Russian hackers exploit Firefox, Windows zero-days in wild

A "Russia-aligned group" known as RomCom exploited Firefox and Windows Task Scheduler zero-day vulnerabilities in the wild, according to research from antimalware vendor ESET.

In a blog post published Tuesday, ESET analyzed two previously unknown vulnerabilities that were chained together into a zero-click exploit. One is CVE-2024-9680, a critical vulnerability with a CVSS score of 9.8 that enables "vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser." When chained with Windows Task Scheduler flaw CVE-2024-49039, which received a CVSS score of 8.8, ESET said "arbitrary code can be executed in the context of the logged-in user."

RomCom, otherwise known as Storm-0978, Tropical Scorpius or UNC2596, is a Russia-aligned actor that has previously been observed conducting cyberespionage operations as well as more conventional cybercrime against businesses. In this campaign, RomCom actors used a fake website to lure victims and redirect them to the server hosting the exploit. Shellcode is then executed to install RomCom's backdoor on systems running a vulnerable browser.

"In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code -- without any user interaction required -- which in this case led to the installation of RomCom's eponymous backdoor on the victim's computer," ESET malware researchers Damien Schaeffer and Romain Dumont wrote.

The vendor's telemetry found that victims were primarily based in Europe and North America. "The number of potential targets runs from a single victim per country to as many as 250," ESET claimed.

ESET researchers discovered CVE-2024-9680, a use-after-free vulnerability in Firefox's animation timeline feature, on Oct. 8. ESET reported the issue to Mozilla on Oct. 8, Mozilla acknowledged the issue the same day, and the vulnerability was assigned a CVE on Oct. 9. Vulnerable Mozilla browsers, including certain versions of Firefox, Tor Browser, Tails and Thunderbird, were patched on Oct. 9 and 10. Technical details are available in ESET's blog post as well as a separate one independent researcher Dimitri Fourny published earlier this month.

As part of the discovery of CVE-2024-9680, ESET on Oct. 8 shared a possible sandbox escape exploit observed in conjunction with the above flaw. ESET said Mozilla confirmed the sandbox escape on Oct. 14, determined it to be the result of a Windows security flaw and reported the issue to Microsoft Security Response Center. On Nov. 12, Microsoft published an advisory and corresponding patch for CVE-2024-49039.

In Microsoft's advisory, the company credited Mozilla, an anonymous researcher, and Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group with the discovery of the vulnerability. According to ESET, Google researchers discovered the flaw independently.

CVE-2024-49039 is an escalation of privilege vulnerability in Windows Task Scheduler, and the exploit takes the form of a malicious library that uses an undocumented remote procedure call endpoint to implement a sandbox escape and "launch a hidden PowerShell process that downloads a second stage from a C&C [command and control] server," ESET said.

"Based on the code, the malicious library creates a scheduled task that will run an arbitrary application at medium integrity level, allowing the attackers to elevate their privileges on the system and break out of the sandbox. This is possible due to the lack of restrictions imposed on the security descriptor applied to the RPC interface during its creation," the blog post read.

Dumont told TechTarget Editorial that although the circumstances behind CVE-2024-49039's multiple-attribution discovery are not necessarily common, certain factors made them more likely.

"I would not say that it is common for two sets of researchers to find the same vulnerability at the same time. However, as the attack was widespread and since the files related to the exploit were made available online around the October 3rd, it is possible, even very likely, that two sets of researchers obtained and analyzed the same samples or some variants around the same period of time," Dumont said in an email. "It is therefore possible that two (or even more) independent researchers report the same vulnerability at approximately the same time." 

ESET noted that this is at least the second known occasion that RomCom has weaponized a zero-day vulnerability in attacks. In 2023, Microsoft said the threat group was behind the exploitation of CVE-2023-36884, a remote code execution zero-day flaw in Windows Search. RomCom used the vulnerability in both an espionage-focused phishing campaign as well as financially motivated ransomware attacks.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.