Security researchers at ESET have uncovered a sophisticated cyber attack campaign orchestrated by the RomCom threat actor, exploiting previously unknown vulnerabilities in Mozilla Firefox and Microsoft Windows. The campaign, targeting organizations across Europe and North America, demonstrates the group’s advanced technical capabilities and persistent threat to critical infrastructure.
Analysis of the Zero-Day Vulnerabilities
The first vulnerability, tracked as CVE-2024-9680, affects Firefox’s Animation timelines component. This use-after-free flaw enables attackers to execute arbitrary code, though that code is still confined by the browser’s sandbox. Mozilla addressed this security issue on October 9, 2024, following ESET’s responsible disclosure. The second vulnerability (CVE-2024-49039) resides in the Windows Task Scheduler and allows the sandboxed code to escalate its privileges to Medium Integrity level, effectively bypassing Firefox’s sandbox protection.
Advanced Attack Chain and Exploitation Technique
RomCom’s attack methodology reveals sophisticated operational capabilities, combining both vulnerabilities in a seamless attack chain. The compromise begins when victims are redirected to malicious websites hosting the exploit. The attack sequence executes automatically, requiring no user interaction, and culminates in the deployment of RomCom’s custom backdoor malware.
Impact Assessment and Target Analysis
ESET’s telemetry data indicates varying infection rates across different regions, with some countries reporting up to 250 compromised systems. The campaign primarily targets high-value sectors, including:
– Government institutions
– Defense industry organizations
– Energy sector companies
– Pharmaceutical corporations
– Insurance providers
Historical Context and Threat Evolution
This campaign marks a continuation of RomCom’s sophisticated operations, following their July 2023 attacks targeting NATO summit participants using the CVE-2023-36884 zero-day exploit. The group’s evolving tactics and persistent targeting of critical infrastructure highlight the growing sophistication of state-sponsored cyber threats.
Organizations must implement comprehensive security measures to protect against such advanced threats. Key recommendations include prompt security patch deployment, implementation of defense-in-depth strategies, and continuous security monitoring with particular emphasis on browser and system-level protection. Security teams should prioritize vulnerability management and maintain robust incident response capabilities to effectively counter sophisticated attack campaigns like those employed by RomCom.
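The patch-deployment recommendation above turns on one practical question: which hosts are still running a Firefox or Windows build older than the fix for CVE-2024-9680 or CVE-2024-49039? The following triage script is an added example written for this article; it is not ESET’s, Mozilla’s or Microsoft’s tooling. It assumes a software inventory of hostname, product and version string (a constructed sample is embedded) and a table of minimum patched versions per channel. The thresholds in the sample are constructed placeholders for illustration; the real fixed versions must be taken from the vendors’ advisories for the two CVEs. The example goes slightly beyond the article by handling the case that makes naive version checks wrong: Firefox ESR lines and Windows build lines are each patched independently, so a host on a lower-numbered ESR release can be fully patched while a higher-numbered release build is not.

```python
"""Patch-status triage for the RomCom zero-days (added example, not vendor code).

Takes an inventory of hosts and a per-channel table of minimum patched
versions, and buckets each host as vulnerable, patched, or unknown.
All version thresholds below are CONSTRUCTED placeholders: replace them
with the fixed versions from Mozilla's advisory for CVE-2024-9680 and
Microsoft's advisory for CVE-2024-49039.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    product: str   # "firefox" or "windows" (hypothetical inventory schema)
    version: str   # e.g. "131.0.1", "128.3.0esr", "10.0.19045.4957"


def parse_version(raw: str) -> tuple:
    """Turn '128.3.0esr' into (128, 3, 0); non-numeric suffixes are dropped."""
    nums = re.findall(r"\d+", raw)
    if not nums:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(int(n) for n in nums)


def firefox_channel(raw: str) -> str:
    """Firefox ESR lines (115.x, 128.x, ...) receive their own fixes, so they
    must be compared against their own minimum, not the release line's."""
    if raw.lower().endswith("esr"):
        return f"esr{parse_version(raw)[0]}"
    return "release"


def channel_key(host: Host) -> str:
    """Map a host to the channel whose minimum patched version applies."""
    if host.product == "firefox":
        return f"firefox:{firefox_channel(host.version)}"
    if host.product == "windows":
        # Each Windows build line (major.minor.build) gets its own cumulative
        # update, so the threshold is keyed by build line.
        major, minor, build = parse_version(host.version)[:3]
        return f"windows:{major}.{minor}.{build}"
    return f"{host.product}:unknown"


def is_vulnerable(host: Host, minimums: dict) -> Optional[bool]:
    """True if below the patched minimum for its channel, False if patched,
    None if no minimum is known for that channel (needs manual review)."""
    key = channel_key(host)
    if key not in minimums:
        return None
    return parse_version(host.version) < parse_version(minimums[key])


def triage(hosts, minimums) -> dict:
    """Return {'vulnerable': [...], 'patched': [...], 'unknown': [...]}."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host in hosts:
        state = is_vulnerable(host, minimums)
        bucket = "unknown" if state is None else ("vulnerable" if state else "patched")
        report[bucket].append(host.name)
    return report


# CONSTRUCTED thresholds for illustration only (see module docstring).
SAMPLE_MINIMUMS = {
    "firefox:release": "131.0.2",
    "firefox:esr128": "128.3.1esr",
    "firefox:esr115": "115.16.1esr",
    "windows:10.0.19045": "10.0.19045.5131",
}

# CONSTRUCTED inventory sample.
SAMPLE_HOSTS = [
    Host("ws-01", "firefox", "131.0.1"),          # release line, below minimum
    Host("ws-02", "firefox", "128.3.0esr"),       # ESR 128 line, below minimum
    Host("ws-03", "firefox", "115.16.1esr"),      # ESR 115 line, exactly at minimum
    Host("ws-04", "firefox", "132.0"),            # release line, above minimum
    Host("ws-05", "windows", "10.0.19045.4957"),  # known build line, below minimum
    Host("ws-06", "windows", "10.0.22631.4460"),  # build line with no threshold
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS, SAMPLE_MINIMUMS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Note the "unknown" bucket: a host whose channel has no threshold is deliberately not reported as patched, since silently passing it is the failure mode that leaves an unpatched build line in production.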