Cybersecurity researchers from the Slovak company ESET have discovered two previously unknown 0-day vulnerabilities in Mozilla Firefox and Windows products. In a report published on November 26, they explain that these two flaws, chained into a 0-click exploit (one requiring no user interaction), allowed Russian hackers to target several hundred devices in Europe and North America.
A simple website visit to deploy the malware
The first flaw detected by ESET, tracked as CVE-2024-9680, carries a critical severity score (CVSS 9.8). It is a use-after-free bug in Mozilla Firefox’s animation timeline feature that allows malicious code to be executed inside the browser’s sandbox. The second, with a severity score of 8.8, is a privilege escalation flaw in the Windows Task Scheduler. It gives attackers the ability to execute malicious code directly in the user’s environment, outside the browser sandbox.
The hacker group RomCom combined these two vulnerabilities into a 0-click exploit. All it took was for a target to visit a malicious website for a backdoor to be downloaded and executed. The malware deployed this way allowed the attackers to execute commands remotely and to deliver further malicious payloads. “While we do not know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer,” notes ESET.
France is reportedly the second most affected country
The 0-day flaws have since been patched, by Mozilla on October 9 and by Microsoft on November 12. According to the cybersecurity company’s telemetry, the number of potential targets (users who visited websites hosting the malware) ranges from 1 to 250, spread across Europe, North America and New Zealand. Although the exact figure is not known, France ranks second among the most affected countries (see image below), behind the Czech Republic and ahead of Germany.
Also known as Storm-0978 and “Tropical Scorpius,” the RomCom hacker group primarily targets government and defense organizations for espionage purposes. Some of its activities are also linked to ransomware operations and credential theft as part of intelligence-gathering campaigns. In July 2023, RomCom had already exploited a 0-day flaw in several Microsoft Windows and Office products, targeting organizations participating in the NATO summit in Vilnius, Lithuania.