Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Russian Cyber Threat Actors Unleash Chaos: RomCom Group Exploits Firefox and Tor Browser Zero-Days




A Russia-based cybercrime group known as RomCom has exploited zero-day vulnerabilities in Firefox and Tor Browser in attacks against targets in Europe and North America. The group's exploits left users of unpatched browsers exposed to compromise without any click or download on their part, underscoring the need for prompt patching and vigilance in the face of emerging threats.

  • RomCom is a Russia-based cybercrime group, also tracked as UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180 and UNC2596, whose attacks have put users across Europe and North America in the crosshairs.
  • The group chained two vulnerabilities to compromise systems with no user interaction beyond loading a web page.
  • Two critical vulnerabilities were exploited: CVE-2024-9680, a use-after-free in Firefox that also affects Tor Browser, and CVE-2024-49039, a privilege-escalation flaw in Windows Task Scheduler used to escape the browser sandbox.
  • RomCom staged the exploit on attacker-controlled servers whose domain names carried recurring prefixes or suffixes such as "redir" or "red", and sent victims on to legitimate websites after infection.
  • ESET observed the exploitation between October 10 and 16, 2024; Mozilla had shipped a fix on October 9 and Microsoft patched the Task Scheduler flaw in November 2024.
  • Experts warn of an ever-evolving threat landscape and the necessity for vigilance on the part of users.



  • The threat landscape is replete with malicious actors who continually adapt and innovate their tactics to evade detection. In recent times a Russia-based cybercrime group known as RomCom has garnered attention for attacks that have put users across Europe and North America in the crosshairs. The group, also tracked as UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180 and UNC2596, runs both financially motivated and espionage operations, and has demonstrated a proficiency for leveraging zero-day vulnerabilities, in this case a flaw in Firefox that also affects Tor Browser, which is built on Firefox ESR.

    At the heart of this operation lies the exploitation of two critical vulnerabilities. The first, CVE-2024-9680, is a use-after-free in Firefox's animation timeline code (the timelines that drive CSS and Web Animations), reported to Mozilla by ESET. A crafted web page can trigger the bug and achieve code execution in the browser's content process; no click or download is required. Mozilla fixed it on October 9, 2024 in Firefox 131.0.2 and Firefox ESR 128.3.1 and 115.16.1, the fix reached Tor Browser in version 13.5.7, and Thunderbird received corresponding updates. Because the content process is sandboxed, this bug alone does not give the attacker control of the host, which is why a second vulnerability is needed.
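    The practical check for this vulnerability is whether the installed build predates the fix on its own branch, and ESR builds are easy to misjudge if compared against the release line. The script below is an added example, not code from the article, ESET or Mozilla: it compares Firefox-family version strings against the fixed versions named above (Firefox 131.0.2, ESR 128.3.1 and 115.16.1, Tor Browser 13.5.7) and triages a constructed inventory export. The inventory rows, host names and the `triage` helper are assumptions for the demonstration; Thunderbird is not covered.

```python
"""Check installed Firefox-family versions against the CVE-2024-9680 fix.

Added example, not code from the article, ESET or Mozilla. Fixed versions
come from Mozilla's advisory for the bug (Firefox 131.0.2, Firefox ESR
128.3.1 and 115.16.1) and from Tor Browser 13.5.7; Thunderbird is not
covered. The inventory rows are constructed sample data.
"""
import re

# Fix version per branch, keyed on the major version so an ESR 128 build is
# compared with 128.3.1 rather than with the 131.x release line.
FIREFOX_FIXED = {
    115: (115, 16, 1),  # Firefox ESR 115
    128: (128, 3, 1),   # Firefox ESR 128
    131: (131, 0, 2),   # Firefox release
}
TOR_BROWSER_FIXED = (13, 5, 7)

# Accepts "131.0.2", "128.3.0esr", "13.5.7", "14.0a7"; the suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(text: str) -> tuple:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, _suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def firefox_vulnerable(version: str) -> bool:
    """True if this Firefox / Firefox ESR build predates the fix on its branch."""
    v = parse_version(version)
    major = v[0]
    if major in FIREFOX_FIXED:
        return v < FIREFOX_FIXED[major]
    if major > 131:
        return False  # 132 and later shipped after the fix
    # Any other branch (e.g. 130.x, or an end-of-life 12x release) never
    # received the patch, so it is treated as vulnerable.
    return True


def tor_browser_vulnerable(version: str) -> bool:
    """True for Tor Browser builds older than 13.5.7."""
    return parse_version(version) < TOR_BROWSER_FIXED


def triage(inventory: list) -> list:
    """Return the hosts from an inventory export that still need the fix."""
    needs_patch = []
    for row in inventory:
        check = (tor_browser_vulnerable if row["product"] == "Tor Browser"
                 else firefox_vulnerable)
        if check(row["version"]):
            needs_patch.append(row["host"])
    return needs_patch


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "Firefox", "version": "131.0.2"},
    {"host": "ws-02", "product": "Firefox", "version": "131.0.1"},
    {"host": "ws-03", "product": "Firefox ESR", "version": "128.3.0esr"},
    {"host": "ws-04", "product": "Firefox ESR", "version": "115.16.1esr"},
    {"host": "ws-05", "product": "Firefox", "version": "130.0"},
    {"host": "ws-06", "product": "Tor Browser", "version": "13.5.6"},
    {"host": "ws-07", "product": "Tor Browser", "version": "14.0"},
]

if __name__ == "__main__":
    print("needs patch:", ", ".join(triage(SAMPLE_INVENTORY)))
```

    Run against the constructed inventory it reports ws-02, ws-03, ws-05 and ws-06. Note the deliberate choice to treat any release branch other than 131.x (for example 130.0) as vulnerable: those builds never received the patch, so an upgrade is the only fix.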

    The second vulnerability, CVE-2024-49039, is a privilege-escalation flaw in the Windows Task Scheduler that allows an escape from the AppContainer sandbox: code running in a low-privileged, sandboxed process can run at Medium integrity, the level of an ordinary logged-in user, which is enough to drop and run a persistent implant. Microsoft patched it in its November 2024 Patch Tuesday release, and CISA has added it to the Known Exploited Vulnerabilities catalog.

    RomCom chained these two vulnerabilities to compromise victims with no interaction beyond loading a web page. The victim is lured to an attacker-controlled site, which redirects the browser to a server hosting the exploit. The Firefox bug runs shellcode inside the sandboxed content process, the Task Scheduler bug then breaks out of the sandbox, and the resulting Medium-integrity code downloads and executes the RomCom backdoor. Browsers updated to the fixed versions are not affected by the first stage, and without it the sandbox escape cannot be reached from the web.

    According to ESET, the attackers staged the exploit on servers whose domain names carried recurring prefixes or suffixes such as "redir" or "red". These fake sites targeted unpatched browsers and delivered the payload with no user interaction; after exploitation, victims were redirected to legitimate websites so that nothing looked amiss. ESET observed the activity between October 10 and 16, 2024.

    The RomCom campaign is a reminder that a fully patched browser is the first line of defence against this class of attack: the first stage only worked against Firefox and Tor Browser builds that had not received the October 9 fix, and the sandbox escape was closed by the November 2024 Windows update. Users and administrators should confirm the installed versions of Firefox, Firefox ESR, Tor Browser and Thunderbird, apply the November 2024 Windows updates, and remain abreast of emerging threats.




    Related Information:

  • https://securityaffairs.com/171443/apt/russia-romcom-group-firefox-tor-browser-zero-day.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-9680

  • https://www.cvedetails.com/cve/CVE-2024-9680/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-49039

  • https://www.cvedetails.com/cve/CVE-2024-49039/

  • https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/

  • https://www.infosecurity-magazine.com/news/romcom-apt-zeroday-flaws-firefox/

  • https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

  • https://industrialcyber.co/news/microsoft-reveals-storm-0978-hackers-target-defense-and-government-entities-in-europe-north-america/

  • https://socprime.com/blog/uac-0180-targets-defense-contractors-in-ukraine-using-glueegg-dropclue-and-atera/

  • https://cip.gov.ua/ua/news/kiberzlochinci-vikoristovuyut-tematiku-zakupivel-bpla-dlya-atak-na-oboronni-pidpriyemstva

  • https://cloud.google.com/blog/topics/threat-intelligence/unc2596-cuba-ransomware/


  • Published: Wed Nov 27 06:53:13 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.
