A Russia-aligned hacking group, known as RomCom (also identified as Storm-0978, Tropical Scorpius, or UNC2596), has successfully exploited two zero-day vulnerabilities—one in Mozilla Firefox and another in Microsoft Windows Task Scheduler. These vulnerabilities, identified as CVE-2024-9680 and CVE-2024-49039, were chained together to allow the group to execute arbitrary code and install malicious backdoors on affected systems.
The first vulnerability, CVE-2024-9680, is a critical use-after-free bug discovered in Firefox’s animation timeline feature. This flaw, which has a CVSS score of 9.8, affects several versions of Mozilla browsers, including Firefox, Thunderbird, and Tor Browser. The flaw allows attackers to execute arbitrary code in the restricted context of the browser, which can lead to the installation of malware. Mozilla swiftly patched this vulnerability on October 9, 2024, addressing the issue for affected browsers.
Further analysis revealed a second, previously unknown vulnerability in Windows, assigned CVE-2024-49039. This privilege escalation vulnerability in the Windows Task Scheduler received a CVSS score of 8.8. When combined with the Firefox vulnerability, this flaw allows attackers to execute code in the context of the logged-in user. This means that, even without any interaction from the user, malicious code can be run, giving threat actors control over the affected system. Microsoft released a patch for CVE-2024-49039 on November 12, 2024.
RomCom Threat Actor Uses Sophisticated Exploit Chain
RomCom, a threat actor with links to Russia, has been previously observed conducting both cyber espionage and cybercrime activities. This latest attack demonstrates the group’s advanced capabilities and its shift toward more sophisticated, stealthy tactics. By chaining these two vulnerabilities together, RomCom was able to exploit the flaws without requiring any user interaction, which increases the chances of a successful attack.
The attack begins when victims are lured to a fake website, which then redirects them to a server hosting the exploit. Once the victim’s vulnerable browser accesses the exploit, shellcode is executed to drop the backdoor onto the system. This backdoor allows the attackers to execute commands and download additional malicious modules, providing the group with persistent access to the compromised machine.
The lack of user interaction needed for this attack highlights its sophistication and the threat actor’s intent to avoid detection. This type of attack, involving chained zero-day vulnerabilities, is a clear indication of RomCom’s ability to develop complex exploit chains for highly targeted operations.
Widespread Impact and Affected Regions
The campaign targeting Firefox and Windows vulnerabilities appears to be widespread, with potential victims across Europe and North America. From October 10, 2024, to November 4, 2024, numerous users who visited compromised websites hosting the exploit were located primarily in these regions. While the exact method of how victims are initially directed to the fake website remains unclear, the large-scale nature of the attack suggests a well-organized effort by RomCom.
In 2024, the same threat actor has been linked to cyber espionage activities targeting governmental entities, the defense and energy sectors in Ukraine, the pharmaceutical and insurance industries in the U.S., and the legal sector in Germany. These attacks are part of a broader strategy by the group, which now combines cybercrime with more traditional espionage objectives.
Satnam Narang, Senior Staff Research Engineer, Tenable, shared insights into the exploitation. “With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone. By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox”, stated Narang.
The RomCom group (Storm-0978) exploited a chain of vulnerabilities including two zero-day targeting popular both Firefox and Windows users. “This exploit chain highlights the sheer determination of threat actors and the challenges of breaching browser defenses”, denoted Satnam.
Exploit Details and the Importance of Patching
The RomCom campaign exemplifies the dangers of unpatched vulnerabilities in widely used software. While Mozilla acted swiftly to patch the Firefox flaw, Microsoft’s patch for the Windows Task Scheduler vulnerability came later in November, leaving systems exposed for over a month. This delay in patching highlights the critical importance of timely security updates and the risks associated with zero-day vulnerabilities.
CVE-2024-9680, the Firefox vulnerability, was assigned a CVE on October 9, 2024, just one day after it was discovered. Mozilla’s response was notably quick, with a fix rolled out for affected browsers within two days. On the other hand, CVE-2024-49039, the Windows vulnerability, was discovered shortly thereafter, and a fix wasn’t released until November 12, 2024.
