across Europe and North America. The group's activities reflect a dual focus on opportunistic cybercrime and targeted intelligence collection, particularly against entities supporting Ukraine. (welivesecurity.com)

Exploitation of Firefox Vulnerability (CVE-2024-9680)

The first vulnerability, identified as CVE-2024-9680, is a critical use-after-free flaw in Firefox's animation timeline feature. This vulnerability, with a Common Vulnerability Scoring System (CVSS) score of 9.8, affects several Mozilla products, including Firefox, Thunderbird, and Tor Browser. Exploiting the flaw allows attackers to execute arbitrary code inside the browser's sandboxed content process. ESET researchers discovered the vulnerability on October 8, 2024, and promptly reported it to Mozilla, which released a patch on October 9, 2024. (welivesecurity.com)

Exploitation of Windows Vulnerability (CVE-2024-49039)

The second vulnerability, CVE-2024-49039, is a privilege escalation flaw in the Windows Task Scheduler, assigned a CVSS score of 8.8. It allows code to execute outside of Firefox's sandbox, enabling attackers to gain higher privileges on the system. ESET's analysis revealed that RomCom chained this flaw with the Firefox bug to escape the browser's sandbox and execute code in the context of the logged-in user. Microsoft released a patch for this vulnerability on November 12, 2024. (welivesecurity.com)

Attack Chain and Methodology

RomCom's attack chain began with a fake website designed to redirect potential victims to a server hosting the exploit. When a victim visited the site, the exploit was triggered automatically, with no click or other interaction required, and executed shellcode within the browser's content process. This shellcode loaded a malicious library that leveraged the Windows vulnerability to escape the browser's sandbox and execute the RomCom backdoor on the victim's system. The backdoor, capable of executing commands and downloading additional modules, provided RomCom with persistent access to the compromised machine. (welivesecurity.com)

Impact and Implications

The exploitation of these vulnerabilities underscores the critical importance of timely software updates and the need for robust cybersecurity measures. ESET's telemetry indicated that from October 10 to November 4, 2024, potential victims who visited websites hosting the exploit were primarily located in Europe and North America. The rapid release of patches by Mozilla and Microsoft highlights the industry's commitment to addressing such vulnerabilities promptly. However, the success of RomCom's attack chain demonstrates the sophisticated tactics employed by threat actors and the necessity for continuous vigilance and proactive defense strategies. (welivesecurity.com)

Conclusion

The RomCom group's exploitation of zero-day vulnerabilities in Firefox and Windows represents a significant escalation in cyberattack sophistication. It serves as a stark reminder of the evolving threat landscape and the imperative for organizations and individuals to maintain up-to-date systems and implement comprehensive security practices to mitigate such advanced persistent threats.