In a significant development, security researchers have confirmed a sophisticated cyber attack that exploits two zero-day vulnerabilities and is attributed to the Russian state-sponsored threat group known as RomCom. The attack targets both the Mozilla Firefox web browser and the Windows operating system, and it has raised alarms because the two flaws carry severity ratings of 9.8 and 8.8, respectively.
The RomCom Zero-Click Cyber Attack Explained
Primarily affecting users in Europe and North America, the campaign has been characterized as widespread by ESET researchers. The attack chains two vulnerabilities, allowing malicious actors to install a backdoor on Windows systems. The first vulnerability, CVE-2024-9680, is a use-after-free memory flaw in Firefox's animation timeline feature, while the second, CVE-2024-49039, is a privilege escalation flaw in Windows that lets the malicious code escape the browser's restrictions and run with higher privileges. This zero-click exploit is particularly alarming, as it requires no user interaction to execute.
According to Damien Schaeffer, the ESET researcher who uncovered these vulnerabilities, the attack begins with a fake website that redirects users to a server hosting the exploit. If successful, the exploit executes shellcode that downloads and activates the RomCom backdoor.
What Is Known About Storm-0978, Also Known As RomCom, The Threat Actor Behind The Zero-Click Cyber Attack
RomCom, also referred to as Storm-0978, Tropical Scorpius, and UNC2596, is a Russia-aligned group engaged in both opportunistic cybercrime and targeted espionage. ESET’s report highlights that the group has expanded its focus beyond traditional targets in Ukraine’s government and defense sectors to include industries such as pharmaceuticals, insurance, and legal sectors in the US and Germany.
The group’s activities have evolved to encompass intelligence-gathering operations alongside conventional cybercrime tactics. Threat intelligence from Palo Alto’s Unit 42 indicates that RomCom has been active since at least 2022, with malware strains identified as early as December 2023. Researchers Yaron Samuel and Dominik Reichel noted that the RomCom RAT malware family has adapted over time, incorporating various features and attack methods, including ransomware and credential gathering.
Putting A Stop To The RomCom Cyber Attack Demanded Quick Action
In response to the identified vulnerabilities, both Mozilla and Microsoft have released patches to mitigate the risks. Schaeffer commended Mozilla for its swift action, noting that the Firefox vulnerability was patched within a day of being reported. The Windows vulnerability was addressed in the Patch Tuesday security updates on November 12. While the timing of the Windows patch may seem delayed, it is important to recognize that the exploit required both vulnerabilities to be unpatched simultaneously, so the Firefox fix alone was enough to break the chain.
Despite these fixes, experts caution against complacency. Mike Walters, president and co-founder of Action1, emphasized the ongoing risks posed by the RomCom attackers. Organizations that fail to keep their software and operating systems updated remain vulnerable to similar exploits. Walters warns that outdated software, particularly unpatched versions of Firefox or Windows, places organizations at significant risk of cyber attacks.
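The two paragraphs above make one practical point: this chain only works on a host where the browser flaw and the Windows flaw are both unpatched, and the remaining risk is concentrated in fleets that have not applied either update. The following added example (not ESET's, Mozilla's, Microsoft's or Action1's code) shows how a defender might triage a software inventory against that condition. The fixed Firefox version, the Windows update identifier and the host records are all constructed placeholders; substitute the values from the vendor advisories for your own environment.

```python
"""Patch-exposure triage for a two-stage browser + Windows exploit chain.

Added example; not code from the original article or any vendor.
All version strings, KB identifiers and host records below are
constructed placeholders, not the real advisory values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PLACEHOLDERS: replace with the fixed Firefox version and the Windows
# update identifier published in the respective vendor advisories.
FIXED_FIREFOX = "200.0.0"
REQUIRED_KB = "KB-PLACEHOLDER"

# Triage outcomes, from most to least urgent.
FULL_CHAIN = "full-chain"      # both flaws unpatched: the described attack works
FIREFOX_ONLY = "firefox-only"  # browser flaw unpatched, escalation step blocked
WINDOWS_ONLY = "windows-only"  # Windows flaw unpatched, browser entry point closed
PATCHED = "patched"            # neither flaw present


@dataclass(frozen=True)
class Host:
    name: str
    firefox_version: Optional[str]  # None means Firefox is not installed
    installed_kbs: Tuple[str, ...]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '131.0.2' into (131, 0, 2). Trailing channel suffixes such as
    '128.3.1esr' are tolerated by keeping only the leading digits of each
    dotted component, so ESR builds compare numerically as well."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def firefox_unpatched(host: Host, fixed: str = FIXED_FIREFOX) -> bool:
    """A host is exposed on the browser side only if Firefox is installed
    and older than the fixed release. Python compares tuples
    lexicographically, so (131, 0) < (131, 0, 2) as expected."""
    if host.firefox_version is None:
        return False
    return parse_version(host.firefox_version) < parse_version(fixed)


def windows_unpatched(host: Host, kb: str = REQUIRED_KB) -> bool:
    """The Windows side is exposed until the fixing update is installed."""
    return kb not in host.installed_kbs


def classify(host: Host, fixed: str = FIXED_FIREFOX, kb: str = REQUIRED_KB) -> str:
    ff = firefox_unpatched(host, fixed)
    win = windows_unpatched(host, kb)
    if ff and win:
        return FULL_CHAIN      # the complete zero-click chain is viable here
    if ff:
        return FIREFOX_ONLY    # still a memory-safety bug worth fixing today
    if win:
        return WINDOWS_ONLY    # this chain is broken, but the flaw remains
    return PATCHED


def triage(hosts: List[Host], fixed: str = FIXED_FIREFOX,
           kb: str = REQUIRED_KB) -> Dict[str, str]:
    """Map every host name to its triage outcome."""
    return {h.name: classify(h, fixed, kb) for h in hosts}


# Constructed sample inventory (not real hosts or real versions).
SAMPLE_HOSTS = [
    Host("ws-01", "199.0.1", ()),                        # nothing patched
    Host("ws-02", "200.0.0", ()),                        # Firefox fixed, Windows not
    Host("ws-03", "199.9", ("KB-PLACEHOLDER",)),         # Windows fixed, Firefox not
    Host("ws-04", "200.1.0esr", ("KB-OTHER", "KB-PLACEHOLDER")),  # both fixed
    Host("srv-01", None, ("KB-OTHER",)),                 # no browser, Windows unpatched
]

if __name__ == "__main__":
    for name, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{name:8s} {status}")
```

Hosts reported as full-chain are the ones the article's warning applies to directly; the other two unpatched categories are lower priority for this specific campaign but still represent an open vulnerability that other tooling may pick up later.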