Russian Hackers Target Mozilla, Windows in New Exploit Chain
Eset Discovers 2 Major Vulnerabilities Exploited by Russian RomCom Hacking GroupTwo vulnerabilities in Mozilla products and Windows are being actively exploited by RomCom, a Kremlin-linked cybercriminal group known for targeting businesses and conducting espionage, warn security researchers from Eset.
See Also: Core Elements of Modern Workforce Identity Security
Researchers identified two critical vulnerabilities in Mozilla Foundation products. One, tracked as CVE-2024-9680, is a use-after-free flaw allowing code execution in the Firefox and the Thunderbird email client. It also affects the Tor Browser, which is a modified version of Firefox. The other flaw CVE‑2024‑49039 is a Windows privilege escalation bug bypassing the Firefox sandbox. Mozilla patched the first on Oct. 9, and Microsoft announced a fix for the second on Nov. 12.
Exploiting the two flaws together enables attackers to execute arbitrary code, an ability that RomCom hackers used to install a backdoor that can run commands and deploy additional modules on the victim's system, said Damien Schaeffer, the researcher who discovered both vulnerabilities. The attack chain uses a fake website to redirect victims to an exploit server that executes shellcode to deploy the backdoor.
"We don’t know how the link to the fake website is distributed; however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required," Schaeffer said in a statement sent to Information Security Media Group. Eset said this is RomCom’s second known zero-day exploit, following its June 2023 exploitation of CVE-2023-36884, a flaw in the Windows search function.
The vulnerabilities carry CVSS scores of 9.8 and 8.8. RomCom has carried out cybercrime and espionage campaigns against the defense, energy and government sectors in Ukraine, as well as the pharmaceutical and insurance sector in the United States, among other global victims (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).
Reports have also previously attributed the Russian hacking group with a series of cyberespionage operations targeting attendees of several high-profile European conferences, including the 2023 Women Political Leaders summit in Brussels. Satnam Narang, senior research engineer at Tenable, said the attack underscores both the persistence of threat actors and the increasing difficulty of breaching browser defenses.
"With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone," Narang said in a statement. "By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox."