
RomCom exploits zero-day flaws in Mozilla

Researchers have discovered previously unknown vulnerabilities in Mozilla and Microsoft products that have been exploited in the wild by the Russia-aligned hacker group RomCom. The Mozilla vulnerability, rated CVSS 9.8, allows code execution in the restricted content context of Firefox, Thunderbird, and the Tor Browser. A second vulnerability in Windows, rated 8.8, elevates privileges and allows arbitrary code execution in the logged-in user’s context. On October 8, 2024, researchers identified the zero-day vulnerability in Mozilla products.

Analysis led to the discovery of a use-after-free bug in the animation timeline feature in Firefox, which Mozilla quickly patched on October 9. Further analysis revealed a second vulnerability in Windows, a privilege escalation bug, which Microsoft patched on November 12. These combined exploits delivered the RomCom backdoor in a widespread campaign.

RomCom (aka Storm-0978, Tropical Scorpius, or UNC2596) is known for both opportunistic attacks against business verticals and targeted espionage. Their backdoor can execute commands and download additional malicious modules. The compromise chain starts with a fake website redirecting victims to a server hosting the exploit.

If the exploit succeeds, the shellcode executes and downloads the RomCom backdoor onto the victim’s machine without any user interaction. The exploit page uses a JavaScript redirection through `window.location.href`, which gives the exploit code time to run before the browser is sent on to the original, legitimate website, making the attack less likely to be noticed by the victim. From October 10 to October 16, numerous Command and Control (C&C) servers were found hosting the exploit.

These servers used domain names similar to legitimate sites to evade suspicion, as shown below:

| Fake Server | Final Redirect to | Website Purpose |
|---|---|---|
| redircorrectiv[.]com | correctiv.org | Nonprofit newsroom |
| devolredir[.]com | devolutions.net | Remote access solutions |
| redirconnectwise[.]cloud | connectwise.com | IT management software |
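The lure pattern above (a visit to a look-alike domain followed within seconds by a redirect to the site it imitates) can be hunted for in web proxy logs. The following is an added detection example, not code from the article or from any vendor: it pairs each request to a look-alike host with a follow-up request from the same client to the imitated legitimate site inside a short time window. The brand fragments are taken from the table above, and the log lines and format are constructed for the example.

```python
import re
from collections import defaultdict

# Brand fragment embedded in each look-alike domain from the table, mapped to the
# legitimate site it imitates (the final redirect target).
BRAND_FRAGMENTS = {
    "correctiv": "correctiv.org",
    "devol": "devolutions.net",
    "connectwise": "connectwise.com",
}

# Constructed proxy log: "<unix_ts> <client_ip> <requested_host>"
SAMPLE_LOG = """\
1728518400 10.0.0.5 redircorrectiv.com
1728518402 10.0.0.5 correctiv.org
1728518500 10.0.0.7 devolutions.net
1728518600 10.0.0.9 devolredir.com
1728518700 10.0.0.9 devolutions.net
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def same_site(host, legit):
    """True if host is the legitimate domain itself or one of its subdomains."""
    return host == legit or host.endswith("." + legit)

def lookalike_of(host):
    """Return the legitimate domain a host imitates, or None if it is not a look-alike."""
    for fragment, legit in BRAND_FRAGMENTS.items():
        if fragment in host and not same_site(host, legit):
            return legit
    return None

def find_lure_redirects(log_text, window=30):
    """Return (client, lure_host, legit_host) for each look-alike request that the same
    client followed with a request to the imitated site within `window` seconds."""
    pending = defaultdict(list)   # client -> [(ts, lure_host, legit)]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host = int(m.group(1)), m.group(2), m.group(3).lower()
        legit = lookalike_of(host)
        if legit:                 # look-alike seen: remember it for this client
            pending[client].append((ts, host, legit))
            continue
        keep = []
        for t0, lure, target in pending[client]:
            if same_site(host, target) and 0 <= ts - t0 <= window:
                hits.append((client, lure, host))   # lure -> legitimate site redirect
            else:
                keep.append((t0, lure, target))
        pending[client] = keep
    return hits

if __name__ == "__main__":
    for client, lure, legit in find_lure_redirects(SAMPLE_LOG):
        print(f"{client}: {lure} -> {legit} (possible lure redirect)")
```

The window keeps the heuristic quiet: client 10.0.0.9 in the sample visits a look-alike but reaches the real site only 100 seconds later, so it is reported only if the window is widened.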

New zero-day vulnerabilities exploited

The discovered vulnerabilities center on the following points:

– **CVE-2024-9680**: A use-after-free vulnerability in the Firefox animation timeline that allows code execution in the browser’s content process.
– **Triggered by main JavaScript files**: Specific scripts (e.g., `main-128.js`, `main-129.js`), each targeting a particular Firefox version, that trigger the exploit together with a sandbox escape to download and execute the RomCom backdoor.

Telemetry indicated that the potential victims, ranging from single individuals to large groups, were predominantly located in Europe and North America.

1. **October 8, 2024:**
   – Discovery and initial analysis of the vulnerabilities.
   – Vulnerability reported to Mozilla.
   – Mozilla acknowledged and assigned the vulnerability.
2. **October 9, 2024:**
   – Mozilla patched the vulnerabilities in Firefox and Tor Browser.
   – Additional affected versions patched over subsequent days.
3. **November 12, 2024:**
   – Microsoft patched the related Windows vulnerability.

Swift action in patching the vulnerability underscores the importance of rapid response in mitigating zero-day threats. The RomCom group’s exploitation of these vulnerabilities highlights the continuous evolution and sophistication of cyber threats.

Collaboration between security researchers and software vendors remains critical in defending against such high-impact attacks.
