
Unmasking CVE-2024-9680: The Zero-Day Exploited by RomCom


In October 2024, a critical vulnerability known as CVE-2024-9680 made headlines in the cybersecurity world. This zero-day flaw, found in Mozilla Firefox, Thunderbird, and Tor Browser, was swiftly exploited by a sophisticated threat actor group, RomCom, known for its cyber-espionage and ransomware campaigns.


But what exactly happened, and how does this affect the everyday internet user? Let’s break it down.



What is CVE-2024-9680?


This vulnerability was a use-after-free bug in the Firefox browser’s animation timeline feature. Essentially, it allowed attackers to execute arbitrary code remotely without any user interaction. Imagine clicking a link or even visiting a seemingly safe website, only to unknowingly have your system compromised.


"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom's backdoor on the victim's computer," ESET said in a report.


Mozilla responded quickly, patching the flaw just 25 hours after it was reported—a commendable effort to protect users.



The Role of RomCom


RomCom, also known as Storm-0978, is a Russia-aligned cybercrime and espionage group. These attacks are notable for the deployment of RomCom RAT, an actively maintained malware that's capable of executing commands and downloading additional modules to the victims' machines. In this case, they combined CVE-2024-9680 with another vulnerability in the Windows Task Scheduler (CVE-2024-49039) to create a devastating attack chain. Here’s how it worked:

  1. Exploitation Chain: Victims visited malicious websites like economistjournal[.]cloud, unknowingly triggering the Firefox vulnerability.

  2. Privilege Escalation: Once the attack bypassed Firefox’s security sandbox, it exploited the Windows flaw to gain administrative privileges.

  3. RomCom RAT Deployment: The group then deployed its signature malware, the RomCom Remote Access Trojan (RAT), enabling full control over the infected system.


The RAT allowed RomCom to:

  • Execute commands on the victim’s machine.

  • Download additional malicious payloads.

  • Maintain stealthy, persistent access for spying or ransomware delivery.


It is currently not known how links to the fake website were distributed, but the exploit is triggered as soon as the site is visited from a vulnerable version of the Firefox browser.



Real-Life Scenarios


This attack was used against organizations in Europe and North America. For example:

  • Fake Websites: RomCom created convincing clones of legitimate domains, like those of NGOs and tech companies, to lure victims.

  • Stealth Operations: Reflective DLL injection techniques helped the malware evade traditional antivirus solutions.

  • Data Theft: Once inside, attackers could steal sensitive data, spy on communications, or plant ransomware.
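The domains called out above, the exploit-delivery site in the exploitation chain and the cloned NGO and tech-company domains, are exactly what network monitoring can key on. The following Python script is an added example, not code from the original post or from ESET's report: it scans constructed proxy-log lines for the indicator the article names and for look-alike domains that impersonate a hypothetical list of protected domains. The log format, the protected-domain list, the homoglyph table and the 0.8 similarity threshold are all assumptions for illustration.

```python
"""Added example (not from the original post): flag the RomCom delivery domain
named in the article and look-alike domains in constructed proxy-log lines."""
import re
from difflib import SequenceMatcher

# Indicator from the article, kept in its defanged form and refanged for matching.
KNOWN_BAD_DOMAINS = {"economistjournal[.]cloud".replace("[.]", ".")}

# Hypothetical legitimate domains an organisation wants to protect from cloning
# (assumption for illustration; substitute real brand and partner domains).
PROTECTED_DOMAINS = ["economist.com", "example-ngo.org", "example-tech.com"]

# Constructed log format: "<timestamp> <client-ip> <host> <http-status>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})$")

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
2024-10-08T09:12:01Z 10.0.0.21 www.economist.com 200
2024-10-08T09:12:44Z 10.0.0.21 economistjournal.cloud 200
2024-10-08T09:13:02Z 10.0.0.33 econ0mist.com 200
2024-10-08T09:14:10Z 10.0.0.33 updates.example-tech.com 304
2024-10-08T09:15:55Z 10.0.0.47 exampletech-login.net 200
"""

# Assumed homoglyph/noise table: digits that mimic letters, hyphens dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})
SIMILARITY_THRESHOLD = 0.8  # assumed tuning value


def second_level_label(host):
    """Label left of the TLD, e.g. 'economist' for www.economist.com.
    Simplification: single-label TLDs only (no co.uk-style suffix handling)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Collapse common look-alike tricks before comparing labels."""
    return label.lower().translate(HOMOGLYPHS)


def is_genuine(host, legit):
    """True when host is the protected domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def lookalike_of(host):
    """Return the protected domain this host imitates, or None."""
    if any(is_genuine(host, d) for d in PROTECTED_DOMAINS):
        return None
    cand = normalize(second_level_label(host))
    for legit in PROTECTED_DOMAINS:
        brand = normalize(second_level_label(legit))
        # Brand embedded in the label (economistjournal) or near-identical spelling (economsit).
        if brand in cand or SequenceMatcher(None, cand, brand).ratio() >= SIMILARITY_THRESHOLD:
            return legit
    return None


def classify(host):
    """'known-ioc' for the published indicator, 'lookalike' for clones, else None."""
    h = host.lower().rstrip(".")
    if h in KNOWN_BAD_DOMAINS or any(h.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        return "known-ioc"
    if lookalike_of(h):
        return "lookalike"
    return None


def scan_log(text):
    """Parse each log line and return one alert dict per suspicious host."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        verdict = classify(m["host"])
        if verdict:
            alerts.append({
                "ts": m["ts"],
                "client": m["client"],
                "host": m["host"].lower(),
                "verdict": verdict,
                "impersonates": lookalike_of(m["host"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} -> {alert['host']} "
              f"[{alert['verdict']}] impersonates={alert['impersonates']}")
```

Exact-match on a published indicator catches only the one site the report named; the look-alike check is what gives coverage for the next clone RomCom registers, at the cost of occasional false positives, which is why alerts carry the client address and timestamp so an analyst can triage rather than block blindly.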



How Does This Still Affect Us Today?


Even though the vulnerabilities were patched, RomCom’s methods highlight broader risks:

  • Sophisticated Zero-Day Exploits: Vulnerabilities are discovered and weaponized faster than ever, leaving a narrow window for users to patch.

  • Persistent Threats: Even after a fix is released, systems remain vulnerable if the update isn’t applied or if new exploits emerge.



How Can You Protect Yourself?


  1. Stay Updated: Always keep your software, browsers, and operating systems updated. Patches are your first line of defense.

  2. Verify Websites: Double-check URLs and avoid clicking on suspicious links, especially from unsolicited emails.

  3. Use Security Tools: Enable browser sandboxing, install reputable antivirus software, and monitor network activity for anomalies.

  4. Educate Yourself: Awareness of tactics like phishing and fake websites can reduce your risk significantly.


For organizations, proactive threat hunting and zero-trust architecture are critical in mitigating such attacks.



Final Thoughts


The story of CVE-2024-9680 is a stark reminder of the evolving cybersecurity landscape. Threat actors like RomCom are relentless, but by staying informed and vigilant, both individuals and organizations can minimize the risk of falling victim to such sophisticated attacks.

Stay safe, stay updated, and keep learning—cybersecurity is a shared responsibility.


