CyberSecurity updates
2024-12-26 06:12:18 Pacific

RomCom Zero-Day Exploits in Mozilla and Windows - 28d
Read more: malware.news

The RomCom cyber threat group has been chaining two zero-day vulnerabilities, CVE-2024-9680 in Mozilla Firefox and CVE-2024-49039 in Windows, to deploy a backdoor that grants complete control of the compromised system. The chain needed no user interaction beyond loading a malicious web page (a zero-click exploit): no download, prompt, or click was required. The campaign primarily targeted users in Europe and North America, with as many as 250 potential victims observed in a single country between October 10 and November 4, 2024.

CVE-2024-9680 is a critical use-after-free in Firefox's animation timeline code that allows arbitrary code execution inside the browser's sandboxed content process. Because the flaw is in the shared engine, it also affects Thunderbird and the Tor Browser, not just Firefox. The second vulnerability, CVE-2024-49039, is an elevation-of-privilege flaw in the Windows Task Scheduler service; code already running inside Firefox's sandbox can use it to escape the sandbox and run at a higher integrity level on the host. Chained together, the two gave RomCom code execution outside the browser without any user action. Note that each patch breaks a different link: a patched Firefox stops the web page from gaining code execution at all, while a patched Windows only confines an attacker who has already exploited the browser to the sandbox.

RomCom used fake websites to redirect victims to an exploit-hosting server, which delivered the exploit chain and installed the backdoor. The backdoor gave attackers complete control over compromised systems, enabling further malicious activity. Chaining two unrelated zero-days, one in the browser and one in the operating system, reflects the advanced capabilities and determination of the RomCom threat group. Mozilla fixed CVE-2024-9680 on October 9, 2024, in Firefox 131.0.2, Firefox ESR 128.3.1 and 115.16.1, and the corresponding Thunderbird releases (131.0.1, 128.3.1 and 115.16.0); Microsoft fixed CVE-2024-49039 in its November 2024 Patch Tuesday update. Users and administrators should confirm both updates are applied, since a system with only one of them remains exposed to half of the chain.
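The practical follow-up to a digest entry like this is an inventory check: which Firefox and Thunderbird builds in the fleet are still below the fixed version for CVE-2024-9680? The following Python is an added example, not code from the malware.news digest, ESET, or Mozilla. The fixed versions are those published in Mozilla's advisory for CVE-2024-9680; the version-branch logic (comparing an ESR 115 build against the ESR 115 fix rather than against mainline 131) and the inventory lines are constructed for illustration. Tor Browser uses its own version numbering and is deliberately left out of the table.

```python
"""Flag Mozilla builds still exposed to CVE-2024-9680 (added example).

Fixed versions come from Mozilla's advisory for CVE-2024-9680:
  Firefox 131.0.2, Firefox ESR 128.3.1 / 115.16.1,
  Thunderbird 131.0.1 / 128.3.1 / 115.16.0.
The branch-matching logic and the sample inventory below are assumptions
made for this example, not part of the original article.
"""
from __future__ import annotations

import re

# Minimum fixed version per product, keyed by release branch (major number).
# Keying by major ensures an ESR 115 build is measured against the ESR 115
# fix instead of being wrongly flagged as older than mainline 131.
FIXED: dict[str, dict[int, tuple[int, ...]]] = {
    "firefox": {131: (131, 0, 2), 128: (128, 3, 1), 115: (115, 16, 1)},
    "thunderbird": {131: (131, 0, 1), 128: (128, 3, 1), 115: (115, 16, 0)},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a Mozilla version string such as '128.3.1esr' into an int tuple.

    Only the leading digits of each dot-separated piece are kept, so the
    'esr' suffix is dropped. Anything without a numeric prefix is rejected.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(product: str, version_text: str) -> bool:
    """Return True if this build predates the CVE-2024-9680 fix for its branch."""
    branches = FIXED[product.lower()]
    version = parse_version(version_text)
    major = version[0]
    if major in branches:
        # Tuple comparison handles short strings: (131, 0) < (131, 0, 2).
        return version < branches[major]
    if major > max(branches):
        # Releases newer than the newest fixed branch shipped after the fix.
        return False
    # Any other major (e.g. 129/130 mainline, or anything below 115) is an
    # unsupported branch that never received a fix: treat it as exposed.
    return True


# Constructed sample inventory: host,product,version (not real telemetry).
SAMPLE_INVENTORY = """\
ws-101,firefox,131.0.1
ws-102,firefox,131.0.2
ws-103,firefox,128.3.0esr
ws-104,thunderbird,115.16.0
ws-105,thunderbird,128.2.0esr
srv-01,firefox,115.16.1esr
"""


def triage(inventory: str) -> list[tuple[str, str, str]]:
    """Return (host, product, version) rows that still need the update."""
    exposed: list[tuple[str, str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        if is_vulnerable(product, version):
            exposed.append((host, product, version))
    return exposed


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the CVE-2024-9680 fix")
```

Run against a real export (one `host,product,version` line per install) to get the list of machines that need the Mozilla update; the Windows side of the chain is checked separately through the normal Patch Tuesday compliance report, since CVE-2024-49039 is fixed by the OS update, not by any browser version.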