Hacker Group Launches Targeted Attacks Using New Software Vulnerabilities

Russian-linked hacker group RomCom has capitalized on zero-day vulnerabilities in Firefox and Windows, unleashing sophisticated attacks without user interaction.

At a Glance

  • RomCom exploited zero-day vulnerabilities affecting Firefox and Windows users.
  • The attacks involved sophisticated “zero click” methods targeting Ukraine supporters.
  • Security patches from Mozilla and Microsoft addressed the vulnerabilities.
  • RomCom’s attacks highlight the need for robust cybersecurity defenses.

Zero-Day Vulnerabilities Used by RomCom

RomCom has exploited two critical zero-day vulnerabilities, one discovered in Firefox and another in Windows. ESET, a leading cybersecurity firm, identified the vulnerabilities as a “use-after-free” bug in Firefox’s animation timeline (CVE-2024-9680), patched on October 9, as well as a privilege escalation flaw in Windows Task Scheduler (CVE-2024-49039), addressed on November 12. These vulnerabilities facilitated “zero click” attacks across Europe and North America, particularly affecting entities supporting Ukraine.

The RomCom group employed these vulnerabilities as a zero-day chain exploit, enabling remote code execution without user interaction. The attack involved a fake website that redirected victims to a server hosting the exploit, ultimately leading to the execution of the RomCom backdoor. This sophistication indicates the group’s capacity to orchestrate stealthy and impactful cyber campaigns targeting high-value targets involved in defense, energy, and other critical sectors.

Targeting and Impact

The attack specifically targeted Tor Browser versions, affecting numerous users who accessed certain websites controlled by the hackers. Once compromised, the malware allowed attackers to run commands and deploy additional payloads on victims’ devices. The campaign was extensive, with potential targets ranging from single victims per country to as many as 250, according to ESET telemetry.

“This level of sophistication demonstrates the threat actor’s capability and intent to develop stealthy attack methods,” ESET researchers Damien Schaeffer and Romain Dumont stated.

RomCom’s history is instrumental in understanding the extent of their capabilities. Previously, they exploited zero-day vulnerabilities, including an attack during the NATO Summit in July 2023. Their financial motivations are evident, with history linking them to ransomware, extortion, and theft, specifically targeting organizations allied with Ukraine.

Response and Recommendations

Mozilla promptly patched the first vulnerability, whereas Microsoft’s response extended over a month. Google’s Threat Analysis Group involvement hints at possible use in other government-backed hacking efforts, and experts advise users to update their systems immediately to safeguard against such threats.

“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor,” Damien Schaeffer added.