ESET Research discovered zero-day and zero-click vulnerabilities in Mozilla and Windows exploited by Russia-linked APT RomCom group – Press Releases


The following text comes from a press release and in no way reflects the opinion of the editorial staff.

• ESET Research has discovered two previously unknown vulnerabilities, one in Mozilla and the other in Windows, exploited by the pro-Russian APT RomCom group.
• Exploit analysis uncovered the first vulnerability, assigned CVE-2024-9680: a use-after-free bug in Firefox’s animation timeline feature. ESET reported the vulnerability to Mozilla on October 8, 2024; it was patched within a day.
• This critical vulnerability has a CVSS score of 9.8 out of 10.
• Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, assigned CVE-2024-49039, which allows code to execute outside the Firefox sandbox. Microsoft released a fix for this bug on November 12, 2024.
• Together, the two zero-day vulnerabilities provided RomCom with an exploit that requires no user interaction other than browsing a specially crafted website.
• Potential victims who visited websites hosting the exploit were primarily located in Europe and North America.

MONTREAL, BRATISLAVA, November 26, 2024 — ESET researchers discovered CVE-2024-9680 in Mozilla products, a previously unknown vulnerability exploited by the Russia-linked APT RomCom group. Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE-2024-49039. In a successful attack, when a victim views a web page containing the exploit, an adversary can execute arbitrary code without any user interaction (zero-click), leading to the installation of the RomCom backdoor on the victim’s computer. This backdoor, used by the group, is capable of executing commands and downloading additional modules to the victim’s device. The Mozilla-related vulnerability discovered on October 8 by ESET Research has a CVSS score of 9.8 on a scale of 0 to 10. In 2024, RomCom targeted Ukraine and other European countries, as well as the United States. According to ESET telemetry, from October 10, 2024 to November 4, 2024, potential victims who visited the websites hosting the exploit were primarily in Europe and North America.

On October 8, 2024, ESET researchers discovered the CVE-2024-9680 vulnerability. This is a use-after-free bug in Firefox’s animation timeline feature. Mozilla patched the vulnerability on October 9, 2024. Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE-2024-49039, which allows code to execute outside the Firefox sandbox. On November 12, 2024, Microsoft released a patch for this second vulnerability.

The CVE-2024-9680 vulnerability, discovered on October 8, allows vulnerable versions of Firefox, Thunderbird and the Tor Browser to execute code in the restricted context of the browser. With the previously unknown Windows vulnerability CVE-2024-49039, which has a CVSS score of 8.8, arbitrary code can then be executed in the context of the logged-in user, outside the browser sandbox. Used together, the two zero-day vulnerabilities provide RomCom with an exploit requiring no user interaction. This level of sophistication demonstrates RomCom’s intent and means to obtain or develop stealthy capabilities. Additionally, successful exploitation attempts have deployed the RomCom backdoor in what appears to be a large-scale campaign.

RomCom (also known as Storm-0978, Tropical Scorpius or UNC2596) is a pro-Russian group that conducts opportunistic campaigns against selected industries and targeted espionage operations. The group now focuses on espionage operations to gather intelligence, alongside more conventional cybercrime operations. In 2024, ESET discovered RomCom’s cyberespionage and cybercrime operations against government entities, the defense and energy sectors in Ukraine, the pharmaceutical and insurance sectors in the US, the legal sector in Germany and government entities in Europe.

“The compromise chain consists of a fake website that redirects the potential victim to the server hosting the exploit, and if this is successful, shellcode is executed that downloads and executes the RomCom backdoor. We do not know how the link to the fake website is distributed. If the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer without any user interaction being required,” says Damien Schaeffer, the ESET researcher who discovered both vulnerabilities. He added: “We thank the Mozilla team for their great responsiveness and impressive work ethic in releasing a patch within a day.” Both vulnerabilities have been fixed, by Mozilla and Microsoft respectively.

This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability ‘in the wild’, following the abuse of CVE-2023-36884 via Microsoft Word in June 2023.

For a more detailed technical analysis of the discovered vulnerabilities, see the latest ESET Research blog post “RomCom exploits Firefox and Windows zero days in the wild” at www.welivesecurity.com. Also follow ESET Research on Twitter (now known as X) for the latest research news.
