Zero-day and Zero click on Firefox and Windows

ESET researchers have identified a previously unknown vulnerability, CVE-2024-9680, in Mozilla products that is being exploited by the Russian-linked Advanced Persistent Threat (APT) RomCom group.

Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, named CVE-2024-49039. In a successful attack, if the victim browses to a web page containing the exploit, the attacker can execute arbitrary code – without requiring any user interaction (zero click) – which in this case leads to the installation of the RomCom backdoor on the victim's computer.

The backdoor is capable of executing commands and downloading additional modules to the victim's computer. The critical Mozilla vulnerability, detected by ESET on October 8, has a CVSS score of 9.8 on a scale of 0 to 10. In 2024, the RomCom group attacked Ukraine and other European countries, as well as the United States.

According to ESET telemetry, from October 10, 2024 to November 4, 2024, potential victims who visited websites hosting the exploit were primarily located in Europe and North America.

On October 8, 2024, ESET researchers discovered the CVE-2024-9680 vulnerability. This is a use-after-free bug in Firefox's timeline animation feature. Mozilla patched the vulnerability on October 9, 2024.

Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, CVE-2024-49039, that allows code to run outside the Firefox sandbox. Microsoft released a patch for this second vulnerability on November 12, 2024.

CVE-2024-9680, discovered on October 8, allows attacker-controlled code to run in the browser's restricted context in vulnerable versions of Firefox, Thunderbird and Tor Browser.

Combined with the previously unknown Windows vulnerability CVE-2024-49039, rated CVSS 8.8, this allows arbitrary code to be executed in the context of the logged-in user.

Chaining the two zero-day vulnerabilities equipped the RomCom group with an exploit that requires no user interaction. This level of sophistication demonstrates the threat actor's intent and means to acquire or develop covert capabilities. Successful exploit attempts delivered the RomCom backdoor in what appears to be a widespread campaign.

The APT RomCom group (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russian-linked group that conducts both opportunistic campaigns against select business sectors and targeted espionage operations.

The group's focus has shifted to include intelligence-gathering espionage operations alongside more conventional cybercrime operations. In 2024, ESET discovered RomCom cyberespionage and cybercrime operations against government agencies, the defense and energy sectors in Ukraine, the pharmaceutical and insurance sectors in the US, the legal sector in Germany, and government agencies in Europe.

"The campaign consists of a fake website that directs the potential victim to the server hosting the exploit; if the exploit is successful, shellcode is executed that downloads and executes the RomCom backdoor. Although we don't know how the link to the fake website is distributed, if someone visits the page using a vulnerable browser, a payload is loaded and executed on the victim's computer without requiring user interaction," says ESET researcher Damien Schaeffer, who discovered both vulnerabilities.

"We would like to thank the Mozilla team for their very good response and highlight their impressive work ethic that led them to release a patch within a day." Both vulnerabilities have since been patched, by Mozilla and Microsoft respectively.
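The chain Schaeffer describes (a decoy site, a redirect to the host serving the exploit, and a payload fetched with no user interaction) leaves a recognisable sequence in web proxy logs: a 3xx from one site, an HTML landing page on a different site, then a binary body from that second site within seconds. The script below is an added example, not ESET's code or detection logic; the log format, the host names and the sample lines are all constructed for illustration, and the naive "same site" check is an assumption that a real deployment would replace with a Public Suffix List lookup.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines, made up for this example (not ESET telemetry, not real hosts).
# Assumed format: "<ISO-8601 timestamp> <client_ip> <method> <url> <status> <content-type> <bytes>"
SAMPLE_LOG = """\
2024-10-15T09:12:01Z 10.0.0.5 GET https://decoy-site.example/ 302 text/html 0
2024-10-15T09:12:02Z 10.0.0.5 GET https://exploit-host.example/landing 200 text/html 41233
2024-10-15T09:12:04Z 10.0.0.5 GET https://exploit-host.example/stage 200 application/octet-stream 512000
2024-10-15T09:30:00Z 10.0.0.7 GET https://news.example/article 200 text/html 22000
2024-10-15T09:30:05Z 10.0.0.7 GET https://cdn.example/style.css 200 text/css 3000
2024-10-15T10:01:00Z 10.0.0.9 GET https://shop.example/ 301 text/html 0
2024-10-15T10:01:01Z 10.0.0.9 GET https://www.shop.example/ 200 text/html 90000
2024-10-15T10:01:20Z 10.0.0.9 GET https://www.shop.example/installer 200 application/octet-stream 7000000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

# Content types that indicate an executable or opaque binary body was delivered.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


def parse_log(text):
    """Parse the assumed log format into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort triage
        ts, client, method, url, status, ctype, size = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "host": urlparse(url).hostname or "",
            "status": int(status),
            "ctype": ctype.split(";")[0].lower(),
            "size": int(size),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _registrable(host):
    # Naive "same site" heuristic: compare the last two DNS labels. This keeps an
    # ordinary shop.example -> www.shop.example redirect followed by a legitimate
    # installer download from being flagged. Assumption: replace with a PSL lookup in production.
    return ".".join(host.split(".")[-2:])


def find_redirect_to_download(events, window_seconds=60):
    """Per client: 3xx from site A, then 200 text/html from a different site B,
    then a binary body from B, all within window_seconds of the redirect."""
    findings = []
    by_client = {}
    for e in events:
        by_client.setdefault(e["client"], []).append(e)

    for client, evs in by_client.items():
        for i, redirect in enumerate(evs):
            if not 300 <= redirect["status"] < 400:
                continue
            deadline = redirect["ts"] + timedelta(seconds=window_seconds)
            later = [e for e in evs[i + 1:] if e["ts"] <= deadline]

            # First time each off-site HTML landing page was seen after the redirect.
            landing_seen = {}
            for e in later:
                if (e["status"] == 200 and e["ctype"] == "text/html"
                        and _registrable(e["host"]) != _registrable(redirect["host"])):
                    landing_seen.setdefault(e["host"], e["ts"])

            # A binary body from one of those landing hosts, after its landing page, completes the pattern.
            for dl in later:
                if (dl["status"] == 200 and dl["ctype"] in BINARY_TYPES
                        and dl["host"] in landing_seen and dl["ts"] >= landing_seen[dl["host"]]):
                    findings.append((client, redirect["host"], dl["host"]))
                    break
    return findings


if __name__ == "__main__":
    for client, decoy, payload_host in find_redirect_to_download(parse_log(SAMPLE_LOG)):
        print(f"{client}: redirect from {decoy} to {payload_host}, followed by binary download")
```

On the constructed input only client 10.0.0.5 is reported; the 10.0.0.9 sequence is a same-site redirect followed by an installer download and is left alone. The window and the content-type list are the two knobs to tune against real traffic, and a hit is a triage lead (pull the client's browser version and patch state), not a verdict.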

This is at least the second time that the RomCom APT group has been found exploiting a significant zero-day vulnerability, following its exploitation of the Microsoft vulnerability CVE-2023-36884 in June 2023.

Detailed information and analysis of identified vulnerabilities:

RomCom exploits Firefox and Windows zero days in the wild


Written by guest
