For a brief window of time in October, Russian hackers had the ability to run arbitrary code against anyone on Earth using Firefox or Tor.
On Oct. 8, researchers from ESET first noticed malicious files on a server controlled by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.
Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."
Dark Reading has reached out to Mozilla for comment on this story.
A Zero-Day in Firefox & Tor
The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free bug in Firefox animation timelines, the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary code execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS).
Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client Thunderbird is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.
In October, RomCom deployed specially crafted websites that would immediately trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.
These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.
It is unclear by what means of social engineering RomCom might have spread these malicious sites.
What We Know of RomCom’s Marketing campaign
Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure call (RPC) endpoint unintentionally accessible to low-level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.
The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the vast majority of targets were located in North America and Europe, notably the Czech Republic, France, Germany, Poland, Spain, Italy, and the US, plus scattered victims in New Zealand and French Guiana.
Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET, speculates. He notes, too, that RomCom's primary targets appeared to be companies, which rarely use Tor.
Both CVE-2024-9680 and CVE-2024-49039 have since been patched, the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.
"By now, I hope, the problem is sort of done," Schaeffer says. Still, for any given organization, "It will depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."
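The patch-management point above is the practical takeaway: the chain only works against a host that is exposed on both sides, an unpatched Mozilla client (Firefox, Thunderbird, or Tor Browser, which is built from Firefox ESR) for CVE-2024-9680 and a Windows install missing the Nov. 12 update for CVE-2024-49039. The script below is an added example, not code from ESET, Mozilla, Microsoft or this article, that triages a software inventory against the two bugs and reports which hosts are still open to the full chain versus one half of it. It assumes a constructed inventory format (`Host`), and the "fixed" Mozilla version strings are placeholders (values like `200.0.0` are made up): the article gives patch dates, not build numbers, so those values must be taken from the vendor advisories.

```python
"""Inventory triage for the RomCom zero-days CVE-2024-9680 and CVE-2024-49039.

Added example; not code from ESET, Mozilla, Microsoft or the article.
Inventory records are constructed. The fixed Mozilla version numbers are
PLACEHOLDERS (the article gives only patch dates), so replace them with the
build numbers from the vendor advisories before real use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Patch dates stated in the article.
MOZILLA_PATCH_DATE = date(2024, 10, 9)   # CVE-2024-9680 fixed by Mozilla
WINDOWS_PATCH_DATE = date(2024, 11, 12)  # CVE-2024-49039 fixed by Microsoft

# Products that ship the affected Mozilla code, per the article.
MOZILLA_PRODUCTS = {"firefox", "thunderbird", "tor browser"}

# PLACEHOLDER fixed versions (constructed, not the real numbers).
FIXED_PLACEHOLDER = {"firefox": "200.0.0", "thunderbird": "200.0.0", "tor browser": "20.0"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '128.3.1esr' or '131.0.2' into a comparable tuple; suffixes such as 'esr' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_below(installed: str, fixed: str) -> bool:
    """True when `installed` is older than `fixed`; shorter tuples are zero-padded so '200.1' == '200.1.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass
class Host:
    name: str
    os: str                                  # "windows" or anything else
    os_patched_on: date | None               # last OS update date; None = unknown
    mozilla_apps: dict[str, str] = field(default_factory=dict)  # product -> installed version


def exposure(host: Host, fixed_mozilla: dict[str, str]) -> set[str]:
    """Return the set of CVE ids the host is still exposed to.

    Unknown fixed versions and unknown OS patch dates are treated as exposed:
    a triage script should fail towards "look at this host", not away from it.
    """
    cves: set[str] = set()
    for product, version in host.mozilla_apps.items():
        key = product.lower()
        if key not in MOZILLA_PRODUCTS:
            continue
        fixed = fixed_mozilla.get(key)
        if fixed is None or version_below(version, fixed):
            cves.add("CVE-2024-9680")
    if host.os.lower() == "windows":
        if host.os_patched_on is None or host.os_patched_on < WINDOWS_PATCH_DATE:
            cves.add("CVE-2024-49039")
    return cves


def classify(cves: set[str]) -> str:
    """Collapse the CVE set into the state a responder cares about."""
    if {"CVE-2024-9680", "CVE-2024-49039"} <= cves:
        return "full-chain"       # browser RCE plus sandbox escape both possible
    if "CVE-2024-9680" in cves:
        return "browser-only"     # RCE in the sandbox, no known escape via this chain
    if "CVE-2024-49039" in cves:
        return "windows-only"     # local privilege escalation still available
    return "ok"


def triage(hosts: list[Host], fixed_mozilla: dict[str, str]) -> dict[str, str]:
    """Map host name -> classification for the whole inventory."""
    return {h.name: classify(exposure(h, fixed_mozilla)) for h in hosts}


# Constructed sample inventory (names, dates and versions are made up).
SAMPLE_HOSTS = [
    Host("ws-01", "windows", date(2024, 11, 1), {"firefox": "199.0.1"}),    # old browser, old OS
    Host("ws-02", "windows", date(2024, 11, 20), {"firefox": "199.0.1"}),   # old browser only
    Host("ws-03", "windows", date(2024, 10, 1), {"firefox": "200.0.0"}),    # old OS only
    Host("mac-01", "macos", None, {"firefox": "200.1"}),                    # not Windows, current browser
    Host("ws-04", "windows", None, {"tor browser": "19.5.3"}),              # unknown OS patch state
]

if __name__ == "__main__":
    for name, state in triage(SAMPLE_HOSTS, FIXED_PLACEHOLDER).items():
        print(f"{name:8} {state}")
```

The conservative defaults are deliberate: a host whose fixed version or OS patch date is unknown is reported as exposed, which is the direction a responder wants a triage list to err in during a window like the Oct. 3 to Oct. 9 one described above.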