Russian hackers are capitalizing on a critical zero-day vulnerability affecting Firefox, Thunderbird, and the Tor Browser. The cybercrooks can run arbitrary code without any user interaction – just by visiting a web page with an exploit. Mozilla patched the vulnerable products on October 9th.
On October 8th, ESET researchers discovered a previously unknown critical zero-day, rated 9.8 out of 10 in severity, affecting the animation timeline feature in Mozilla products.
Russian hackers, in a widespread campaign, chained the vulnerability with another high-severity (8.8/10) Windows zero-day to escape Firefox’s sandbox, elevate privileges, and run arbitrary code. Microsoft released a patch for this second flaw on November 12th.
The flaws were exploited in the wild. RomCom was behind the attacks, a Russia-aligned threat actor who had previously attacked Ukrainian and Polish entities and conducted other targeted espionage operations and opportunistic campaigns against companies.
Chaining the two zero-days gives the attackers a so-called zero-click exploit: the target only has to load the page.
“If a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer,” ESET explains.
The attack chain is therefore quite simple. The attackers set up fake websites, such as economistjournal[.]cloud, that redirect potential victims to a server hosting the exploit. The shellcode downloads and executes the RomCom backdoor, and the victim is then redirected to the legitimate website so as not to raise suspicion.
It is unclear how the hackers disseminated the malicious links. However, once clicked, no further user interaction is required.
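One way to turn the redirect chain described above into a hunting query over web-proxy logs, as an added example that is not from the original article or from ESET: the log format, the client addresses, the time window, and every host other than economistjournal[.]cloud are constructed placeholders.

```python
from datetime import datetime, timedelta

# Lure domain reported in the article, refanged for matching. Anything else here is a constructed placeholder.
WATCHLIST = {"economistjournal.cloud"}

# Constructed proxy log lines: "<ISO time> <client> <status> <requested host> <redirect target host or ->"
SAMPLE_LOGS = """\
2024-10-15T09:12:01 10.0.0.5 302 economistjournal.cloud exploit-host.example
2024-10-15T09:12:02 10.0.0.5 200 exploit-host.example -
2024-10-15T09:12:04 10.0.0.5 302 exploit-host.example legit-news.example
2024-10-15T09:12:05 10.0.0.5 200 legit-news.example -
2024-10-15T09:20:00 10.0.0.7 200 legit-news.example -
2024-10-15T11:00:00 10.0.0.9 200 economistjournal.cloud -
2024-10-15T11:05:00 10.0.0.9 302 other.example legit-news.example
"""


def parse(log_text: str) -> list[tuple]:
    """Split each log line into (timestamp, client, status, host, redirect_target)."""
    events = []
    for line in log_text.splitlines():
        ts, client, status, host, target = line.split()
        events.append((datetime.fromisoformat(ts), client, int(status), host, target))
    return events


def find_redirect_chains(log_text: str, watchlist=WATCHLIST, window_s: int = 30) -> list[tuple]:
    """Return (client, lure_host, landing_host, seconds) for each client that hit a
    watchlisted lure and, within window_s, was bounced by a 3xx onto a host it had not
    yet visited (the 'redirect back to the legitimate site' step in the chain)."""
    events = sorted(parse(log_text), key=lambda e: (e[1], e[0]))  # group by client, then time
    hits = []
    for i, (t0, client, _, host, lure_target) in enumerate(events):
        if host not in watchlist:
            continue
        seen = {host, lure_target}  # hosts already part of the chain (lure, exploit server)
        for t1, c1, status, h1, target in events[i + 1:]:
            if c1 != client or t1 - t0 > timedelta(seconds=window_s):
                break  # next client, or outside the hunting window
            seen.add(h1)
            if 300 <= status < 400 and target not in seen and target not in watchlist:
                hits.append((client, host, target, int((t1 - t0).total_seconds())))
                break
    return hits


if __name__ == "__main__":
    for client, lure, landing, secs in find_redirect_chains(SAMPLE_LOGS):
        print(f"{client}: {lure} -> ... -> {landing} after {secs}s")
```

Widening `window_s` trades false negatives for false positives; the second lure visit in the sample only surfaces once the window covers its five-minute gap.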
“This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities,” ESET said.
Unpatched versions of Firefox, Firefox ESR, the Tor Browser, and Thunderbird are all affected by the critical flaw, tracked as CVE-2024-9680.
ESET telemetry reveals hundreds of victims who visited malicious websites between October 10th and November 4th, mainly in Europe and North America.
“The number of potential targets runs from a single victim per country to as many as 250,” ESET assesses.
Mozilla acted responsibly and released a patch within a day.
“When Firefox prompts you to upgrade, click that button,” Mozilla urges in a blog post.
The high-severity Windows Task Scheduler elevation of privilege vulnerability, CVE-2024-49039, allows a malicious application to break out of its restricted security sandbox, elevate its privileges, and access sensitive system functions.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to the Known Exploited Vulnerabilities Catalog and urged governmental organizations to apply mitigations.