‘RomCom’ APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

November 26, 2024 at 04:44PM

In October, Russian hackers exploited two zero-day vulnerabilities affecting Firefox and Windows, allowing them to deploy malicious code via infected websites. The vulnerabilities were swiftly patched, limiting potential damage, primarily impacting targets in North America and Europe. The attackers utilized fake domains related to IT services to spread the malware.

**Meeting Takeaways:**

1. **Zero-Day Vulnerabilities Identified**:
   – In October 2023, two significant zero-day vulnerabilities were discovered affecting Firefox and Windows:
     – **CVE-2024-9680**: A critical vulnerability in Firefox affecting animation timelines, rated 9.8 on the CVSS scale.
     – **CVE-2024-49039**: A high-severity vulnerability in the Windows Task Scheduler, rated 8.8 on the CVSS scale.

2. **Exploitation by RomCom**:
   – The Russian APT group RomCom exploited these vulnerabilities to deploy the RomCom backdoor through specially crafted websites, with no user interaction required.
   – Malicious domains mimicked trusted services (ConnectWise, Devolutions, Correctiv) to trick victims.

3. **Quick Response and Patch Deployment**:
   – Both vulnerabilities were patched swiftly:
     – CVE-2024-9680 was patched on Oct. 9, just 25 hours after notification to Mozilla.
     – CVE-2024-49039 was patched on Nov. 12.

4. **Target Demographics and Impact**:
   – Most victims were located in North America and Europe, particularly in countries such as the Czech Republic, Germany, and the US.
   – Corporate entities were the main targets, and according to ESET research, none of the victims were compromised via Tor.

5. **Future Implications**:
   – Organizations are encouraged to maintain robust patch management policies so that known vulnerabilities are addressed quickly.
   – Organizations that delay applying patches face potentially significant risk, depending on their risk management protocols.

6. **Next Steps**:
   – Continuous monitoring and prompt application of security updates are essential.
   – Further investigation into the methods RomCom used to spread its malicious sites may provide additional insights.

7. **Media Engagement**:
   – Dark Reading has reached out to Mozilla for comment regarding the vulnerabilities and their impact.

These points summarize the critical information surrounding the vulnerabilities, their exploitation, and the necessary actions moving forward.