The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.
For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.
On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.
Luckily, both issues were remediated quickly. “The attackers only had a really small window to try to compromise computers,” explains Romain Dumont, malware researcher with ESET. “Yes, there was a zero-day vulnerability. But, still, it was patched really fast.”
Dark Reading has reached out to Mozilla for comment on this story.
A Zero-Day in Firefox & Tor
The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a “critical” 9.8 rating from the Common Vulnerability Scoring System (CVSS).
