| Category | Details |
|---|---|
| Vulnerability Identified | CVE-2024-9680: A use-after-free bug in the animation timeline feature in Firefox, Thunderbird, and Tor Browser. |
| Exploited by | RomCom (Russia-aligned threat group) |
| Impact | Allows arbitrary code execution in the context of the browser; chained with CVE-2024-49039 (Windows privilege escalation) for full execution outside the browser’s sandbox. |
| Target Products | Firefox, Thunderbird, Tor Browser |
| CVSS Score | CVE-2024-9680: 9.8 (Critical); CVE-2024-49039: 8.8 (High) |
| Exploitation Timeline | October 8, 2024: vulnerability discovered; October 9, 2024: Mozilla patches the vulnerability; November 12, 2024: Microsoft patches CVE-2024-49039 |
| RomCom Backdoor | Shellcode executed to deliver RomCom backdoor; capable of executing commands and downloading modules |
| Compromise Chain | Fake websites redirect victims to exploit servers; exploitation succeeds with no user interaction |
| C&C Servers | Use recurring naming schemes for fake domains; redirect victims to legitimate websites to avoid suspicion |
| Geographic Distribution | Mostly Europe and North America (from October 10–November 4, 2024) |
| Files Related to the Exploit | main-128.js, main-129.js (Firefox exploit); main-tor.js (Tor Browser exploit); index.html (exploit trigger and redirect) |
| RomCom Targets (2024) | Espionage: Ukraine government, defense, energy; Cybercrime: US pharma, legal sector, insurance |
| Mozilla & Tor Project Response | Prompt patch releases by Mozilla (October 9, 2024) and the Tor Project (Tor Browser 13.5.7); Thunderbird updated (October 10, 2024) |
| Vulnerabilities Patched | Firefox 131.0.2, ESR 115.16.1, 128.3.1; Tor Browser 13.5.7, Tails 6.8.1; Thunderbird 115.16, 128.3.1, 131.0.1 |
| Source | WeLiveSecurity |
Read full article: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
Disclaimer: The above summary has been generated by an AI language model