A state-aligned hacking group known as RomCom has exploited critical zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows, targeting users across Europe and North America. This sophisticated campaign combined the two security flaws, allowing attackers to deploy malware without any user interaction.
The Firefox vulnerability (CVE-2024-9680) involved a use-after-free bug in the animation timeline, enabling attackers to execute code within the browser’s sandbox. Mozilla patched the flaw on October 9 after its discovery by cybersecurity firm ESET. Meanwhile, the Windows flaw (CVE-2024-49039) allowed privilege escalation, enabling malware to break out of the browser’s containment. Microsoft addressed this issue on November 12.
By chaining these vulnerabilities, attackers executed a zero-click exploit to install the RomCom backdoor, which can run commands and download additional malware. The campaign reflects RomCom’s growing sophistication and underscores the urgency of applying security updates to mitigate such threats.
Sources:
Security Info Watch
TechCrunch