RomCom exploits vulnerabilities

Recent reports have uncovered that a threat actor known as RomCom has been exploiting two zero-day vulnerabilities, one in Mozilla Firefox and another in Microsoft Windows, to deploy their proprietary backdoor malware. These vulnerabilities, CVE-2024-9680 and CVE-2024-49039, have been actively targeted in attacks across Europe and North America. Continue reading this Cybersecurity Threat Advisory to learn how to defend against RomCom. 

The RomCom campaign exploits two zero-day vulnerabilities in a multi-stage attack. The process begins with Mozilla Firefox's Animation component vulnerability, CVE-2024-9680. This flaw allows attackers to execute arbitrary code within the browser's sandbox. The exploit is triggered when a user visits a maliciously crafted website, often delivered via phishing campaigns or watering hole attacks. This initial stage provides the attacker a foothold within the victim's system, albeit limited to the browser's permissions and sandbox environment.

The second stage involves CVE-2024-49039, a privilege escalation vulnerability in Windows Task Scheduler. After gaining initial foothold within the victim's system, the attacker exploits CVE-2024-49039 to escape the browser's sandbox and escalate to higher privilege on the target system. This escalation enables the execution of the RomCom backdoor, a malicious payload that establishes a persistent remote access point. The backdoor is designed to exfiltrate sensitive data, execute arbitrary commands, and download additional malware, granting attackers full control over the compromised machine.

When combined, these vulnerabilities form a highly effective attack chain that allows the threat actor to transition from unauthorized access to full system compromise with ease. This makes the CSA an ideal target for nation-state actors, as compromising it provides access not only to the CSA itself but also to the broader infrastructure it manages. Such access can enable long-term espionage or disruption campaigns. 

​The combination of two zero-day vulnerabilities enables a zero-click exploit that requires no user interaction. Attackers' prompt exploitation of these flaws before security patches became available highlights their advanced capabilities and intent to develop stealthy attack methods. Additionally, the widespread nature of the campaign, targeting users across Europe and North America, underscores the broad risk posed by such sophisticated threats.

Organizations using unpatched versions of Firefox and Windows are at high risk of compromise. Successful exploitation can lead to unauthorized access, data exfiltration, and potential deployment of additional malware. The RomCom backdoor's ability to execute commands and download further payloads poses a significant threat to the confidentiality, integrity, and availability of organizational data and systems. 

 LBT Technology Group strongly recommends organizations to take these additional steps to defend their machines against this threat:

• Update all systems with the latest security patches from Mozilla and Microsoft.
• Limit administrative rights to only those users and processes that require them.
• Segregate critical assets on the network and restrict access using network segmentation to prevent lateral movement in case of compromise.
• Configure Firefox to block JavaScript by default on untrusted websites. This can reduce the likelihood of exploit delivery via malicious websites.
• Monitor for unexpected creation or modification of tasks as this could signal exploitation attempts.

 For more in-depth information about the recommendations, please visit the following links:

• https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
• https://nvd.nist.gov/vuln/detail/CVE-2024-49039
• https://nvd.nist.gov/vuln/detail/CVE-2024-9680

If you have any questions, please contact LBT's Sales Engineer.