New Windows Cyber Attack Warning As 0-Click Russian Backdoor Confirmed


A cyber attack chaining two zero-day security vulnerabilities together, one with a severity rating of 9.8 and the other 8.8, has been confirmed by security researchers as the work of a known Russian state-sponsored threat group called RomCom, named after the malware family it uses. The cyber attack, using these previously unknown security vulnerabilities, exploited both the Mozilla Firefox web browser and Windows itself in order to install a backdoor capable of executing commands and downloading further malware onto the target computer. Here’s what we know about the RomCom hack-attack against Windows users.

The RomCom Zero-Click Cyber Attack Explained

With potential victims primarily located in Europe and North America, security researchers from ESET have published a detailed analysis of what they referred to as a widespread campaign. To get an idea of how big a deal this cyber attack was, it involved the use of not one but two zero-day vulnerabilities chained together in a powerful exploit that could end up installing a Russian hacker-controlled backdoor on Windows computers.

The Mozilla vulnerability, CVE-2024-9680, with an extremely high common vulnerabilities and exposures risk severity rating of 9.8 out of 10, was a use-after-free memory flaw in the Firefox animation timeline feature. Meanwhile, the Windows zero-day, CVE-2024-49039, rated at 8.8 out of 10, was a privilege escalation flaw that could enable malicious code to operate outside of the Mozilla Firefox browser security sandbox. Chaining these two together, in what was a zero-click exploit, is about as close to a 10 out of 10 danger rating as I can think of.

“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor,” Damien Schaeffer, the ESET researcher who discovered both vulnerabilities, said.

What Is Known About Storm-0978, Also Known As RomCom, The Threat Actor Behind The Zero-Click Cyber Attack

The threat actor behind the Firefox and Windows zero-click exploit chain that installs a backdoor onto Windows systems is known as RomCom but it also has many other names. Also known as Storm-0978, Tropical Scorpius, and UNC2596, RomCom is a “Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations,” according to the ESET report.

As well as the now-to-be-expected targeting of government, defense and energy sectors in Ukraine by such a Russian-affiliated threat group, RomCom has also targeted the pharmaceutical and insurance sectors in the US; the legal sector in Germany; and governmental entities in Europe.

“The group’s focus has shifted to include espionage operations collecting intelligence,” ESET said, “in parallel with its more conventional cybercrime operations.”

Threat intelligence from the Palo Alto Unit 42 group, published in Sept. 2024, discovered RomCom malware strains dating back to Dec. 2023 but noted the threat actor had been actively using the malware since at least 2022. “RomCom RAT is a malware family that has evolved over the years to include different features and attack methods,” Unit 42 researchers Yaron Samuel and Dominik Reichel said. “They engage in ransomware, extortion and targeted credential gathering, likely to support intelligence-gathering operations.”

Putting A Stop To The RomCom Cyber Attack Demanded Quick Action

Both the vulnerabilities have now been patched by the respective vendors, and Schaeffer thanked the Mozilla team in particular “for being very responsive and to highlight their impressive work ethic to release a patch within a day.” The vulnerability in Firefox was patched on Oct. 09 after being reported on Oct. 08.

The Windows vulnerability, meanwhile, was fixed as part of the latest Patch Tuesday security roundup on Nov. 12. Although this appears, on first glance, to be a concerning delay, remember that this was a chained cyber attack exploit requiring both unpatched vulnerabilities to exist in order to be successfully exploited.

However, this is no time to rest on your laurels and think the cyber attack danger is over, especially if you are not on top of your software and operating system update game, as Mike Walters, president and co-founder of Action1, said. “The exploitation techniques used by the RomCom attackers pose notable risks to other organizations, highlighting several vulnerabilities and potential attack vectors.” Walters went on to state that organizations running outdated versions of software, such as Firefox or Windows, that haven’t been patched for known vulnerabilities are “at significant risk.”
