Russian APT ‘RomCom’ Exploits Zero-Day Vulnerabilities in Firefox, Tor

November 26, 2024

In early October 2024, the Russia-aligned APT group RomCom chained two zero-day vulnerabilities, one in Mozilla's browser engine and one in Windows, to install its backdoor on the machine of anyone who visited a malicious website; the attack required no click or other interaction from the victim. ESET researchers first spotted the exploit files on October 8 on a server operated by RomCom. The files had been uploaded five days earlier, on October 3.

One of the exploited vulnerabilities, CVE-2024-9680, is a use-after-free bug in the animation timeline code of Firefox's rendering engine. Rated critical, with a CVSS score of 9.8, it also affects Mozilla's open source email client Thunderbird and the Tor Browser, both of which are built on the same engine. In October, RomCom deployed websites that triggered CVE-2024-9680 as soon as the page loaded, with no victim interaction; the exploit then fetched the RomCom backdoor from RomCom-controlled servers and ran it.

The malicious domains were lookalikes of legitimate sites belonging to the ConnectWise and Devolutions IT services platforms and to Correctiv, a German nonprofit newsroom for investigative journalism. RomCom conducts both opportunistic cybercrime and politically motivated espionage. In 2024, its campaigns targeted the insurance and pharmaceutical sectors in the US, and the defense, energy, and government sectors in Ukraine.

How RomCom lured victims to these sites remains unclear. The browser exploit on its own only yields code execution inside Firefox's sandboxed content process, so RomCom chained it with a second vulnerability, CVE-2024-49039, a high-severity privilege-escalation bug in the Windows Task Scheduler. That bug let the attackers break out of the browser sandbox and run their code with the privileges of the logged-in user, giving them full access to the victim's machine.

Neither the full extent of the damage caused by this exploit chain nor the exact number of affected individuals is known. Most of the targets were located in North America and Europe, with a few victims in New Zealand and French Guiana. None of the victims tracked by ESET were compromised through the Tor Browser; RomCom's primary targets appeared to be corporations, where Tor is rarely used.

Both vulnerabilities have been patched. Mozilla shipped the fix for CVE-2024-9680 just 25 hours after being notified, in Firefox 131.0.2 and Firefox ESR 128.3.1 and 115.16.1, with corresponding Thunderbird and Tor Browser (13.5.7) releases following; Microsoft fixed CVE-2024-49039 in its November 12 security update. Anyone running a Firefox-based browser that has not been updated since early October, or a Windows machine missing the November update, remains exposed to this chain.
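As an added example (it is not code from the article, from ESET, or from Mozilla), the Python script below shows the check a defender would run against a software inventory after an advisory like this one: decide, per host, whether the installed Firefox or Tor Browser build predates the CVE-2024-9680 fix. The fixed version numbers (Firefox 131.0.2, ESR 128.3.1 and 115.16.1, Tor Browser 13.5.7) are taken from Mozilla's and the Tor Project's release notes, and the inventory rows are constructed sample data. The point the code makes is that a plain numeric comparison against 131.0.2 is wrong: the ESR lines received the fix at lower version numbers, and end-of-life mainline builds between them never received it at all.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Added example, not from the article or from ESET. First releases carrying the
# CVE-2024-9680 fix, taken from Mozilla's and the Tor Project's October 2024
# release notes; verify against the vendor advisories before relying on them.
FIREFOX_FIXED: Dict[str, Version] = {
    "release": (131, 0, 2),   # rapid-release train
    "esr128": (128, 3, 1),    # Firefox ESR 128 line
    "esr115": (115, 16, 1),   # Firefox ESR 115 line
}
TOR_BROWSER_FIXED: Version = (13, 5, 7)


def parse_version(text: str) -> Version:
    """Turn a version string such as '131.0.2', '128.3.1esr' or '132.0b3' into a
    three-part integer tuple. An 'esr' suffix is stripped and any pre-release
    suffix (b3, a1) is ignored, since only the numeric core matters here."""
    core = text.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    parts: List[int] = []
    for piece in core.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def firefox_vulnerable(version: str) -> bool:
    """True if this Firefox build predates the CVE-2024-9680 fix on its own
    release line. The branch logic matters: ESR 128.3.1 is patched even though
    it sorts below 131.0.2, while an end-of-life mainline build such as 130.0
    never received a fix and stays vulnerable."""
    v = parse_version(version)
    if v[0] == 115:
        return v < FIREFOX_FIXED["esr115"]
    if v[0] == 128:
        return v < FIREFOX_FIXED["esr128"]
    return v < FIREFOX_FIXED["release"]


def tor_browser_vulnerable(version: str) -> bool:
    """True if this Tor Browser build predates the backported fix in 13.5.7."""
    return parse_version(version) < TOR_BROWSER_FIXED


CHECKS = {"firefox": firefox_vulnerable, "tor": tor_browser_vulnerable}


def assess(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory rows that are still exposed. Each row carries
    'host', 'product' ('firefox' or 'tor') and 'version'. Unknown products and
    unparseable versions are reported as 'unknown' rather than silently
    skipped, so a bad export cannot hide a vulnerable host."""
    exposed: List[Dict[str, str]] = []
    for row in inventory:
        check = CHECKS.get(row.get("product", "").lower())
        if check is None:
            status = "unknown"
        else:
            try:
                status = "vulnerable" if check(row["version"]) else "patched"
            except (ValueError, KeyError):
                status = "unknown"
        if status != "patched":
            exposed.append({**row, "status": status})
    return exposed


# Constructed sample inventory for demonstration; not real telemetry.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "firefox", "version": "131.0.1"},
    {"host": "ws-02", "product": "firefox", "version": "131.0.2"},
    {"host": "ws-03", "product": "firefox", "version": "128.3.1esr"},
    {"host": "ws-04", "product": "firefox", "version": "130.0"},
    {"host": "ws-05", "product": "tor", "version": "13.5.6"},
    {"host": "ws-06", "product": "tor", "version": "14.0"},
    {"host": "ws-07", "product": "firefox", "version": "latest"},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['product']} {row['version']} -> {row['status']}")
```

Run as-is, it lists the four exposed hosts in the sample inventory (three vulnerable builds and one whose version string could not be parsed); in practice the rows would come from an endpoint management export. CVE-2024-49039 is deliberately not covered here: it is fixed by the November Windows update and is tracked through Windows Update compliance, not browser versions.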
