Full Report
Russia-backed hackers, known as RomCom, have exploited critical zero-day vulnerabilities in Mozilla Firefox and Windows to launch targeted attacks
Analysis Summary
# Threat Actor: RomCom APT Group (Storm-0978, Tropical Scorpius, UNC2596)
## Attribution & Identity
Russia-aligned Advanced Persistent Threat (APT) group.
## Activity Summary
The group was observed exploiting zero-day and zero-click vulnerabilities discovered in October 2024 in Mozilla products (Firefox, Thunderbird, Tor Browser) and Windows. Successful exploitation leads to the remote execution of arbitrary code and the deployment of the RomCom backdoor. The activity spanned from October 10, 2024, to November 4, 2024.
## Tactics, Techniques & Procedures
- **Exploitation of Zero-Days:** Leveraged CVE-2024-9680 (Firefox use-after-free) and CVE-2024-49039 (Windows privilege escalation).
- **Zero-Click Attack Chain:** A fake website redirects the victim's browser to a server hosting the exploit. If the browser exploit succeeds, shellcode runs without any further user interaction (zero-click).
- **Chaining Vulnerabilities:** Used the two zero-day vulnerabilities sequentially to achieve code execution outside the Firefox sandbox in the context of the logged-in user.
- **Payload Delivery:** Executes shellcode which downloads and runs the RomCom backdoor.
- [MITRE ATT&CK IDs are not explicitly provided in the text, but related techniques involve T1204.002 (User Execution: Malicious File) if the redirection required any implicit interaction, and T1059 (Command and Scripting Interpreter) for shellcode execution.]
## Targeting
- Sectors: Not explicitly named, but the software targeted (browsers, email clients) suggests a focus on individuals or organizations using those platforms.
- Geography: Primarily Europe and North America.
- Victims: Potential victims in Europe and North America who visited the websites hosting the exploit; specific organizations are not mentioned.
## Tools & Infrastructure
- Malware families used: RomCom backdoor (capable of executing commands and downloading additional modules).
- Infrastructure (C2, domains, IPs): Mentioned using a "fake website" and a "server hosting the exploit." Specific URLs or IPs are not provided.
## Implications
The use of chained zero-click exploits demonstrates a high level of technical capability and significant investment by the group. It enables stealthy, high-impact compromises that require no user interaction, marking RomCom as a highly capable threat actor.
## Mitigations
- **Patch Management:** Immediately update Mozilla Firefox, Thunderbird, and Tor Browser to resolve CVE-2024-9680, and ensure Windows systems are patched against CVE-2024-49039.
- **Endpoint Detection and Response (EDR):** Deploy advanced monitoring capable of detecting attempts to execute shellcode or unexpected process behavior following browser activity.
- **Browser Security Configuration:** Review the security settings of the affected browsers (Firefox, Thunderbird, Tor Browser).
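As an added example (not code from the report or from any EDR product), the following Python sketch applies the EDR mitigation above to constructed process-creation records: it flags a Mozilla browser or mail client spawning a child outside an assumed allowlist, and a child running at a higher Windows integrity level than its parent, which is the shape a browser sandbox escape followed by privilege escalation leaves in telemetry. The record format, the child allowlist and the sample lines are all assumptions made for the example.

```python
from dataclasses import dataclass

# Windows integrity levels ranked so a child running above its parent can be detected.
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
# Mozilla parents named on the page; the child allowlist is an assumption to tune per fleet.
BROWSER_PARENTS = {"firefox.exe", "thunderbird.exe", "tor.exe"}
EXPECTED_CHILDREN = BROWSER_PARENTS | {"plugin-container.exe", "crashreporter.exe", "updater.exe"}

@dataclass
class ProcEvent:
    parent_image: str
    parent_integrity: str
    image: str
    integrity: str

def basename(path: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    f = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(f["ParentImage"], f["ParentIntegrity"], f["Image"], f["IntegrityLevel"])

def classify(ev: ProcEvent) -> list:
    """Return finding labels for a browser-spawned process; [] when nothing is suspicious."""
    if basename(ev.parent_image) not in BROWSER_PARENTS:
        return []
    findings = []
    if basename(ev.image) not in EXPECTED_CHILDREN:
        findings.append("unexpected_child_of_browser")
    if INTEGRITY_RANK.get(ev.integrity, 0) > INTEGRITY_RANK.get(ev.parent_integrity, 0):
        findings.append("integrity_elevated_over_parent")
    return findings

def scan(lines: list) -> list:
    """Return (child image, findings) for every record that raises at least one finding."""
    events = [parse_event(line) for line in lines]
    return [(basename(ev.image), classify(ev)) for ev in events if classify(ev)]

# Constructed sample telemetry (not from a real incident): benign helper spawn, a normal
# browser launch, an unexpected child, and an unexpected child that also gained integrity.
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ParentIntegrity=Medium|Image=C:\\Program Files\\Mozilla Firefox\\plugin-container.exe|IntegrityLevel=Low",
    "ParentImage=C:\\Windows\\explorer.exe|ParentIntegrity=Medium|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|IntegrityLevel=Medium",
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ParentIntegrity=Medium|Image=C:\\Windows\\System32\\rundll32.exe|IntegrityLevel=Medium",
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ParentIntegrity=Medium|Image=C:\\Windows\\System32\\cmd.exe|IntegrityLevel=High",
]
```

Running `scan(SAMPLE_LOG)` reports only the last two records; the integrity comparison is the signal that distinguishes a sandbox escape from a plain post-exploitation spawn.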