ESET Identifies Significant Vulnerabilities Exploited by the Russian RomCom Hacking Group
Two critical vulnerabilities affecting Mozilla products and Windows have been identified as actively exploited by RomCom, a cybercriminal group affiliated with the Kremlin. This group has a history of conducting espionage and cyberattacks on various sectors, including defense and energy. The findings, disclosed by ESET researchers, underscore the ongoing threat posed by sophisticated attackers leveraging software weaknesses.
The first is a use-after-free flaw tracked as CVE-2024-9680, which enables code execution in several Mozilla applications, including Firefox and Thunderbird, as well as the Tor Browser. The second, CVE-2024-49039, is a privilege escalation flaw in Windows that lets code already running inside Firefox's sandbox escape it. Mozilla released a fix for the former on October 9, 2024, while Microsoft addressed the latter on November 12, 2024.
Chaining the two vulnerabilities allowed the attackers to execute arbitrary code on the victim's machine, which RomCom used to install a backdoor capable of running commands and deploying additional modules on compromised systems. Damien Schaeffer, the ESET researcher who uncovered the vulnerabilities, noted that the attack typically begins with a fake website that redirects the user to an exploit server, which triggers the exploit and runs shellcode to implant the backdoor.
Schaeffer emphasized the concerning ease of this process, stating, “Although the method of distributing the link to the fake website is unclear, if a user accesses the page via a vulnerable browser, the payload is dropped and executed without requiring user interaction.” This represents RomCom’s second known zero-day exploit following its earlier attack utilizing CVE-2023-36884, related to a flaw in Windows search functionality in June 2023.
The two vulnerabilities carry CVSS scores of 9.8 and 8.8, reflecting their critical severity. RomCom's operations have targeted a range of sectors, including defense and pharmaceutical organizations in the US, as well as organizations connected to Ukraine's government and defense, showing that its reach extends well beyond a single country.
Previous reports have associated RomCom with cyberespionage activities at high-profile European conferences, including the Women Political Leaders summit in Brussels in 2023. Satnam Narang, senior research engineer at Tenable, commented on the evolving tactics used by threat actors. He observed that the combination of browser vulnerabilities and privilege escalation techniques illustrates the increasing sophistication needed to penetrate modern browser defenses, underscoring the significance of the threats that organizations face today.
Mapped to the MITRE ATT&CK framework, the incidents likely involve initial access through social engineering (luring users to the fake website), persistence through the installed backdoor, and privilege escalation through exploitation of weaknesses in both the browser and the operating system. As these threats continue to evolve, it remains crucial for organizations to stay informed, apply patches promptly, and remain vigilant against the sophisticated techniques employed by attackers.