A cyber attack chaining together two zero-day vulnerabilities, one with a severity rating of 9.8 and the other 8.8, has been attributed by security researchers to a known Russia-aligned threat group called RomCom, named after the malware family it deploys. The attack, using these previously unknown vulnerabilities, exploited both the Mozilla Firefox web browser and Windows itself in order to install a backdoor capable of executing commands and downloading further malware onto the target computer. Here’s what we know about the RomCom attack against Windows users.
The RomCom Zero-Click Cyber Attack Explained
With potential victims primarily located in Europe and North America, security researchers from ESET have published a detailed analysis of what they describe as a widespread campaign. To get an idea of how serious this attack was, it involved not one but two zero-day vulnerabilities chained together into a single exploit that could end up installing a backdoor, controlled by the Russia-aligned operators, on Windows computers.
The Mozilla vulnerability, CVE-2024-9680, with a CVSS severity score of 9.8 out of 10, was a use-after-free memory flaw in Firefox’s animation timeline feature. The Windows zero-day, CVE-2024-49039, rated 8.8 out of 10, was a privilege escalation flaw in the Windows Task Scheduler that allowed code running inside the Firefox browser sandbox to escape it and run with higher privileges on the host. Chaining these two together into a zero-click exploit, where the victim only has to load a web page for the whole chain to fire, is about as close to a 10 out of 10 danger rating as I can think of.
“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor,” Damien Schaeffer, the ESET researcher who discovered both vulnerabilities, said.
What Is Known About Storm-0978, Also Known As RomCom, The Threat Actor Behind The Zero-Click Cyber Attack
The threat actor behind the Firefox and Windows zero-click exploit chain that installs a backdoor onto Windows systems is known as RomCom but it also has many other names. Also known as Storm-0978, Tropical Scorpius, and UNC2596, RomCom is a “Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations,” according to the ESET report.
As well as the now-to-be-expected targeting of government, defense and energy sectors in Ukraine by such a Russian-affiliated threat group, RomCom has also targeted the pharmaceutical and insurance sectors in the US; the legal sector in Germany; and governmental entities in Europe.
“The group’s focus has shifted to include espionage operations collecting intelligence,” ESET said, “in parallel with its more conventional cybercrime operations.”
Threat intelligence published by Palo Alto Networks’ Unit 42 in Sept. 2024 analyzed RomCom malware samples dating back to Dec. 2023 but noted the threat actor had been actively using the malware since at least 2022. “RomCom RAT is a malware family that has evolved over the years to include different features and attack methods,” Unit 42 researchers Yaron Samuel and Dominik Reichel said. “They engage in ransomware, extortion and targeted credential gathering, likely to support intelligence-gathering operations.”
Putting A Stop To The RomCom Cyber Attack Demanded Quick Action
Both vulnerabilities have now been patched by their respective vendors, and Schaeffer thanked the Mozilla team in particular “for being very responsive and to highlight their impressive work ethic to release a patch within a day.” The vulnerability in Firefox was patched on Oct. 9 after being reported on Oct. 8.
The Windows vulnerability, meanwhile, was fixed as part of the Nov. 12 Patch Tuesday security roundup. Although that looks, at first glance, like a concerning delay, remember that this was a chained exploit requiring both unpatched vulnerabilities to be present in order to succeed: once Firefox was patched on Oct. 9, the delivery path described above was closed. The Windows flaw itself, being a local privilege escalation, remained usable by any other code already running on an unpatched machine until the November update, so both patches matter, not just the browser one.
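Because the Firefox fix alone breaks this chain, the first thing to check across a fleet is whether every installed Firefox build is at or above the fixed version for its release line. The script below is an added example, not code from the original article or from ESET or Mozilla. The fixed versions it uses (Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1) are taken from Mozilla’s advisory for CVE-2024-9680 and should be confirmed against that advisory before use; the inventory lines it parses are constructed sample data in a “hostname version” format that you would produce yourself, for instance from each host’s application.ini or `firefox --version`.

```python
"""Flag Firefox installs that predate the CVE-2024-9680 fix.

Fixed versions (from Mozilla's CVE-2024-9680 advisory; confirm before use):
  Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1
"""
import re
from typing import List, Tuple

# Minimum fixed version on the rapid-release line.
FIXED_RELEASE = (131, 0, 2)
# Minimum fixed version per ESR line, keyed by ESR major version.
FIXED_ESR = {
    128: (128, 3, 1),
    115: (115, 16, 1),
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Parse a Firefox version such as '131.0.2', '128.3.1esr' or '132.0b3'.

    Returns (numeric tuple, is_esr). Beta/nightly suffixes ('b3', 'a1') are
    dropped, so a beta is treated as its base release number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    is_esr = (m.group(2) or "").startswith("esr")
    return nums, is_esr


def _pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '131.0' compares correctly against (131, 0, 2)."""
    return tuple(version) + (0,) * (width - len(version))


def is_patched(text: str) -> bool:
    """True if this build carries the CVE-2024-9680 fix for its release line."""
    nums, is_esr = parse_version(text)
    major = nums[0]
    if is_esr:
        fixed = FIXED_ESR.get(major)
        if fixed is None:
            # An ESR major newer than the advisory (e.g. a future 140esr) was
            # branched after the fix; an older, end-of-life ESR major never got it.
            return major > max(FIXED_ESR)
        return _pad(nums) >= _pad(fixed)
    return _pad(nums) >= _pad(FIXED_RELEASE)


# Constructed sample inventory, not real data: "<hostname> <firefox version>".
SAMPLE_INVENTORY = """\
ws-0412 131.0.1
ws-0413 131.0.2
ws-0501 128.3.0esr
ws-0502 128.3.1esr
ws-0777 115.16.1esr
ws-0778 115.15.0esr
ws-0900 132.0b3
"""


def unpatched_hosts(inventory: str) -> List[str]:
    """Return hostnames whose Firefox build predates the fix for its line."""
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if not is_patched(version):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_INVENTORY))  # ['ws-0412', 'ws-0501', 'ws-0778']
```

The ESR handling is the part that is easy to get wrong in a one-line version compare: 128.3.0esr is newer than 115.16.1esr numerically but still unpatched, because each ESR line has its own fixed build, so the check has to key on the ESR major rather than compare against the single rapid-release threshold.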
However, this is no time to rest on your laurels and think the danger is over, especially if you are not on top of your software and operating system updates, as Mike Walters, president and co-founder of Action1, said. “The exploitation techniques used by the RomCom attackers pose notable risks to other organizations, highlighting several vulnerabilities and potential attack vectors.” Walters went on to state that organizations running outdated versions of software such as Firefox or Windows that haven’t been patched for known vulnerabilities are “at significant risk.”