
Russian Hackers Target Mozilla, Windows in New Exploit Chain

Eset Discovers 2 Major Vulnerabilities Exploited by Russian RomCom Hacking Group
Eset said it uncovered critical vulnerabilities in Mozilla products and Windows exploited by the RomCom group to deploy a backdoor. (Image: Mozilla Foundation)

Two vulnerabilities in Mozilla products and Windows are being actively exploited by RomCom, a Kremlin-linked cybercriminal group known for targeting businesses and conducting espionage, warn security researchers from Eset.


Researchers identified two critical vulnerabilities. One, tracked as CVE-2024-9680, is a use-after-free flaw in Mozilla Foundation products that allows code execution in Firefox and the Thunderbird email client. It also affects the Tor Browser, which is a modified version of Firefox. The other flaw, CVE-2024-49039, is a Windows privilege escalation bug used to bypass the Firefox sandbox. Mozilla patched the first on Oct. 9, and Microsoft announced a fix for the second on Nov. 12.

Exploiting the two flaws together enables attackers to execute arbitrary code, an ability that RomCom hackers used to install a backdoor that can run commands and deploy additional modules on the victim's system, said Damien Schaeffer, the researcher who discovered both vulnerabilities. The attack chain uses a fake website to redirect victims to an exploit server that executes shellcode to deploy the backdoor.

"We don’t know how the link to the fake website is distributed; however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required," Schaeffer said in a statement sent to Information Security Media Group. Eset said this is RomCom’s second known zero-day exploit, following its June 2023 exploitation of CVE-2023-36884, a flaw in the Windows search function.

The vulnerabilities carry CVSS scores of 9.8 and 8.8, respectively. RomCom has carried out cybercrime and espionage campaigns against the defense, energy and government sectors in Ukraine, as well as the pharmaceutical and insurance sectors in the United States, among other global victims (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).

Reports have also previously attributed to the Russian hacking group a series of cyberespionage operations targeting attendees of several high-profile European conferences, including the 2023 Women Political Leaders summit in Brussels. Satnam Narang, senior research engineer at Tenable, said the attack underscores both the persistence of threat actors and the increasing difficulty of breaching browser defenses.

"With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone," Narang said in a statement. "By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox."


About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
