CyberSecurity SEE

Romantic Comedy APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

In October, a critical security threat emerged when Russian hackers exploited two zero-day vulnerabilities, one in Firefox and one in Windows, that together allowed them to run arbitrary code on the machine of anyone in the world who used the affected software. The malicious files were first discovered on Oct. 8 on a server operated by the Russian advanced persistent threat group RomCom (also known as Storm-0978, Tropical Scorpius, and UNC2596), only five days after they had been uploaded on Oct. 3.

The vulnerabilities, CVE-2024-9680 and CVE-2024-49039, posed serious risks to users of Mozilla's Firefox browser, its Thunderbird email client, and the Tor browser, which is built on Firefox's Extended Support Release (ESR). The exploit delivered the RomCom backdoor to unsuspecting visitors of the infected websites without requiring any user interaction: victims would download the backdoor from RomCom-controlled servers and then be redirected to the website they had intended to visit.

These crafted websites targeted high-profile organizations such as ConnectWise, the IT services firm Devolutions, and Correctiv, a nonprofit investigative journalism newsroom in Germany, reflecting RomCom's recent shift towards politically motivated espionage. RomCom's cyber-espionage activities have extended to the insurance and pharmaceutical sectors in the US, as well as defense, energy, and government in Ukraine.

The full impact of these vulnerabilities remains unknown, although the majority of targets were concentrated in North America and Europe, with a specific focus on the Czech Republic, France, Germany, Poland, Spain, Italy, and the US. Surprisingly, none of the victims tracked by ESET were compromised via the Tor browser, because its settings differ from those of Firefox. RomCom primarily targeted corporations, which are less likely to use Tor.

Fortunately, both vulnerabilities have since been patched: CVE-2024-9680 was addressed on Oct. 9, just 25 hours after Mozilla was notified, and CVE-2024-49039 was fixed on Nov. 12. Even so, the responsibility lies with organizations to ensure prompt patch management to protect against such threats in the future.

Overall, the exploitation of these flaws by Russian hackers via RomCom underscores the ever-present cybersecurity risks faced by users worldwide and emphasizes the importance of swift action and vigilance in safeguarding against threats in the digital landscape.