The Russia-aligned hacking group RomCom carried out a sophisticated attack that chained two previously unknown security flaws, one in Mozilla Firefox and one in Windows, to compromise targeted systems with no user interaction beyond loading a web page.
The attack chain, discovered by cybersecurity firm ESET, combined two "zero-day" vulnerabilities: CVE-2024-9680, a use-after-free bug in Firefox's animation timeline code that gave the attackers code execution inside the browser's sandboxed content process, and CVE-2024-49039, a privilege-escalation flaw in the Windows Task Scheduler that let that code escape the sandbox and run with the privileges of the logged-in user. Together they allowed the attackers to execute malicious code and install a backdoor on a victim's computer simply by having the victim visit an attacker-controlled web page. Because Thunderbird and the Tor Browser share Firefox's engine, the browser flaw affected them as well.
"The attack required absolutely no user interaction - just visiting an infected website was enough to trigger the exploit chain," explained ESET researcher Damien Schaeffer, who uncovered both vulnerabilities.
The campaign primarily targeted organizations in Europe and North America between October 10 and November 4, 2024. Victims were redirected from fake websites to servers hosting the exploit code, though researchers have not determined how victims were initially lured to these sites.
Once installed, RomCom's backdoor let the attackers run commands and download additional malicious modules onto the compromised machine.
After ESET reported the Firefox vulnerability to Mozilla on October 8, Mozilla shipped fixes within 25 hours, in Firefox 131.0.2 and in the ESR 128.3.1 and 115.16.1 branches. Microsoft followed with a fix for the Windows Task Scheduler flaw in its November 12 Patch Tuesday release.
The RomCom group, also tracked as Storm-0978, has a history of targeting government entities, defense contractors, and various business sectors across Ukraine, the US, Germany and other European countries. This marks its second major zero-day campaign, following its abuse of a Microsoft Word vulnerability (CVE-2023-36884) in 2023.
This incident highlights the growing sophistication of state-aligned hacking groups and their ability to chain multiple vulnerabilities for maximum impact. Users and administrators should make sure Firefox (including the ESR branches), Thunderbird and the Tor Browser are on the fixed versions, and that the November 2024 Windows updates are applied. Either patch breaks this particular chain, but both matter: the Task Scheduler flaw is a local privilege-escalation bug that any other sandboxed code-execution bug could be paired with.
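As an added example, not code from the article, ESET or Mozilla: a small Python triage script that flags hosts in a software inventory whose Firefox build predates the CVE-2024-9680 fix. It is branch-aware, since ESR 128.x and ESR 115.x keep their own major numbers and have their own fixed versions. The fixed versions used (131.0.2, ESR 128.3.1, ESR 115.16.1) are what Mozilla's advisory listed; treat them as an assumption to confirm against the advisory before relying on the script, and the inventory lines are constructed sample data.

```python
"""Triage check: which hosts in an inventory still run a Firefox build
without the fix for CVE-2024-9680?

Added example, not from the original article or from ESET/Mozilla. The fixed
versions below are taken from Mozilla's advisory as the author recalls it and
should be verified against the current advisory before use.
"""
import re

# Minimum version that carries the fix, per release branch (assumption to
# verify against Mozilla's advisory for CVE-2024-9680).
FIXED_VERSIONS = {
    "release": (131, 0, 2),
    "esr128": (128, 3, 1),
    "esr115": (115, 16, 1),
}


def parse_version(text):
    """Pull a dotted version out of strings such as 'Mozilla Firefox 131.0.1'
    or '128.3.0esr'. A missing patch component counts as 0."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def branch_of(version):
    """Map a version to the branch whose fixed version applies to it.
    ESR branches keep their major number, so the major is enough to tell
    them apart from the rapid-release branch."""
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(text):
    """True if the build described by `text` is at or above the fixed version
    for its branch. Rapid-release builds older than 131.0.2 (e.g. 130.0) are
    unpatched: on that branch the fix only exists from 131.0.2 onward."""
    version = parse_version(text)
    return version >= FIXED_VERSIONS[branch_of(version)]


def unpatched_hosts(inventory_lines):
    """Return hostnames whose Firefox build lacks the fix.
    Each line is '<hostname> <product string>', as a software inventory
    export might produce it. Lines with no product string are skipped."""
    flagged = []
    for line in inventory_lines:
        host, _, product = line.strip().partition(" ")
        if not product:
            continue  # malformed line: hostname only
        if not is_patched(product):
            flagged.append(host)
    return flagged


# Constructed sample inventory for demonstration; not real data.
SAMPLE_INVENTORY = [
    "ws-001 Mozilla Firefox 131.0.1",
    "ws-002 Mozilla Firefox 131.0.2",
    "ws-003 Mozilla Firefox 128.3.0esr",
    "ws-004 Mozilla Firefox 128.3.1esr",
    "ws-005 Mozilla Firefox 115.16.0esr",
    "ws-006 Mozilla Firefox 130.0",
    "ws-007 Mozilla Firefox 132.0",
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox build predates the CVE-2024-9680 fix")
```

Running it flags ws-001, ws-003, ws-005 and ws-006. Thunderbird and the Tor Browser use their own version numbers, so they need their own fixed-version table rather than this one, and the Windows side of the chain (CVE-2024-49039) is a cumulative-update question for patch-management tooling, not something a product version string can answer.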