For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone on Earth using Firefox or Tor.
On Oct. 8, researchers from ESET first spotted malicious files on a server controlled by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.
Fortunately, both issues were remediated quickly. “The attackers only had a really small window to try to compromise computers,” explains Romain Dumont, malware researcher with ESET. “Yes, there was a zero-day vulnerability. But, still, it was patched really fast.”
Dark Reading has reached out to Mozilla for comment on this story.
A Zero-Day in Firefox & Tor
The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free flaw in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its potential to give attackers arbitrary code execution earned it a “critical” 9.8 rating from the Common Vulnerability Scoring System (CVSS).
Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla’s open source email client Thunderbird is also impacted, as is the ultra-secretive Tor browser, which is built from a modified version of Firefox’s Extended Support Release (ESR) browser.
In October, RomCom deployed specially crafted websites that would immediately trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.
These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.
It is unclear by what means of social engineering RomCom might have spread these malicious sites.
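The drive-by pattern described above leaves a recognizable trace in web proxy logs: a client requests a host that resembles a watched brand, and that host then answers with a redirect to the brand's real site. The following detection script is an added example written for this article, not code from ESET, Dark Reading or the RomCom campaign. The watchlist of legitimate domains, the log format (timestamp, client IP, host, HTTP status, Location header or `-`) and every host in the sample log are constructed assumptions; no real malicious domain from the campaign is used.

```python
"""Flag drive-by candidates in proxy logs: requests to hosts that impersonate a
watched brand, with higher severity when the lookalike redirects to the real site."""
from __future__ import annotations

import difflib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed legitimate domains of the brands the article says were mimicked.
WATCHLIST = ("connectwise.com", "devolutions.net", "correctiv.org")
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample proxy log: "<timestamp> <client> <host> <status> <location|->".
# The lookalike hosts below are placeholders invented for this example.
SAMPLE_LOG = """\
2024-10-07T09:14:02Z 10.0.0.5 connectwise-example.test 200 -
2024-10-07T09:14:03Z 10.0.0.5 connectwise-example.test 200 -
2024-10-07T09:14:05Z 10.0.0.5 connectwise-example.test 302 https://connectwise.com/
2024-10-07T09:20:11Z 10.0.0.9 mail.example.test 200 -
2024-10-07T10:01:40Z 10.0.0.7 devolutions.net 200 -
2024-10-07T11:30:00Z 10.0.0.8 correctiv-example.test 302 https://correctiv.org/
2024-10-07T12:00:00Z 10.0.0.11 devolutlons.net 200 -
"""


@dataclass
class Alert:
    client: str
    host: str
    brand: str
    reason: str


def _brand_label(domain: str) -> str:
    """'connectwise.com' -> 'connectwise'."""
    return domain.split(".")[0]


def _host_label(host: str) -> str:
    """Label left of the TLD: 'a.connectwise-example.test' -> 'connectwise-example'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def matched_brand(host: str, threshold: float = 0.8) -> str | None:
    """Return the watchlist domain that `host` impersonates, or None.

    The real domain (or a subdomain of it) is never reported as a lookalike.
    A host counts as a lookalike when its registrable label contains the brand
    name or is close to it by edit similarity (typosquats such as 'devolutlons').
    """
    host = host.lower()
    if host in WATCHLIST or any(host.endswith("." + d) for d in WATCHLIST):
        return None
    label = _host_label(host)
    for brand in WATCHLIST:
        name = _brand_label(brand)
        if name in label or difflib.SequenceMatcher(None, name, label).ratio() >= threshold:
            return brand
    return None


def find_driveby_candidates(log_text: str) -> list[Alert]:
    """One alert per (client, lookalike host); a redirect to the real site outranks a plain visit."""
    alerts: dict[tuple[str, str], Alert] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, host, status, location = line.split()
        brand = matched_brand(host)
        if brand is None:
            continue
        key = (client, host.lower())
        loc_host = urlsplit(location).hostname if location != "-" else None
        redirected = (
            int(status) in REDIRECT_CODES
            and loc_host is not None
            and (loc_host == brand or loc_host.endswith("." + brand))
        )
        if redirected:
            alerts[key] = Alert(client, host, brand, "lookalike host redirected client to the real site")
        elif key not in alerts:
            alerts[key] = Alert(client, host, brand, "request to lookalike host")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_driveby_candidates(SAMPLE_LOG):
        print(f"{alert.client} -> {alert.host} (mimics {alert.brand}): {alert.reason}")
```

The redirect-to-legitimate-site rule is the stronger signal here, because it reproduces the behaviour the article describes: the victim ends up on the page they expected, so nothing in the browser itself looks wrong. The similarity threshold is a tuning knob; too low and ordinary hosts trip it, too high and single-character typosquats slip past.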
What We Know of RomCom’s Campaign
Not content with only running code in a victim’s browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure call (RPC) endpoint unintentionally accessible to low-privileged users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim’s machine at large.
The damage that might have been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What is clear at this point is that the vast majority of targets were located in North America and Europe — notably the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.
Also, notably, none of the victims tracked by ESET were compromised via Tor. “Tor has some predefined settings that differ from Firefox, so maybe it wouldn’t have worked,” Damien Schaeffer, senior malware researcher at ESET, speculates. He notes, too, that RomCom’s primary targets appeared to be companies, which rarely use Tor.
Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.
“By now, I hope, the problem is kind of done,” Schaeffer says. Still, for any given organization, “It’s going to depend on their policies. If you have good patch management, this will have been fixed in one day or so. But it’s up to people to fix their stuff.”