Russian Hackers Exploit Firefox and Windows 0-Days to Deploy Backdoor

****SUMMARY****

• RomCom Exploits Double Zero-Day: RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

• Attack Chain: Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

• Targeted Sectors: RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

• Quick Patches: Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

• Sophisticated Threat: The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked RomCom group, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (CVE-2024-9680, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (CVE-2024-49039, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed RomCom’s custom backdoor, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s investigation shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as Storm-0978, Tropical Scorpius, or UNC2596, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of zero-day vulnerabilities.

1. Russian Cyber Offensive Shifts Focus to Ukraine’s Military
2. Russian APT29 Use NSO Group-Style Exploits in Attacks, Google
3. Russian Malware Targets Ukrainian Military Recruits via Telegram
4. Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures
5. Russian Midnight Blizzard Breached UK Home Office via Microsoft