Wednesday, 4 December 2024

Russian Cyber Attack Exploits Firefox and Windows Zero-Days


A newly discovered cyber attack chains two severe zero-day vulnerabilities, one rated 9.8 and the other 8.8 on the CVSS scale, which security researchers confirm were used by the Russian state-backed hacking group RomCom. The attack targeted both Mozilla Firefox and Windows, exploiting previously unknown weaknesses to install a backdoor that let the attackers execute commands and download additional malware. This sophisticated, multi-stage attack has raised alarm, particularly for users in Europe and North America, with experts stressing the importance of applying software updates immediately to mitigate the threat.

The RomCom cyber attack is notable not just for its sophistication but for the scale of its potential damage. According to researchers from ESET, who uncovered the attack, the campaign was widespread, with the attackers primarily targeting users in Europe and North America. What makes this attack especially dangerous is that it combines two zero-day vulnerabilities, one in Firefox and one in Windows, chained together into an exploit capable of installing a backdoor on compromised systems. The first vulnerability, CVE-2024-9680, was discovered in Mozilla Firefox and carries a severity score of 9.8 out of 10, signaling a critical flaw. It lies in the Firefox animation timeline feature, which contained a "use-after-free" memory flaw. This type of flaw occurs when a program continues to use a pointer to memory that has already been freed; because the freed memory can be reallocated and filled with other data, the consequences range from a crash to an attacker being able to execute arbitrary code.
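To make the "use-after-free" class concrete, here is an added illustration that is not ESET's, Mozilla's or the article's code and does not reproduce the Firefox bug. It models a constructed, hypothetical "animation" object that is shared between a timeline and a listener: the unsafe pattern frees the object while another holder still keeps a raw pointer to it, and the hardened pattern uses reference counting so that memory is released only when the last holder lets go. The names (`Animation`, `Timeline`, `Listener`, `demo_safe_lifecycle`) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Firefox code: a shared object whose lifetime is
 * managed by reference counting, the common fix pattern for use-after-free. */

static int live_objects = 0;   /* allocations not yet freed; should return to 0 */

typedef struct Animation {
    int refcount;
    int frame;
    char name[32];
} Animation;

Animation *animation_create(const char *name) {
    Animation *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->refcount = 1;                       /* creator holds the first reference */
    snprintf(a->name, sizeof a->name, "%s", name);
    live_objects++;
    return a;
}

void animation_retain(Animation *a) { if (a) a->refcount++; }

void animation_release(Animation *a) {
    if (!a) return;
    if (--a->refcount == 0) {
        live_objects--;
        memset(a, 0, sizeof *a);           /* scrub so a stale read cannot look plausible */
        free(a);
    }
}

typedef struct { Animation *current; } Timeline;  /* owns a slot */
typedef struct { Animation *watched; } Listener;  /* keeps its own pointer */

/* Buggy pattern (never called here): the timeline frees the object outright,
 * so any Listener still pointing at it now holds a dangling pointer. A later
 * read through listener->watched is undefined behaviour and is exactly what
 * AddressSanitizer reports as heap-use-after-free. */
void timeline_clear_unsafe(Timeline *t) {
    free(t->current);
    t->current = NULL;
}

/* Hardened pattern: every holder takes a reference and releases it when done. */
void listener_watch(Listener *l, Animation *a) {
    animation_retain(a);
    l->watched = a;
}

void listener_unwatch(Listener *l) {
    animation_release(l->watched);
    l->watched = NULL;
}

void timeline_clear(Timeline *t) {
    animation_release(t->current);
    t->current = NULL;
}

/* Runs the safe lifecycle and returns the frame value the listener observes
 * after the timeline has dropped its reference. The object is still valid at
 * that point because the listener holds the remaining reference. */
int demo_safe_lifecycle(void) {
    Timeline t = { animation_create("fade") };
    Listener l = { NULL };
    listener_watch(&l, t.current);   /* refcount 1 -> 2 */
    t.current->frame = 42;
    timeline_clear(&t);              /* refcount 2 -> 1: memory stays alive */
    int seen = l.watched->frame;     /* safe read */
    listener_unwatch(&l);            /* refcount 1 -> 0: freed exactly once */
    return seen;
}

int live_object_count(void) { return live_objects; }

int main(void) {
    printf("listener saw frame %d, live objects after cleanup: %d\n",
           demo_safe_lifecycle(), live_object_count());
    return 0;
}
```

Compiling with `-fsanitize=address` and swapping `timeline_clear` for `timeline_clear_unsafe` in the demo is the quickest way to see how such a defect surfaces during testing; with the reference-counted version the run completes cleanly and no allocation outlives its last holder.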

The second flaw, CVE-2024-49039, is found in the Windows operating system and is classified as a privilege escalation vulnerability, rated 8.8 out of 10 in severity. This flaw allowed malicious code to escape the Firefox browser’s security sandbox, which typically isolates web applications to prevent them from affecting the underlying system. By exploiting this vulnerability, the attackers could execute arbitrary commands on the Windows system, ultimately enabling the installation of the RomCom backdoor. The power of this cyber attack lies in how these two vulnerabilities work together. The attack, a “zero-click” exploit, required no action from the victim to be successful. Simply visiting a malicious website would trigger the exploit chain, allowing the attackers to silently install malware. In the case of this RomCom attack, the exploit would enable the download and execution of the hacker-controlled backdoor, which could then be used to further compromise the system or steal sensitive data.

Damien Schaeffer, the ESET researcher who discovered both vulnerabilities, explained that the attack began with a fake website that redirected victims to a server hosting the exploit. If the exploit succeeded, it executed shellcode that downloaded and ran the RomCom backdoor, granting the attackers remote access to the compromised system. Once the vulnerabilities were identified, both Mozilla and Microsoft acted quickly. Mozilla patched the Firefox vulnerability on October 9, 2024, one day after Schaeffer reported it; he specifically praised Mozilla's promptness and the efficiency with which the patch was released. The Windows vulnerability was fixed in the November 2024 Patch Tuesday security updates, released on November 12. While the longer time to address the Windows vulnerability may initially seem concerning, this exploit chain relied on both vulnerabilities being unpatched to succeed. With both issues now fixed, the immediate danger of the RomCom cyber attack has been mitigated. However, experts warn that this does not mean the risk is entirely over.

While the vulnerabilities have been patched, the attack highlights a significant risk for organizations that fail to update their software regularly. Mike Walters, president and co-founder of Action1, emphasized that the RomCom attack demonstrated how easily cybercriminals can exploit vulnerabilities in outdated software. He noted that organizations running old, unpatched versions of Firefox or Windows are at heightened risk of future attacks, not just from RomCom but from other threat groups using similar tactics. The fact that these vulnerabilities existed for some time before being discovered suggests that other, still-unidentified flaws may exist in popular software, which underscores the ongoing need for vigilance in applying security patches. Walters further stressed that organizations should not assume the danger has passed simply because the vulnerabilities have been patched. "Exploitation techniques like those used by the RomCom attackers highlight the critical importance of staying current with software updates to protect against the growing range of potential attack vectors," he said.

The RomCom attack is a reminder of the persistent threat posed by state-sponsored hacking groups. Windows and Firefox users remain at risk if they have not yet applied the latest patches, so it is critical to update these systems as soon as possible to close the vulnerabilities. Taking these steps helps protect your systems from the RomCom backdoor and other emerging cyber threats.
