Firefox and Windows zero-days exploited by Russian RomCom hackers

November 26, 2024 at 06:28AM

The Russia-based RomCom cybercrime group exploited two zero-day vulnerabilities targeting Firefox and Tor Browser users, achieving remote code execution without user interaction. Their attacks, focused on organizations in Ukraine, Europe, and North America, used a malicious website to deploy the RomCom backdoor, indicating sophisticated capabilities and targeted espionage motives.

### Meeting Takeaways from ESET’s Findings on RomCom Cybercrime Group

1. **Attack Overview**:
– The Russia-based RomCom cybercrime group exploited two chained zero-day vulnerabilities targeting Firefox and Tor Browser users across Europe and North America.

2. **Vulnerabilities Identified**:
– **CVE-2024-9680**: A use-after-free vulnerability in Firefox’s animation timeline, patched by Mozilla on October 9, 2024.
– **CVE-2024-49039**: A privilege escalation flaw in Windows Task Scheduler, patched by Microsoft on November 12, 2024.

3. **Exploitation Details**:
– RomCom chained these vulnerabilities into a single zero-day exploit to gain remote code execution without user interaction.
– Victims were lured to a malicious website that deployed the RomCom backdoor when visited.

4. **Attack Execution**:
– The attack flow involved a fake website that redirected victims to an exploit server; if the victim visited with a vulnerable browser, shellcode was executed.

5. **Target Industries**:
– Attacks primarily targeted organizations in Ukraine, Europe, and North America, including sectors like government, defense, energy, pharmaceuticals, and insurance.

6. **Historical Context**:
– RomCom has a record of using zero-day exploits, including a previous incident in July 2023 targeting NATO Summit attendees with a different zero-day vulnerability.

7. **Group Motivation**:
– RomCom is identified as a financially motivated cybercrime group that has engaged in ransomware and extortion attacks, as well as credential theft linked to intelligence operations.

8. **Recent Focus**:
– The group has recently shifted towards targeted espionage attacks, particularly against European and Ukrainian governmental and defense entities.

9. **Sophistication of Attacks**:
– The chaining of these vulnerabilities indicates a high level of sophistication and a strong capability for stealthy attacks by the threat actor.

10. **Further Observations**:
– ESET emphasized the widespread nature of these attacks and the ongoing threat posed by RomCom and similar groups.
