New Vulnerability Discovered in Mozilla Products
Quick take - ESET researchers have discovered a critical vulnerability (CVE-2024-9680) in Mozilla products that allows arbitrary code execution and is currently being exploited by the cybercriminal group RomCom; it can be chained with a Windows vulnerability (CVE-2024-49039) to significantly increase the impact of the exploit.
Fast Facts
- ESET researchers discovered a critical vulnerability (CVE-2024-9680) in Mozilla products, exploited by the RomCom cybercriminal group, with a CVSS score of 9.8.
- The vulnerability affects Firefox, Thunderbird, and the Tor Browser, allowing arbitrary code execution within the browser’s environment.
- RomCom previously exploited another zero-day vulnerability (CVE-2023-36884) and is now leveraging CVE-2024-49039 in Windows, which has a CVSS score of 8.8, to enhance the exploit’s impact.
- Successful exploitation occurs when victims visit compromised web pages, enabling RomCom to install a backdoor for executing commands and downloading malicious modules.
- Mozilla and Microsoft promptly released patches for the vulnerabilities following their discovery and confirmation, with ESET coordinating the disclosure process.
ESET Researchers Identify Significant Vulnerability in Mozilla Products
Overview of the Vulnerability
ESET researchers have identified a significant new vulnerability in Mozilla products, designated as CVE-2024-9680. This vulnerability has been assigned a critical CVSS score of 9.8 and affects various versions of Firefox, Thunderbird, and the Tor Browser. It allows for arbitrary code execution within the browser’s restricted environment. Currently, this vulnerability is being exploited by the cybercriminal group known as RomCom.
This marks the second instance of RomCom leveraging a substantial zero-day vulnerability, following the exploitation of CVE-2023-36884 in June 2023. The new vulnerability can be exploited in conjunction with another flaw in Windows, designated as CVE-2024-49039, which has a CVSS score of 8.8. When combined, these vulnerabilities enable attackers to execute arbitrary code in the context of a logged-in user, significantly increasing the potential impact of the exploit.
Exploitation Details
Successful exploitation occurs when a victim unknowingly visits a compromised web page containing the exploit. This allows an adversary to run arbitrary code without requiring any interaction from the user, resulting in the installation of RomCom’s backdoor on the victim’s machine. The backdoor can execute commands and download additional malicious modules, effectively compromising the system.
The vulnerability was discovered on October 8, 2024, and ESET reported it to Mozilla the same day. Mozilla promptly acknowledged the issue and released a patch on October 9, 2024. The corresponding Windows vulnerability was confirmed by Mozilla, leading to a patch release by Microsoft on November 12, 2024.
RomCom’s Activities and Techniques
RomCom, also known as Storm-0978, Tropical Scorpius, or UNC2596, is a Russia-aligned group engaged in both opportunistic cybercrime and targeted espionage operations. In 2024, the group has expanded its focus to include intelligence collection, targeting various sectors such as government, pharmaceuticals, legal, insurance, defense, and energy.
The compromise chain typically involves a fake website that redirects victims to a server hosting the exploit. The exploit employs JavaScript redirection to a legitimate website after a brief delay to evade detection. Between October 10 and October 16, 2024, additional command-and-control (C&C) servers were identified, utilizing naming conventions that included prefixes or suffixes of legitimate domains to avoid raising suspicion.
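The naming pattern described above (C&C hostnames that borrow a legitimate domain's label as a prefix or suffix) is something a defender can hunt for in DNS or proxy logs. The following is an added illustration, not ESET's code or any indicator from the report; the allow-list, the hostnames and the log lines are all constructed, and the registrable-domain extraction is a deliberate simplification.

```python
"""Flag lookalike hostnames that reuse a legitimate domain's label as a
prefix or suffix. Added defender-side example; every domain and log line
below is constructed and is not a real indicator of compromise."""

from typing import List, Optional, Tuple

# Assumed allow-list of legitimate registrable domains (constructed).
LEGIT_DOMAINS = {"legitcorp.com", "trusted-news.org"}


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.
    A real deployment should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str, legit=LEGIT_DOMAINS) -> Optional[str]:
    """Return the legitimate domain a hostname mimics, or None.
    Exact matches (and their subdomains) are legitimate; a registrable
    label that starts or ends with a legitimate label but is not equal
    to it is reported as a lookalike."""
    reg = registrable(host)
    if reg in legit:
        return None
    label = reg.split(".")[0]
    for good in legit:
        good_label = good.split(".")[0]
        if label != good_label and (
            label.startswith(good_label) or label.endswith(good_label)
        ):
            return good
    return None


# Constructed DNS log lines: "<timestamp> <client> <query> <rcode>".
SAMPLE_LOG = """\
2024-10-11T09:12:01Z 10.0.0.5 legitcorp.com NOERROR
2024-10-11T09:12:02Z 10.0.0.5 cdn-legitcorp.com NOERROR
2024-10-11T09:12:03Z 10.0.0.7 legitcorp-static.com NOERROR
2024-10-11T09:12:04Z 10.0.0.7 trusted-news.org NOERROR
2024-10-11T09:12:05Z 10.0.0.9 mail.example.net NOERROR
"""


def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (queried_name, mimicked_domain) pairs for suspicious lines."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed or empty lines
        mimicked = lookalike_of(parts[2])
        if mimicked:
            hits.append((parts[2], mimicked))
    return hits


if __name__ == "__main__":
    for query, good in scan_log(SAMPLE_LOG):
        print(f"suspicious: {query} resembles {good}")
```

Substring matching of this kind produces false positives on unrelated brands sharing a short label, so treat a hit as a triage lead rather than a verdict.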
The exploit triggers a use-after-free vulnerability in the animation timeline feature of Firefox. The malicious files, created on October 3, 2024, included several JavaScript files targeting different versions of Firefox and the Tor Browser; they manipulate animation objects to trigger the vulnerability and then execute shellcode designed to escape the Firefox sandbox and download the RomCom backdoor.
The second vulnerability in Windows, CVE-2024-49039, enables privilege escalation within the Windows Task Scheduler, allowing the execution of arbitrary applications at a higher privilege level. Following an assessment by Microsoft, a patch was released, introducing more restrictive security descriptors to prevent such privilege escalation.
ESET has shared its findings with Mozilla as part of a coordinated vulnerability disclosure process. The RomCom backdoor employs various techniques for persistence, privilege escalation, and data collection, capable of gathering sensitive information, including passwords and system data, which can be exfiltrated over command-and-control channels. Indicators of compromise (IoCs) related to the exploit and backdoor have been documented, including specific file hashes and network domains associated with RomCom activities.