
Russian APT Group Exploits Firefox and Windows Vulnerabilities in Cyberattack

  • Last updated November 28, 2024
  • written by
    Writer

November 28, 2024 – A cyberattack attributed to a Russia-aligned group used a zero-click exploit chain (visiting a booby-trapped web page was enough; no download or prompt had to be accepted) against computers in Europe and North America to deploy the RomCom backdoor.

The attack, which took place in October, relied on two previously unknown vulnerabilities, one in Firefox and one in Windows. The group, tracked as RomCom and also known as Storm-0978, Tropical Scorpius, and UNC2596, conducts both financially motivated cybercrime and cyberespionage, the latter mainly against government entities in Ukraine and its allies.

Researchers from ESET reported that the RomCom campaigns have previously targeted sectors such as government, defense, energy, pharmaceuticals, and insurance. The October campaign demonstrated a global reach, with a focus on users in the EU and the US.

According to ESET, this is at least the second time RomCom has been caught exploiting a significant zero-day in the wild, after its abuse of CVE-2023-36884 via malicious Microsoft Word documents in 2023. In the latest attacks, users were redirected through rogue websites whose malicious JavaScript triggered a use-after-free in Firefox, tracked as CVE-2024-9680, giving the attackers code execution inside the Firefox content process. That process is sandboxed, so on its own the bug does not grant access to the rest of the system.

Mozilla patched the Firefox vulnerability on October 9, 2024, the day after ESET reported it, with fixes in Firefox 131.0.2, Firefox ESR 128.3.1 and Firefox ESR 115.16.1. The exploit was delivered through a series of redirects to attacker-controlled domains with legitimate-looking names. To get out of the sandbox, the chain then used a privilege escalation flaw in the Windows Task Scheduler, tracked as CVE-2024-49039, which let the attackers escape the Firefox content-process sandbox and run their payload on the underlying operating system; Microsoft fixed that flaw in its November 12, 2024 Patch Tuesday release.
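Because the Firefox half of the chain is neutralised by the fixed builds listed above, the first practical check for a defender is whether every installed Firefox is on or past the fixed version for its branch. The following script is an added example, not code from ESET or from this article: it compares version strings against the fixed versions from Mozilla's advisory (131.0.2, ESR 128.3.1, ESR 115.16.1) and reports which hosts still need the update. The host inventory is constructed sample data; in practice you would feed it from your endpoint management system.

```python
"""Flag Firefox installs that lack the fix for CVE-2024-9680.

Fixed versions (Mozilla Foundation Security Advisory 2024-51):
  Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1.
Everything below those on the same branch, every unsupported mainline
release between branches (e.g. 129, 130), and every older ESR line
(e.g. 102) never received the fix and is treated as vulnerable.
"""
from typing import List, Sequence, Tuple

# Release branch (major version) -> first version carrying the fix.
FIXED_VERSIONS = {
    131: (131, 0, 2),   # mainline release
    128: (128, 3, 1),   # ESR 128 line
    115: (115, 16, 1),  # ESR 115 line
}
LATEST_FIXED_MAINLINE = 131  # any later mainline major already ships the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '128.3.1esr' or '131.0' into a comparable tuple of ints.

    The 'esr' suffix Mozilla appends to ESR builds is stripped, and short
    strings are zero-padded so that '131.0' compares equal to '131.0.0'.
    """
    cleaned = version.strip().lower().removesuffix("esr")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * (3 - len(parts))


def is_fixed(version: str) -> bool:
    """True if this Firefox build contains the CVE-2024-9680 fix."""
    parsed = parse_version(version)
    major = parsed[0]
    if major in FIXED_VERSIONS:
        # Same branch as a fixed release: compare patch level on that branch.
        return parsed >= FIXED_VERSIONS[major]
    # A newer mainline major (132, 133, ...) was released after the fix.
    # Any other major (older ESR line, or an unsupported release between
    # branches such as 129/130) never got the fix.
    return major > LATEST_FIXED_MAINLINE


def hosts_needing_patch(inventory: Sequence[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Firefox build is still vulnerable."""
    return [host for host, version in inventory if not is_fixed(version)]


# Constructed sample inventory of (hostname, Firefox version string).
SAMPLE_INVENTORY = [
    ("ws-01", "131.0.2"),      # fixed mainline
    ("ws-02", "131.0.1"),      # one patch level short of the fix
    ("ws-03", "128.3.1esr"),   # fixed ESR 128
    ("ws-04", "128.3.0esr"),   # unfixed ESR 128
    ("ws-05", "115.16.1esr"),  # fixed ESR 115
    ("ws-06", "130.0"),        # superseded mainline, never fixed
    ("ws-07", "132.0.1"),      # later mainline, includes the fix
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Firefox vulnerable to CVE-2024-9680, update required")
```

Note that a clean result here only covers the browser side of the chain. CVE-2024-49039 lives in the Windows Task Scheduler, so hosts also need Microsoft's November 2024 update; a patched Firefox stops this particular entry point, not the escalation step, which another browser bug could reach.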

The payload, written to disk as public.exe, was executed twice with a delay between the two runs. ESET's findings also show why a fast vendor response matters: Mozilla shipped a fix within a day of being notified, cutting short the window in which the Firefox bug could be used.

This incident underscores the ongoing threat posed by advanced persistent threat (APT) groups and the need for layered defenses: prompt browser and operating-system patching, sandboxing that holds even when one layer is breached, and monitoring for the post-exploitation activity that follows a successful chain.