Zero-Day Vulnerabilities Affect Users and Put Systems at Risk
ESET’s cybersecurity experts have discovered a very advanced attack by the Russia-affiliated hacker group RomCom, which targets systems worldwide, including Windows and Firefox, by exploiting two at that point undiscovered vulnerabilities. Users have been put at danger by this effort, as hackers have gained unauthorised access by taking advantage of serious security holes in widely used software.
Now, the attackers may watch, take data, or even control the compromised system as though they were physically present at the computer.
Key Details of the Vulnerabilities
Vulnerability | Affected Software | Severity Score | CVE Identifier | Fix Released |
---|---|---|---|---|
Use-after-free bug in Firefox | Mozilla Firefox, Thunderbird, Tor Browser | 9.8 | CVE-2024-9680 | Fixed in 24 hours |
Windows vulnerability | Microsoft Windows | 8.8 | CVE-2024-49039 | Fixed on Nov 12, 2024 |
The Hacker Group: RomCom
RomCom, sometimes referred to as Storm-0978, Tropical Scorpius, or UNC2596, has been connected to cybercrime and spying. According to ESET’s analysis, this gang targeted well-known industries, such as:
- Ukrainian government agencies
- US pharmaceutical companies
- Germany’s legal sectors
Both intelligence collection and cybercriminal activities, such stealing confidential information or tampering with vital operations, were directed towards these areas.
The Attack’s Two-Step Exploitation
Windows and Firefox Together: A Risky Combination
Two “zero-day” vulnerabilities that were previously unknown to both users and developers, are the foundation of the attack, which was initially identified on October 8, 2024. The first bug impacts the browsers Tor, Thunderbird, and Mozilla Firefox. The “use-after-free” vulnerability (CVE-2024-9680) is a serious fault in the browser’s animation function that has a high-risk score of 9.8.
It is concerning that people can visit malicious websites and exploit this vulnerability without having to click anything. The system may be compromised if malicious code is run within the browser’s environment just by opening the website.
After ESET notified Mozilla, they quickly resolved the problem within a day to safeguard users. However, RomCom had already linked this vulnerability to another vulnerability in order to escalate the attack by that point.
The Second Windows vulnerability
The browser bug was not the end of the attack. Another Microsoft Windows zero-day vulnerability (CVE-2024-49039), which has a severity score of 8.8, was exploited by the hackers.
What Danger Was There?
Because of this flaw, hackers were able to get beyond the browser’s security features, or “sandbox.” Then, using the same rights as the logged-in user, the attackers may execute code on the victim’s machine.
RomCom had complete control of the system by exploiting this second vulnerability, which allowed them to steal confidential data and carry out other illegal activities.
Chain of Exploits: How the Attack Started
Clever Redirection and False Websites
The first step in the multi-step exploit chain used in the RomCom cyberattack was to trick victims into visiting fake websites. By implementing domain names that resembled those of trustworthy websites, these websites were made to appear entirely authentic. The attackers frequently added well-known domain names with “red” or “redir.”
A website like example.com, for instance, might show up as redir-example.com or example-red.com, giving it a trustworthy appearance at first glance.
Users were taken to a legitimate website after visiting these fake ones, concealing the attack’s evil intent. By using this technique, security systems were able to avoid detection and bypass individuals doubt.
Taking Advantage of Weaknesses to Get Access
The exploit code started running in the background as soon as the user visited the fake website. The malicious code exploited the previously found zero-day vulnerabilities in Windows and Firefox to operate secretly within the browser. After the vulnerability was effective, RomCom’s unique backdoor was installed on the compromised device. The attackers had complete control over the victim’s computer and remote access because of the backdoor.