A cyber attack that chained two zero-day security vulnerabilities together, one with a CVSS severity rating of 9.8 and the other 8.8, has been attributed by security researchers to a known Russia-aligned threat group called RomCom. The attack, using these previously unknown vulnerabilities, exploited both the Mozilla Firefox web browser and Windows itself in order to install a backdoor capable of executing commands and downloading further malware onto the target computer. Here’s what we know about the RomCom attack against Windows users.
The RomCom Zero-Click Cyber Attack Explained
With potential victims primarily located in Europe and North America, security researchers from ESET have published a detailed analysis of what they describe as a widespread campaign. To get an idea of how serious this attack was: it chained not one but two zero-day vulnerabilities into a single exploit that could install a backdoor, controlled by the Russian operators, on Windows computers.
The Mozilla vulnerability, CVE-2024-9680, carrying an extremely high CVSS severity rating of 9.8 out of 10, was a use-after-free memory flaw in the Firefox animation timeline feature. Meanwhile, the Windows zero-day, CVE-2024-49039, rated at 8.8 out of 10, was a privilege escalation flaw that let code already running inside the Firefox browser security sandbox break out of it and execute on the underlying system. Chaining the two together in a zero-click exploit, where simply loading a malicious page is enough and no further user interaction is needed, is about as close to a 10 out of 10 danger rating as I can think of.
“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor,” Damien Schaeffer, the ESET researcher who discovered both vulnerabilities, said.
Putting A Stop To The RomCom Cyber Attack Demanded Quick Action
Both vulnerabilities have now been patched by their respective vendors, and Schaeffer thanked the Mozilla team in particular “for being very responsive and to highlight their impressive work ethic to release a patch within a day.” The Firefox vulnerability was reported on Oct. 8 and patched on Oct. 9.
The Windows vulnerability, meanwhile, was fixed as part of the Patch Tuesday security roundup on Nov. 12. Although that looks, at first glance, like a concerning delay, remember that this particular chain needed both bugs unpatched to succeed: once Firefox was fixed, the browser-side entry point used by RomCom was closed. The caveat is that a privilege escalation flaw is useful to any attacker who can get code running on an unpatched machine by some other route, so the November Windows update was not optional just because Firefox had already been fixed.
However, this is no time to rest on your laurels and assume the danger has passed, especially if you are not on top of your software and operating system updates, as Mike Walters, president and co-founder of Action1, pointed out. “The exploitation techniques used by the RomCom attackers pose notable risks to other organizations, highlighting several vulnerabilities and potential attack vectors.” Walters went on to state that organizations running outdated versions of software, such as Firefox or Windows, that haven’t been patched for known vulnerabilities are “at significant risk.”
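As a practical check to go with that advice, here is an added example (written for this article; it is not ESET’s, Mozilla’s or Action1’s code) that triages a software inventory for Firefox builds still lacking the CVE-2024-9680 fix. It assumes the fixed-version floors Mozilla shipped on Oct. 9 (Firefox 131.0.2, ESR 128.3.1 and ESR 115.16.1; confirm these against Mozilla’s advisory for the CVE before relying on them) and runs over a constructed inventory rather than real data. The point it makes is that the check has to be branch-aware: a naive “version at least 131.0.2” test would wrongly flag a fully patched ESR 128.3.1 install as vulnerable, while an old mainline build such as 130.0.1 has to be flagged even though it is newer than either ESR floor.

```python
"""Branch-aware check of Firefox versions against the fixed releases for CVE-2024-9680.

Added example for this article; not vendor or researcher code.
Assumption: the fixed-version floors below are the ones Mozilla shipped on
Oct. 9, 2024 (Firefox 131.0.2, ESR 128.3.1, ESR 115.16.1). Confirm them
against Mozilla's advisory before using this in production.
"""
import re

# Minimum fixed version per release branch. The two ESR branches are keyed by
# major version; every other major falls under the mainline release floor.
FIXED_VERSIONS = {
    "release": (131, 0, 2),
    115: (115, 16, 1),
    128: (128, 3, 1),
}


def parse_version(text):
    """Turn '131.0.2' or '128.3.1esr' into a comparable integer tuple.

    Suffixes such as 'esr' or 'b3' are ignored; missing components pad to 0,
    so '131' compares as (131, 0, 0).
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_patched(version_text):
    """True if this Firefox build includes the CVE-2024-9680 fix.

    The floor is chosen per branch: ESR 115 and ESR 128 received their own
    fixed releases, anything else older than 131 never got the fix, and
    mainline builds are compared against 131.0.2.
    """
    v = parse_version(version_text)
    major = v[0]
    if major in FIXED_VERSIONS:      # ESR branch with its own floor
        return v >= FIXED_VERSIONS[major]
    if major < 131:                  # end-of-life mainline or unsupported ESR
        return False
    return v >= FIXED_VERSIONS["release"]


# Constructed sample inventory (host, product, version). Not real data.
SAMPLE_INVENTORY = """\
ws-finance-01,Mozilla Firefox,131.0.2
ws-finance-02,Mozilla Firefox,130.0.1
ws-legal-07,Mozilla Firefox ESR,128.3.1esr
ws-legal-08,Mozilla Firefox ESR,128.3.0esr
srv-kiosk-03,Mozilla Firefox ESR,115.16.1esr
ws-dev-11,Mozilla Firefox,132.0
"""


def triage(inventory_csv):
    """Return (host, version) pairs whose Firefox still lacks the fix."""
    exposed = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if "firefox" not in product.lower():
            continue
        if not is_patched(version):
            exposed.append((host, version))
    return exposed


if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {version} still exposed to CVE-2024-9680; update now")
```

Only the browser half of the chain is checked here. The Windows side (CVE-2024-49039) is delivered in a cumulative update whose build number differs per Windows release, so verify that from your patch-management tooling rather than from a version string.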