A Russia-aligned hacking group known as RomCom carried out a sophisticated cyber attack by chaining two previously unknown security flaws, one in the Firefox browser and one in the Windows operating system, to deliver malicious software without any user interaction.
Security researchers at ESET found that between October 10 and November 4, 2024, RomCom exploited CVE-2024-9680, a use-after-free bug in Firefox, and CVE-2024-49039, a privilege-escalation flaw in the Windows Task Scheduler, to target victims primarily in Europe and North America.
The attack worked by directing victims to attacker-controlled websites that automatically triggered the Firefox vulnerability, allowing the attackers to run code inside the browser's content process. The Windows flaw was then used to escalate privileges and break out of Firefox's sandbox, giving the attackers full control of the victim's computer.
"This attack chain required no clicks or actions from victims - simply visiting the malicious website was enough to compromise their system," explained Damien Schaeffer, the ESET researcher who discovered both vulnerabilities.
The attackers then deployed a backdoor capable of executing commands and downloading additional malicious modules onto infected computers. While the researchers identified the exploit chain itself, they have not determined how victims were initially lured to the malicious websites.
Mozilla responded swiftly after being notified, shipping a Firefox fix within 25 hours. Microsoft fixed the Windows vulnerability later, on November 12. The Tor Browser and the Tails operating system, both of which are built on Firefox, also received updates to address the browser flaw.
RomCom has previously targeted government entities, defense contractors, and energy-sector organizations in Ukraine, as well as pharmaceutical and insurance companies in the US and government agencies across Europe. This is the group's second known major zero-day exploit, following its abuse of a Microsoft Word vulnerability in 2023.
The incident highlights the growing sophistication of state-aligned hacking groups in chaining multiple vulnerabilities for stealthy, zero-click attacks. The practical defense is to apply both fixes, not just one: an updated Firefox closes the entry point, but an unpatched Task Scheduler remains a local privilege-escalation route that any other foothold on the machine could use.