Researchers have discovered a previously unknown vulnerability in Mozilla products being exploited in the wild by the Russia-aligned group RomCom. This marks at least the second time RomCom has been caught exploiting significant zero-day vulnerabilities, following a similar incident with Microsoft Word. This critical vulnerability, with a CVSS score of 9.8, impacts vulnerable versions of Firefox, Thunderbird, and the Tor Browser, allowing the execution of code in the restricted context of the browser.
This is chained with another newly discovered Windows vulnerability, with a CVSS score of 8.8, enabling arbitrary code execution in the context of the logged-in user. In a successful attack, an adversary can execute code on a victim’s computer without any user interaction, leading to the installation of RomCom’s backdoor. The exploit can occur when a user simply browses to a compromised web page.
Researchers discovered the Mozilla zero-day vulnerability on October 8, 2024. It was identified as a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched this vulnerability on October 9, 2024.
Further analysis identified another zero-day vulnerability in Windows, a privilege escalation bug, which was patched by Microsoft on November 12, 2024. RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is known for both opportunistic cybercrime campaigns and targeted espionage operations. The group can execute commands and download additional malicious modules to the victim’s machine via their backdoor.
The compromise chain involves a fake website leading victims to a server hosting the exploit. Upon visiting with a vulnerable browser, shellcode is executed, leading to the installation of the RomCom backdoor.
RomCom’s exploitation tactics detailed
The attack uses JavaScript redirection to mask itself, minimizing suspicion by redirecting victims back to legitimate sites once exploitation has taken place. From October 10 to October 16, 2024, shortly after the first vulnerability was patched, other C&C servers hosting the exploit were discovered. These servers used deceptive domain prefixes or suffixes to pose as legitimate sites.
Victims were redirected to legitimate websites post-exploit, avoiding immediate detection. The forensic investigation revealed specific files designed to exploit the vulnerabilities in Firefox’s animation timelines. These files were hosted on servers controlled by RomCom and aimed at achieving code execution within a content process of Firefox.
Relevant files include main-128.js for Firefox versions from 128 onwards, main-129.js for versions after 129, and main-tor.js for the Tor Browser. The JavaScript exploit first checks the browser's version, ensuring it targets only affected versions by verifying the object offsets and sizes it relies on. It then injects HTML into the exploit page.
This injected HTML triggers the use-after-free vulnerability when specific operations are performed on four initialized HTML elements.

The researchers' discovery and analysis of these vulnerabilities underscore the importance of timely security updates and patches. Mozilla's and Microsoft's rapid responses in patching these critical flaws likely limited the extent of exploitation.
These findings illustrate persistent and evolving threats targeting both end-users and organizations. Continuous monitoring, prompt vulnerability reporting, and effective patch management are crucial in defending against such sophisticated cyber threats.