Press Center

Malware and antivirus software

News

ESET Research discovers Mozilla and Windows zero day & zero click vulnerabilities exploited by Russia-aligned RomCom APT group

Created: 2024-11-29 03:48:41

  • ESET researchers discovered two previously unknown vulnerabilities, one in Mozilla and the other in Windows, being exploited by the Russia-aligned RomCom Advanced persistent threat (APT) group.
  • Analysis of the exploit led to the discovery of the first vulnerability, now assigned CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox. ESET reported the vulnerability to Mozilla on October 8, 2024; it was patched within a day.
  • This critical vulnerability has a score of 9.8 out of 10.
  • Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE 2024 49039, that allows code to run outside of Firefox's sandbox. Microsoft released a patch for this second vulnerability on November 12, 2024.
  • The two zero-day vulnerabilities chained together armed RomCom with an exploit that requires no user interaction other than browsing to a specially crafted website.
  • Potential victims who visited websites hosting the exploit were located mostly in Europe and North America.

MONTREAL, BRATISLAVANovember 26, 2024 — ESET researchers discovered a previously unknown vulnerability, CVE-2024-9680, in Mozilla products, exploited in the wild by Russia-aligned APT group RomCom. Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE-2024-49039. In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom’s backdoor on the victim’s computer. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine. The Mozilla-related critical vulnerability discovered by ESET Research on October 8 has a CVSS score of 9.8 on a scale from 0 to 10. In 2024, RomCom struck in Ukraine and other European countries, as well as the United States. According to our telemetry, from October 10, 2024 to November 4th, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and North America.

On October 8, 2024, ESET researchers discovered vulnerability CVE-2024-9680. It is a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched the vulnerability on October 9, 2024. Further analysis revealed another zero-day vulnerability, in Windows: a privilege escalation bug, now assigned CVE 2024 49039, that allows code to run outside Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12, 2024.

The vulnerability CVE-2024-9680 discovered on October 8 allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Chained with the previously unknown vulnerability in Windows, CVE-2024-49039, which has a CVSS score of 8.8, arbitrary code can be executed in the context of the logged-in user. Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication demonstrates the threat actor’s intent and means to obtain or develop stealthy capabilities. Furthermore, successful exploitation attempts delivered the RomCom backdoor in what looks like a widespread campaign.

RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. In 2024, ESET discovered cyberespionage and cybercrime operations of RomCom against governmental entities, defense, and energy sectors in Ukraine, the pharmaceutical and insurance sectors in the US; the legal sector in Germany; and governmental entities in Europe.

“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor. While we don’t know how the link to the fake website is distributed, however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required,” says ESET researcher Damien Schaeffer, who discovered both vulnerabilities. “We would like to thank the team at Mozilla for being very responsive and to highlight their impressive work ethic to release a patch within a day,” he adds. Each vulnerability was fixed by, respectively, Mozilla and Microsoft.

This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.

For a more detailed analysis and technical breakdown of the discovered vulnerabilities, check out the latest ESET Research blogpost “RomCom exploits Firefox and Windows zero days in the wild” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Heatmap of potential victims

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.