Full Report
ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit
Analysis Summary
# Vulnerability: Chained Zero-Day Exploits in Mozilla Firefox/Thunderbird and Windows Leading to RomCom Backdoor Installation
## CVE Details
- CVE ID: CVE-2024-9680 (Mozilla Vulnerability) and CVE-2024-49039 (Windows Vulnerability)
- CVSS Score: 9.8 (Critical) for CVE-2024-9680; 8.8 (High) for CVE-2024-49039
- CWE: Use-After-Free (Inferred for CVE-2024-9680)
## Affected Systems
- Products:
  - Mozilla Firefox (vulnerable versions prior to the patch)
  - Mozilla Thunderbird (vulnerable versions prior to the patch)
  - Tor Browser (vulnerable versions prior to the patch)
  - Windows OS (vulnerable versions prior to the Microsoft patch)
- Versions: Specific vulnerable versions are not listed here; consult the vendor advisories. Affected builds are those released before the respective patch dates (Oct 9, 2024, for Mozilla; Nov 12, 2024, for Microsoft).
- Configurations: Any configuration running the vulnerable versions of the affected browsers. The chain requires the second vulnerability to escape the browser sandbox once the first has achieved code execution in the content process.
## Vulnerability Description
This vulnerability involves a two-stage exploitation chain executed via a malicious website when accessed by a vulnerable browser:
1. **CVE-2024-9680 (Zero-Day in Mozilla):** A use-after-free bug in the animation timeline feature of Firefox/Thunderbird. Successful exploitation allows arbitrary code execution within the restricted context of the browser's content process.
2. **CVE-2024-49039 (Zero-Day in Windows):** A privilege escalation bug in Windows that, when chained with the content-process code execution from CVE-2024-9680, allows an attacker to execute arbitrary code in the context of the logged-in user, bypassing the browser sandbox entirely.
No user interaction is required beyond the victim navigating to the exploit-hosting webpage.
## Exploitation
- Status: Exploited in the wild by the Russia-aligned group RomCom (Storm-0978).
- Complexity: Low (the initial trigger is simply visiting the page; the exploit chain then executes without further interaction).
- Attack Vector: Network (Visiting a malicious webpage).
## Impact
- Confidentiality: High (RomCom backdoor collects data including cookies, history, passwords, and files).
- Integrity: High (Arbitrary code execution and installation of persistent backdoor; data manipulation).
- Availability: Medium to High (system compromise and potential disruption caused by the malware payload).
## Remediation
### Patches
- **CVE-2024-9680 (Mozilla):** Patched by Mozilla on October 9th, 2024. Users must update Firefox, Thunderbird, and Tor Browser to versions released on or after this date.
- **CVE-2024-49039 (Windows):** Patched by Microsoft on November 12th, 2024. Users must apply the relevant security updates for Windows.
### Workarounds
- Organizations should block access to known malicious redirect servers hosting the exploit (though adversaries have been seen rapidly rotating these domains).
- Where network telemetry supports behavioral anomaly detection, restrict network access for browsers that show signs of compromise.
- Use endpoint security solutions capable of detecting in-memory shellcode execution or sandbox violations.
## Detection
- **Indicators of Compromise (IOCs):** The primary payload is the RomCom backdoor, which exhibits the following behaviors:
  - Establishes command-and-control (C&C) communication over HTTP/HTTPS.
  - Encrypts C&C traffic using SSL certificates.
  - Performs extensive reconnaissance (user, system, and software discovery).
  - Searches for specific file types (.msg, .eml, .email, etc.) and archives them into ZIP archives.
  - Attempts lateral movement via SSH tunnels.
- **Detection Methods and Tools:** Look for memory manipulation within the browser process (especially pages being marked executable after their contents are retrieved, as seen in the PE loader shellcode). Monitor for unexpected outbound connections on standard web ports initiated by browser processes, especially where the encryption pattern is inconsistent with normal browsing traffic.
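As an added illustration (not code from the ESET report), the behaviors listed above expressed as a small rule set run over constructed endpoint telemetry lines; the `event|process|detail` format, the process names in `BROWSER_PROCS`, and the sample lines are assumptions made for this example, not real sensor output.

```python
from dataclasses import dataclass
from typing import List

# Assumption (hypothetical): process names used to scope the rules to browser/mail-client processes.
BROWSER_PROCS = {"firefox.exe", "thunderbird.exe", "tor.exe"}

# Constructed sample telemetry, not real sensor output. Format: event|process|detail
SAMPLE_EVENTS = [
    "mem_protect|firefox.exe|PAGE_EXECUTE_READWRITE",   # page made executable inside the content process
    "mem_protect|firefox.exe|PAGE_READWRITE",           # ordinary writable heap page, benign
    "net_connect|firefox.exe|203.0.113.5:443",          # normal-looking HTTPS, not flagged by itself
    "net_connect|firefox.exe|10.0.0.7:22",              # browser opening an SSH connection: unusual
    "file_write|firefox.exe|C:\\Users\\u\\AppData\\Local\\Temp\\mail.zip",  # archive written by browser
    "file_write|explorer.exe|C:\\Users\\u\\Desktop\\photos.zip",            # not a browser, ignored
]


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def triage(events: List[str]) -> List[Finding]:
    """Flag browser-process events that match the RomCom behaviors described above."""
    findings: List[Finding] = []
    for line in events:
        try:
            kind, proc, detail = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip rather than crash the triage run
        if proc.lower() not in BROWSER_PROCS:
            continue
        if kind == "mem_protect" and "EXECUTE" in detail:
            # Executable memory being created in a browser process (PE loader / shellcode pattern)
            findings.append(Finding("exec_memory_in_browser", proc, detail))
        elif kind == "net_connect" and detail.rsplit(":", 1)[-1] == "22":
            # Browser processes do not normally speak SSH; matches the SSH-tunnel lateral movement
            findings.append(Finding("browser_ssh_connection", proc, detail))
        elif kind == "file_write" and detail.lower().endswith(".zip"):
            # Browser writing a ZIP archive, consistent with mail-file collection
            findings.append(Finding("browser_zip_archive_write", proc, detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.process} {f.detail}")
```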
## References
- ESET Research Blog Post on RomCom Exploit
- Vendor advisories for CVE-2024-9680 and CVE-2024-49039 (search NVD using the CVE IDs for the official Mozilla/Microsoft pages).