Russian RomCom Group Leverages Zero-Day Vulnerabilities in Cyber Campaign
Cybersecurity researchers from ESET have uncovered a sophisticated attack campaign attributed to the Russia-linked group known as RomCom, which exploited two previously unknown vulnerabilities—commonly referred to as zero-day flaws—in widely used software platforms, namely Firefox and Windows. This complex operation highlights the growing sophistication of cyber threats faced by various sectors, particularly in Europe and North America.
The attack chain, which began on October 8th, started with a vulnerability in Mozilla Firefox that affected not only the browser but also related applications such as Thunderbird and the Tor Browser. This vulnerability, identified as CVE-2024-9680 with a CVSS score of 9.8, could be exploited by luring a user to a specially crafted webpage, allowing malicious code to run inside the browser's sandbox (its restricted execution environment) without any further interaction from the user. ESET reported that Mozilla responded quickly, issuing a patch within 24 hours of being informed of the vulnerability.
However, the RomCom group extended the attack by chaining the browser vulnerability with a second zero-day flaw in the Windows operating system, designated CVE-2024-49039 and assigned a CVSS score of 8.8. This second flaw allowed the attackers to escape the browser's sandbox and execute code with the privileges of the user currently logged into the system. Microsoft addressed the vulnerability with a fix released on November 12th.
Users navigating to fake websites encountered domains crafted to appear authentic, often incorporating the names of legitimate organizations. The attack employed redirection tactics that initially misled victims into believing they were accessing genuine sites. Ultimately, once the exploit was triggered, RomCom’s custom backdoor was installed, granting the attackers remote access and control over the compromised systems.
ESET’s investigation revealed that the RomCom group strategically targeted diverse sectors, such as government agencies in Ukraine, the pharmaceutical industry in the United States, and legal firms in Germany, for purposes of espionage and cybercrime activities. This group, also referred to as Storm-0978 or UNC2596, exhibits a dual strategy of opportunistic and targeted attacks, underscoring the fluid nature of modern cyber threats.
The data indicated that a significant number of users, estimated at between one and 250 in certain regions, fell victim to this malicious campaign between October 10th and November 4th. This highlights the critical need for organizations to remain vigilant and to apply security updates promptly.
This incident serves as a stark reminder of the necessity for rapid disclosure and patching of vulnerabilities to ward off exploitation of zero-day flaws. Cybersecurity experts stress the importance of organizations ensuring that their software is continuously updated to protect against these sophisticated attacks that leverage advanced tactics and techniques identified in the MITRE ATT&CK framework, including initial access via compromised web traffic and privilege escalation through code execution.
In conclusion, the actions of the RomCom group reveal a significant escalation in state-sponsored cyber activities, primarily targeting critical infrastructure and key industries. As the landscape of cyber threats continues to evolve, business owners must remain proactive in fortifying their defenses and adopting stringent cybersecurity practices to mitigate the risks posed by such advanced adversaries.