The Russian cybercrime group known as RomCom has recently launched attacks using two zero-day vulnerabilities affecting Firefox and Tor Browser users in Europe and North America. These attacks were meticulously crafted to target specific industries, exploiting security flaws to gain unauthorized access to systems.
Firefox Zero-Day (CVE-2024-9680)
This vulnerability, identified as a use-after-free bug in Firefox's animation timeline, enables arbitrary code execution within the browser's sandbox. Quickly addressed by Mozilla, the flaw was patched on October 9, 2024, following a report from ESET.
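The first question a defender asks after a report like this is whether the browsers in their estate are at or above the build that carries the fix, and Firefox version strings are slightly awkward to compare because the release line and the two ESR lines are patched at different numbers. The check below is an added example, not code from the article, ESET or Mozilla. The `FIXED_VERSIONS` table is an assumption filled with illustrative values: confirm the fixed builds against Mozilla's advisory for CVE-2024-9680 before relying on it. The hostnames in the sample inventory are constructed.

```python
"""
Branch-aware check of Firefox version strings against the build that fixed a
CVE. Added example; FIXED_VERSIONS is an assumption for illustration and must
be confirmed against the vendor advisory before use.
"""
import re
from typing import Dict, List, Tuple

# Assumed fixed-version table keyed by branch (illustrative values; verify
# against Mozilla's advisory for CVE-2024-9680 before relying on them).
FIXED_VERSIONS: Dict[str, str] = {
    "release": "131.0.2",
    "esr128": "128.3.1",
    "esr115": "115.16.1",
}

# major.minor[.patch][a|b N][esr], e.g. "131.0.2", "128.3.1esr", "132.0b3"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:([ab])(\d+))?(esr)?$")


def parse_version(s: str) -> Tuple[Tuple[int, ...], str]:
    """Return (sortable numeric tuple, branch) for a Firefox version string.

    Alpha/beta builds sort below the final release of the same number, so
    '132.0b3' < '132.0' but '132.0b3' > '131.0.2'. Raises ValueError on
    input it does not recognise rather than silently treating it as patched.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {s!r}")
    major, minor, patch, tag, tag_num, esr = m.groups()
    nums = [int(major), int(minor), int(patch or 0)]
    if tag:
        nums += [0 if tag == "a" else 1, int(tag_num)]
    else:
        nums += [2, 0]  # final release outranks any pre-release of x.y.z
    branch = f"esr{major}" if esr else "release"
    return tuple(nums), branch


def is_patched(version: str, fixed: Dict[str, str] = FIXED_VERSIONS) -> bool:
    """True if `version` is at or above the fixed build for its branch."""
    nums, branch = parse_version(version)
    threshold = fixed.get(branch)
    if threshold is None:
        # An ESR line with no fixed build listed is end-of-life: it will never
        # receive the fix, so report it as unpatched.
        return False
    fixed_nums, _ = parse_version(threshold)
    return nums >= fixed_nums


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, version) pairs that still need an update, sorted."""
    return sorted((h, v) for h, v in inventory.items() if not is_patched(v))


# Constructed sample inventory: hostname -> reported Firefox version.
SAMPLE_INVENTORY = {
    "ws-001": "131.0.2",
    "ws-002": "130.0",
    "ws-003": "128.3.1esr",
    "ws-004": "128.2.0esr",
    "ws-005": "102.15.1esr",   # EOL ESR line, no fix available
    "ws-006": "132.0b3",
}

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} needs updating")
```

Feeding the script an export from your endpoint-management tool instead of `SAMPLE_INVENTORY` turns it into a one-shot compliance report; the deliberate `ValueError` on malformed strings keeps unknown builds out of the "patched" column.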
Windows Zero-Day (CVE-2024-49039)
Involving a privilege escalation flaw in the Windows Task Scheduler, this vulnerability allowed RomCom attackers to execute code outside the browser sandbox. Microsoft's security update on November 12 resolved this issue. RomCom employed these vulnerabilities in a zero-day chain, effectively granting them remote code execution capabilities without needing user interaction.
Attack Methodology
The attackers set up malicious websites designed to exploit these vulnerabilities. Potential victims only needed to visit these sites for the RomCom backdoor to be installed on their systems, highlighting the ease and sophistication of the attack method. ESET researcher Damien Schaeffer explained: “The compromise chain includes a fake website redirecting potential victims to an exploit server. Once the exploit is successful, shellcode is executed to download and install the RomCom backdoor.”
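The chain Schaeffer describes leaves a recognisable shape in web-proxy logs: a page on one host answers with a redirect to a different host (the exploit server), and within a short window the same client fetches an executable payload from that second host. The hunt below is an added example, not tooling from ESET or the article; the log lines are constructed, the seven-column field layout is a simplified assumption (a real proxy export will need its own parser), and the content types and time window are tunable starting points rather than known indicators.

```python
"""
Hunt for cross-host redirect followed by a binary download from the redirect
target, per client, within a time window. Added example with constructed logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample log. Assumed column layout:
#   timestamp client status method url content-type location
# (location is "-" when the response carried no Location header)
SAMPLE_LOG = """\
2024-10-08T09:00:01Z 10.0.0.5 200 GET https://intranet.example/home text/html -
2024-10-08T09:01:10Z 10.0.0.5 302 GET https://news-lookalike.example/article text/html https://cdn-assets.example/load
2024-10-08T09:01:11Z 10.0.0.5 200 GET https://cdn-assets.example/load text/html -
2024-10-08T09:01:25Z 10.0.0.5 200 GET https://cdn-assets.example/p/1.bin application/octet-stream -
2024-10-08T09:05:00Z 10.0.0.9 302 GET https://shop.example/old text/html https://shop.example/new
2024-10-08T09:05:01Z 10.0.0.9 200 GET https://shop.example/new text/html -
2024-10-08T09:30:00Z 10.0.0.7 302 GET https://vendor.example/dl text/html https://mirror.example/setup.exe
2024-10-08T11:30:05Z 10.0.0.7 200 GET https://mirror.example/setup.exe application/x-msdownload -
"""

# Content types that usually mean a native payload rather than page content.
BINARY_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
}
WINDOW = timedelta(seconds=120)  # redirect -> payload fetch, tunable


def parse_line(line: str) -> Dict[str, object]:
    ts, client, status, method, url, ctype, location = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "status": int(status),
        "method": method,
        "url": url,
        "ctype": ctype,
        "location": location,
    }


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def find_drive_by_chains(log_text: str,
                         window: timedelta = WINDOW) -> List[Tuple[str, str, str, str]]:
    """Return (client, redirecting_host, target_host, payload_url) hits.

    A hit needs: a 3xx whose Location points at a different host, then a
    fetch from that host with a binary content type by the same client
    inside `window`. Same-host redirects (ordinary navigation) and downloads
    far outside the window are ignored to keep the noise down.
    """
    by_client: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            by_client[ev["client"]].append(ev)

    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not (300 <= ev["status"] < 400) or ev["location"] == "-":
                continue
            src, dst = host_of(ev["url"]), host_of(ev["location"])
            if src == dst:
                continue
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if host_of(later["url"]) == dst and later["ctype"] in BINARY_TYPES:
                    hits.append((client, src, dst, later["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, src, dst, payload in find_drive_by_chains(SAMPLE_LOG):
        print(f"{client}: {src} -> {dst}, payload {payload}")
```

Of the three clients in the sample, only 10.0.0.5 is flagged: 10.0.0.9 follows a same-site redirect, and 10.0.0.7's executable download happens two hours after its redirect. Allow-listing your own software-distribution hosts in `host_of` comparisons is the usual next tuning step before running this over a day of real traffic.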
Targeted Industries and Impact
RomCom's campaign primarily focused on organizations in Ukraine, Europe, and North America. Affected sectors include government, defense, energy, pharmaceuticals, and insurance. The use of chained zero-days underscores the group's ability to develop and deploy advanced threat capabilities.
Historical Context
RomCom is no stranger to zero-day exploitation. In July 2023, they targeted the NATO Summit in Vilnius with a different zero-day vulnerability in Windows and Office products. Known by various aliases, including Storm-0978 and UNC2596, the group has orchestrated financially motivated campaigns involving ransomware and extortion, while also conducting credential-theft operations for espionage purposes. RomCom’s recent focus has shifted to espionage against European and Ukrainian government entities, as well as the energy and defense sectors within Ukraine. By leveraging these vulnerabilities, RomCom continues to demonstrate its capacity and intent to execute sophisticated cyberattacks with significant geopolitical implications.