A Russia-aligned hacking group, generally known as RomCom (additionally recognized as Storm-0978, Tropical Scorpius, or UNC2596), has efficiently exploited two zero-day vulnerabilities—one in Mozilla Firefox and one other in Microsoft Home windows Process Scheduler. These vulnerabilities, recognized as CVE-2024-9680 and CVE-2024-49039, had been chained collectively to permit the group to execute arbitrary code and set up malicious backdoors on affected techniques.
The primary vulnerability, CVE-2024-9680, is a vital use-after-free bug found in Firefox’s animation timeline function. This flaw, which has a CVSS rating of 9.8, impacts a number of variations of Mozilla browsers, together with Firefox, Thunderbird, and Tor Browser. The flaw permits attackers to execute arbitrary code within the restricted context of the browser, which may result in the set up of malware. Mozilla swiftly patched this vulnerability on October 9, 2024, addressing the problem for affected browsers.
Further analysis revealed a second, beforehand unknown vulnerability in Home windows, assigned CVE-2024-49039. This privilege escalation vulnerability within the Home windows Process Scheduler acquired a CVSS rating of 8.8. When mixed with the Firefox vulnerability, this flaw permits attackers to execute code within the context of the logged-in person. Which means that, even with none interplay from the person, malicious code may be run, giving risk actors management over the affected system. Microsoft launched a patch for CVE-2024-49039 on November 12, 2024.
RomCom Menace Actor Makes use of Subtle Exploit Chain
RomCom, a risk actor with hyperlinks to Russia, has been beforehand noticed conducting each cyber espionage and cybercrime actions. This newest assault demonstrates the group’s superior capabilities and its shift towards extra subtle, stealthy techniques. By chaining these two vulnerabilities collectively, RomCom was capable of exploit the failings with out requiring any person interplay, which will increase the probabilities of a profitable assault.
The assault begins when victims are lured to a faux web site, which then redirects them to a server internet hosting the exploit. As soon as the sufferer’s susceptible browser accesses the exploit, shellcode is executed to drop the backdoor onto the system. This backdoor permits the attackers to execute instructions and obtain further malicious modules, offering the group with persistent entry to the compromised machine.
The shortage of person interplay wanted for this assault highlights its sophistication and the risk actor’s intent to keep away from detection. The sort of assault, involving chained zero-day vulnerabilities, is a transparent indication of RomCom’s capacity to develop complicated exploit chains for extremely focused operations.
Widespread Impact and Affected Regions
The campaign targeting Firefox and Windows vulnerabilities appears to be widespread, with potential victims across Europe and North America. From October 10, 2024, to November 4, 2024, numerous users who visited compromised websites hosting the exploit were located primarily in these regions. While the exact method of how victims are initially directed to the fake website remains unclear, the large-scale nature of the attack suggests a well-organized effort by RomCom.
In 2024, the same threat actor has been linked to cyber espionage actions focusing on governmental entities, the protection and power sectors in Ukraine, the pharmaceutical and insurance coverage industries within the U.S., and the authorized sector in Germany. These assaults are a part of a broader technique by the group, which now combines cybercrime with extra conventional espionage aims.
Satnam Narang, Senior Employees Analysis Engineer, Tenable, shared insights into the exploitation. “With the adoption of sandbox expertise in trendy browsers, risk actors have to do extra than simply exploit a browser vulnerability alone. By combining a browser-based exploit together with a privilege escalation flaw, the RomCom risk actor was capable of bypass the Firefox sandbox”, acknowledged Narang.
The RomCom group (Storm-0978) exploited a series of vulnerabilities together with two zero-day focusing on widespread each Firefox and Home windows customers. “This exploit chain highlights the sheer dedication of risk actors and the challenges of breaching browser defenses”, denoted Satnam.
Exploit Particulars and the Significance of Patching
The RomCom marketing campaign exemplifies the risks of unpatched vulnerabilities in broadly used software program. Whereas Mozilla acted swiftly to patch the Firefox flaw, Microsoft’s patch for the Home windows Process Scheduler vulnerability got here later in November, leaving techniques uncovered for over a month. This delay in patching highlights the vital significance of well timed security updates and the dangers related to zero-day vulnerabilities.
CVE-2024-9680, the Firefox vulnerability, was assigned a CVE on October 9, 2024, simply at some point after it was found. Mozilla’s response was notably fast, with a repair rolled out for affected browsers inside two days. However, CVE-2024-49039, the Home windows vulnerability, was found shortly thereafter, and a repair wasn’t launched till November 12, 2024.
Associated
