Russian RomCom Hackers Chain Firefox and Windows Zero-Days in Complex Backdoor Attacks
RomCom, a Russian-aligned cybercrime group, has leveraged two zero-day vulnerabilities in Firefox and Windows Task Scheduler in a recent attack campaign. The vulnerabilities CVE-2024-9680 and CVE-2024-49039 were chained together to execute an exploit that required no user interaction. The result was the deployment of a RomCom backdoor on the victim's system, giving attackers full remote access. The exploit was widespread, targeting sectors such as government, defense, and pharmaceuticals across North America and Europe. Despite the prompt fixes released by Mozilla and Microsoft, the attack highlights the growing sophistication and persistence of state-aligned threat actors.
Russian Hackers Exploit Firefox and Windows Zero-Days in New Cyberattack Campaign
In a sophisticated cyberattack campaign, the Russian-aligned hacking group RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) has exploited two zero-day vulnerabilities in widely used software: Mozilla Firefox and Microsoft Windows. These vulnerabilities were chained together to form a zero-click exploit, enabling attackers to bypass security measures and gain remote control of targeted systems. The group leveraged these vulnerabilities to install a backdoor that granted them unrestricted access to compromised devices.
The Exploit Chain: Firefox and Windows Zero-Days
The attack began with the exploitation of CVE-2024-9680, a use-after-free vulnerability found in Firefox’s animation timeline feature. This flaw affects not only Firefox but also Mozilla Thunderbird and the Tor Browser, both of which are based on Firefox. When exploited, the vulnerability allows an attacker to execute arbitrary code within the restricted environment of the browser’s sandbox. This was a critical flaw, scoring 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) due to its potential to allow remote code execution without any user interaction.
The second vulnerability, CVE-2024-49039, was a privilege escalation flaw within the Windows Task Scheduler. This vulnerability allowed the attackers to bypass the sandbox protections in Firefox, essentially escaping the browser’s confinement and executing arbitrary code in the victim’s operating system. With this flaw, RomCom gained the ability to run privileged code outside the browser and deploy their payload on the victim’s machine. This vulnerability, too, was rated as highly severe, with a CVSS score of 8.8.
Once chained together, these flaws formed a powerful exploit that could silently install a backdoor on a victim’s computer without any user involvement. The combination of browser-level and OS-level flaws enabled RomCom to bypass multiple layers of security, making the attack significantly more dangerous and harder to detect.
The Zero-Click Exploit: No User Interaction Required
What made this attack particularly insidious was that it did not require any user interaction. The attackers crafted malicious websites designed to exploit the vulnerabilities automatically when a victim visited them. The compromise chain was simple but effective: once the victim accessed a malicious website, the CVE-2024-9680 flaw in Firefox would trigger automatically, leading to the execution of shellcode. This shellcode then downloaded and executed the RomCom backdoor on the system. The CVE-2024-49039 flaw in Windows Task Scheduler escalated privileges, allowing the attackers to run malicious code outside of the browser sandbox.
Once the backdoor was installed, the attackers could remotely control the victim’s system, execute commands, install additional malware, or exfiltrate sensitive data. The simplicity and effectiveness of the attack—requiring no user interaction—made it particularly difficult to defend against, as victims had no immediate signs of compromise.
Widespread Targets: Europe and North America Hit Hard
ESET, the cybersecurity firm that uncovered the vulnerabilities and analyzed the attack, reported that the targeted victims were mainly located in Europe and North America, with countries like Germany, France, the United States, and Poland among the hardest hit. The attack appeared to be widespread, affecting various organizations, particularly those in sectors like government, defense, energy, pharmaceuticals, and insurance. The malicious websites hosting the exploit were designed to redirect victims to servers that contained the zero-click exploit, and it was through these redirections that RomCom was able to deliver its payload.
ESET also noted that Tor Browser users were specifically targeted, as indicated by the use of a JavaScript exploit (named main-tor.js) found in the malicious sites. This suggests that the attackers may have been attempting to target individuals who use Tor for anonymity purposes, potentially to steal sensitive or politically motivated information.
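As an added illustration, not part of the original report or of ESET's analysis, the following Python sketch shows how a defender might hunt in web-proxy logs for the delivery pattern described above: a cross-host redirect to an exploit server, followed by a request for the Tor-targeting script. The log format, host names, client addresses and timestamps are constructed for the example; only the file name main-tor.js comes from the article. Because a file name is trivial for an attacker to change, the script treats it as a weak indicator and raises the severity only when the same client was first redirected to the serving host from a different site.

```python
"""Hunt for the redirect-then-exploit-script pattern in constructed proxy logs.

Constructed log format (one request per line, six space-separated fields):
  <epoch> <client_ip> <http_status> <method> <url> <location-header-or-dash>
This format, and every host/IP below, is an assumption made for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Only the file name is taken from the report; it is a weak indicator on its own.
INDICATOR_FILENAMES = {"main-tor.js"}
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<location>\S+)$"
)

# Constructed sample: client 10.0.0.5 is bounced from a lure site to an exploit
# host and then fetches main-tor.js; client 10.0.0.9 shows benign traffic.
SAMPLE_LOG = """\
1730000001 10.0.0.5 200 GET http://news.example/article -
1730000002 10.0.0.5 302 GET http://lure.example/landing http://exploit.example/x
1730000003 10.0.0.5 200 GET http://exploit.example/x -
1730000004 10.0.0.5 200 GET http://exploit.example/main-tor.js -
1730000005 10.0.0.9 200 GET http://cdn.example/main.js -
1730000006 10.0.0.9 301 GET http://shop.example/old http://shop.example/new
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = int(entry["ts"])
    parsed = urlparse(entry["url"])
    entry["host"] = parsed.netloc.lower()
    entry["filename"] = parsed.path.rsplit("/", 1)[-1]
    loc = entry["location"]
    entry["location_host"] = urlparse(loc).netloc.lower() if loc != "-" else None
    return entry


def analyze(log_text):
    """Return findings for requests of an indicator file name.

    Severity is 'high' when the same client was earlier redirected to the
    serving host from a different host (the redirect-to-exploit-server pattern),
    and 'medium' when the indicator file name appears without such a redirect.
    """
    redirected_to = defaultdict(set)  # client -> hosts reached via cross-host redirect
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        cross_host = (
            e["status"] in REDIRECT_STATUSES
            and e["location_host"]
            and e["location_host"] != e["host"]
        )
        if cross_host:
            redirected_to[e["client"]].add(e["location_host"])
        if e["filename"] in INDICATOR_FILENAMES:
            via_redirect = e["host"] in redirected_to[e["client"]]
            findings.append({
                "ts": e["ts"],
                "client": e["client"],
                "url": e["url"],
                "severity": "high" if via_redirect else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity'].upper()}: {f['client']} requested {f['url']} at {f['ts']}")
```

In practice the indicator set would be fed from current threat intelligence rather than hard-coded, and the cross-host redirect check is what gives the hit its weight; a bare file-name match in a large estate should be triaged, not acted on, since legitimate sites use similar names (the benign main.js in the sample is deliberately not matched).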
A History of Sophistication: RomCom’s Evolving Tactics
RomCom has been known for its sophisticated tactics and its dual focus on cybercrime and cyberespionage. This recent campaign marks the second time the group has successfully exploited zero-day vulnerabilities in the wild. In June 2023, the group utilized CVE-2023-36884, a vulnerability in Windows and Microsoft Office products, to target organizations attending the NATO Summit in Vilnius, Lithuania.
RomCom’s primary targets include governmental agencies, defense contractors, and critical infrastructure sectors, especially those in Ukraine, but their activities extend beyond geopolitically sensitive targets. The group has also been linked to ransomware campaigns and extortion attacks against companies in various industries, including the pharmaceutical and insurance sectors in the United States.
The group’s ability to chain together multiple zero-day vulnerabilities to bypass security systems reflects its growing sophistication and capability. By targeting both browser vulnerabilities and OS-level flaws, RomCom demonstrated a level of technical proficiency that underscores their intent to develop advanced, stealthy tactics for sustained espionage or financial gain.
Rapid Response: Patches and Fixes
Both Mozilla and Microsoft moved quickly to address the vulnerabilities after they were discovered. Mozilla issued a patch for CVE-2024-9680 on October 9, 2024—just one day after ESET reported the flaw. A fix for Mozilla Thunderbird followed shortly thereafter, although Mozilla clarified that scripting is disabled in the Thunderbird email client, meaning this particular flaw could not be exploited through email.
Microsoft released a patch for CVE-2024-49039 on November 12, 2024. However, despite these rapid responses, the attack highlighted the risks associated with zero-day vulnerabilities, especially those that can be exploited without requiring user interaction. Such attacks can be highly damaging, particularly for organizations that fail to implement timely patch management.
Conclusion: A Growing Threat Landscape
The successful exploitation of zero-day vulnerabilities in widely used software like Firefox and Windows demonstrates the growing sophistication of cybercriminal groups like RomCom. Their ability to combine multiple vulnerabilities into a zero-click exploit chain shows a troubling evolution in their tactics, which can bypass multiple layers of security.
While patches have been deployed, the speed and complexity of these attacks highlight the ongoing challenges in defending against advanced persistent threats (APTs). For organizations and individuals alike, ensuring timely updates and robust security practices is critical to mitigating the risks posed by such advanced attack techniques.
RomCom’s expanding capabilities and increasing targets across North America, Europe, and Ukraine underscore the importance of vigilance and preparedness in the face of modern cyber threats. With more targeted attacks on the horizon, understanding and addressing these vulnerabilities is essential for cybersecurity professionals worldwide.