RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

November 26, 2024 at 06:18AM

The Russia-aligned group RomCom has exploited two zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to install its backdoor malware on victim systems without user interaction. The attacks use a fake website to redirect users, highlighting RomCom’s advanced capabilities and its history of cybercrime since 2022.

### Meeting Takeaways – Nov 26, 2024: Vulnerability / Cybercrime

1. **Threat Actor Identification**: The Russia-aligned group RomCom (also known as Storm-0978, Tropical Scorpius, etc.) has been linked to the exploitation of two significant zero-day vulnerabilities.

2. **Exploited Vulnerabilities**:
   - **CVE-2024-9680**: A high-severity use-after-free vulnerability in Firefox’s Animation component (CVSS score: 9.8). Patched by Mozilla in October 2024.
   - **CVE-2024-49039**: A privilege escalation vulnerability in Windows Task Scheduler (CVSS score: 8.8). Patched by Microsoft in November 2024.

3. **Attack Mechanism**:
   - Victims navigating to a specific fake website (economistjournal[.]cloud) can trigger the exploit if they are using a vulnerable version of Firefox.
   - The attack chain facilitates the installation of the RomCom Remote Access Trojan (RAT) via a zero-click method, allowing arbitrary code execution without user interaction.

4. **Malware Capabilities**: RomCom RAT can execute commands and download additional malicious modules onto compromised systems.

5. **Geographic Impact**: Most victims identified were located in Europe and North America.

6. **Multiple Threat Actors**: The fact that CVE-2024-49039 was reported by Google’s Threat Analysis Group indicates that there may be multiple actors exploiting the vulnerability as a zero-day.

7. **Historical Context**: This is the second instance where RomCom has been reported exploiting a zero-day vulnerability; they previously exploited CVE-2023-36884 in June 2023.

8. **Indication of Sophistication**: The chaining of two zero-day vulnerabilities demonstrates RomCom’s advanced capabilities and its intent to carry out stealthy cyberattacks.

9. **Action Item**: Stay updated on vulnerabilities and security patches for Firefox and Microsoft Windows to mitigate risks associated with such exploits.
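Since the attack chain starts with a browser visit to the fake site named above, the first triage question for a defender is which clients reached that domain and with what Firefox build. The following is an added example (not code from the article or from any vendor) that scans constructed proxy log lines for the defanged indicator given in the takeaways; the log line layout (`timestamp client method url "user-agent"`) and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Indicator exactly as the report gives it, in defanged form.
DEFANGED_IOC = "economistjournal[.]cloud"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IoC domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Assumed proxy log layout: ts client method url "user-agent"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")

def hostname_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1) if m else ""

def scan_proxy_log(lines, defanged_ioc=DEFANGED_IOC):
    """Return {client: [(ts, url, firefox_version_or_None), ...]} for every hit on the IoC domain."""
    ioc = refang(defanged_ioc)
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        if not host_matches(hostname_of(m["url"]), ioc):
            continue
        ff = FIREFOX_RE.search(m["ua"])  # version lets the responder check against the patched build
        hits[m["client"]].append((m["ts"], m["url"], ff.group(1) if ff else None))
    return dict(hits)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '2024-10-08T09:12:01Z 10.0.0.7 GET https://economistjournal.cloud/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"',
    '2024-10-08T09:12:02Z 10.0.0.7 GET https://cdn.economistjournal.cloud/a.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"',
    '2024-10-08T09:13:44Z 10.0.0.9 GET https://www.example.org/ "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0"',
    '2024-10-08T09:14:10Z 10.0.0.12 GET https://economistjournal.cloud/ "Mozilla/5.0 (Windows NT 10.0) Chrome/129.0"',
    'garbage line',
]

if __name__ == "__main__":
    for client, events in scan_proxy_log(SAMPLE_LOG).items():
        for ts, url, ver in events:
            print(f"{client} {ts} {url} firefox={ver or 'n/a'}")
```

Subdomain matching matters because a drive-by page typically pulls scripts from hosts under the same domain, and a client that reached the site with a non-Firefox browser is still worth recording even though the Firefox bug would not apply to it.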
