A Russia-aligned hacking group known as RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) has been making headlines for successfully exploiting two zero-day vulnerabilities: one in Mozilla Firefox and another in the Microsoft Windows Task Scheduler. These vulnerabilities, identified as CVE-2024-9680 and CVE-2024-49039, were chained together to let the group execute arbitrary code and install a backdoor on affected systems.
The first vulnerability, CVE-2024-9680, is a critical use-after-free bug in Firefox's animation timeline feature. The flaw, rated CVSS 9.8, affects multiple versions of Mozilla's browser family, including Firefox, Thunderbird, and Tor Browser. It allowed attackers to execute arbitrary code within the browser's restricted (sandboxed) content context, a foothold that could lead to the installation of malware. Mozilla patched the vulnerability on October 9, 2024.
Further investigation uncovered a second previously unknown vulnerability in Windows, designated CVE-2024-49039. This privilege escalation flaw in the Windows Task Scheduler received a CVSS score of 8.8. Chained with the Firefox vulnerability, it let the attackers move beyond the browser's restricted context and run code as the logged-in user, with no user interaction required. Microsoft released a patch for CVE-2024-49039 on November 12, 2024.
RomCom, a threat actor with ties to Russia and a history of cyber espionage and cybercrime activities, demonstrated advanced capabilities in this attack. By exploiting the vulnerabilities in Firefox and Windows without requiring user interaction, the group showcased a shift towards sophisticated and stealthy tactics. The attack involved luring victims to a fake website, redirecting them to a server hosting the exploit, and executing shellcode to drop a backdoor onto the victim’s system, granting persistent access to the attackers.
The campaign's impact was felt across Europe and North America, where its victims were primarily located. RomCom has previously been associated with cyber espionage targeting various industries and sectors worldwide, reflecting a mix of cybercrime and traditional espionage objectives.
The exploit chain used by RomCom highlights the group’s determination and expertise in breaching browser defenses. It underscores the critical importance of timely security updates and the risks posed by zero-day vulnerabilities. While Mozilla swiftly patched the Firefox vulnerability, the delay in Microsoft’s patch for the Windows Task Scheduler vulnerability left systems vulnerable for over a month, emphasizing the need for prompt security measures.
In conclusion, the RomCom hacking group’s successful exploitation of zero-day vulnerabilities in popular browsers and operating systems signifies the evolving landscape of cybersecurity threats and the constant need for vigilance and timely patching to defend against malicious actors. It serves as a stark reminder of the ongoing battle between cybersecurity professionals and threat actors seeking to exploit vulnerabilities for their gain.