Red Hat Security Advisory 2024-10703-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10703.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10703-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10703  
Issue date:         2024-12-03  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10703-03

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

****SUMMARY****

*   **Targeted Campaign**: SmokeLoader malware attacks Taiwanese industries, including manufacturing, healthcare, and IT.

*   **Phishing Emails**: The campaign uses phishing emails exploiting MS Office vulnerabilities (CVE-2017-0199, CVE-2017-11882).

*   **Credential Theft**: Plugins target browsers, email clients, and FTP software to steal credentials and sensitive data.

*   **Advanced Techniques**: SmokeLoader employs evasion tactics like code obfuscation, anti-debugging, and sandbox evasion.

*   **Preventative Measures**: FortiGuard Labs blocked the malware, offering antivirus signatures and IPS rules for protection.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have discovered a series of new malware attacks targeting companies in Taiwan. The attacks, which have been linked to the **SmokeLoader malware**, have impacted industries ranging from manufacturing and healthcare to IT and beyond.

SmokeLoader, known for its ability to deliver other malicious payloads, is taking a more direct role in this campaign, using its own plugins to execute attacks and steal sensitive data.

According to research by FortiGuard Labs, the attacks began with phishing emails containing malicious attachments, which were designed to exploit vulnerabilities in Microsoft Office. These included **CVE-2017-0199**, enabling malicious documents to automatically download and execute harmful payloads, and **CVE-2017-11882**, exploiting a vulnerability in Microsoft Office’s equation editor for remote code execution.

The emails, as per FortiGuard Labs’ **blog post** shared with Hackread.com heard of this publishing on Monday, written in native Taiwanese, were convincing but contained inconsistencies, such as different font and colour schemes, that suggested the text had been copied from elsewhere.

Once the malicious attachment was opened, the SmokeLoader malware was downloaded and executed, allowing it to communicate with its command and control (C2) server. From there, the malware downloaded various plugins, each designed to target specific applications and extract sensitive information.

The plugins used by SmokeLoader were found to target popular web browsers, email clients, and file transfer protocol (FTP) software, including Internet Explorer, Firefox, Chrome, Opera, Outlook, Thunderbird, and FileZilla. The malware was able to extract login credentials, auto-fill data, and even email addresses from these applications.

One of the plugins, known as Plugin 4, was designed to clear cookies from targeted browsers, forcing victims to re-enter their login credentials. Another plugin, Plugin 8, was used to inject keylogging code into explorer.exe, allowing the malware to capture keyboard inputs and clipboard content.

The SmokeLoader malware was also found to use advanced techniques to evade detection, including code obfuscation, anti-debugging, and sandbox evasion. Its modular design allows it to adapt to different attack scenarios, making it a formidable threat to organizations.

The attack flow and phishing emails used in the attack (Via: Fortinet’s FortiGuard Labs)

FortiGuard Labs has detected and blocked the malware, assigning it a severity level of “High.” The company has also provided protections for its customers, including antivirus signatures and IPS rules to detect and prevent malware.

In a comment to Hackread.com, **Casey Ellis**, Founder and Advisor at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity suggests the use of SmokeLoader aligns with a broader global pattern of cyber actors preparing for future attacks by infiltrating systems in advance.

_“_Given the geo-political environment, Taiwan is no stranger to thinking about Advanced Persistent Threats (APTs) and the use of SmokeLoader does seem to follow suit with the general trend of pre-positioning that we have seen in other parts of the world._“_

****What can you do to protect yourself?****

To avoid falling victim to the SmokeLoader malware, it’s important to stay cautious with emails from unknown or suspicious sources. Don’t click on links or download attachments, especially if they prompt you to enable macros or run files.

If you’re unsure about an email, even from a familiar source, check its content carefully. Scan links, files, and attachments using tools like VirusTotal or your system’s security software to ensure they’re safe.

1.  **Fickle Stealer Exploits Software Flaws, Steals Browser Data**
2.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security**
3.  **Malware Bypasses Microsoft Defender, Steals $24,000 in Crypto**
4.  **SteelFox Malware Posing as Popular Software, Steal Browser Data**
5.  **Facebook Malvertising Attack Spreads Malware via Fake Bitwarden**

SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

Debian Linux Security Advisory 5820-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, spoofing or cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5820-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 27, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, spoofing or cross-site scripting. For the stable distribution (bookworm), these problems have been fixed inversion 128.5.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcXoACgkQEMKTtsN8TjbVxg/+NpPN+XZlnNqjVxWv48TJO30h6qh+Zf7SZ3ToyxKH/nvMEOKNsgbutlednaKDlfJbVa761JBSCVR/CyERS32hC+IGDdn9i5w0BS2IrMsPOnF/eU6OExgUr7rMMkPuKUp9+YGJJwfEDgqHWSGj0jr2S2HcyMAtx2vcINSIhzbIcO7xhxj6P4CGAA8/0l2eOq3YpclgYB23gP69arKDPj++AIv5lLpmg1bHr+aeXde9Am/roaEdvA6tK5PM4ay86TsSsMKjB9bQLjcpH8sHYoCt8VRA4qkCED2KAwQBxQ115imOoeRyJbRjWHpbIt9DEBxxsbYlQTldDhghV4YcsrIhEFaVY5zlDHYegEicxrCVoQJV0cHbpedeCp2otNEuM+crLl1l/CuSEeBkX2F1Ng1CM2/dGJpfuYN63mhO7Zs+UIuecqyLy7ZMe7Ucno2sNJnLPIwcx+zpQwLj/jUDzK89jzW4ZR6BQ5VOI2ex+blMsrYFKWuMoZhXpnlt7qC1/SzlseedwbyAeSXLBcLhMckXfshNsO/B6JmgluOb5i2BBLFlUOpSFwZdDoknaKxjXLF+EUhrV08R63pxKp5HZvsBiirQk1kfbhyReaaWjBn1nIOr5x0IASEGk+s4T80/s+5lJpGkqnzjwTK8bM58i7sN5qJIrJD2gAgtsXxyOYj02S4==Cop0-----END PGP SIGNATURE-----

Debian Security Advisory 5820-1

Red Hat Security Advisory 2024-10704-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10704.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10704-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10704  
Issue date:         2024-12-02  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10704-03

Red Hat Security Advisory 2024-10702-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10702.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:10702-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10702Issue date:         2024-12-02Revision:           03CVE Names:          CVE-2024-11692====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-11692References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2328941https://bugzilla.redhat.com/show_bug.cgi?id=2328943https://bugzilla.redhat.com/show_bug.cgi?id=2328946https://bugzilla.redhat.com/show_bug.cgi?id=2328947https://bugzilla.redhat.com/show_bug.cgi?id=2328948https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10702-03

Red Hat Security Advisory 2024-10667-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10667.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:10667-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:10667  
Issue date:         2024-12-02  
Revision:           03  
CVE Names:          CVE-2024-11159  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: Potential disclosure of plaintext in OpenPGP encrypted message (CVE-2024-11159)

* firefox: thunderbird: CSP Bypass and XSS Exposure via Web Compatibility Shims (CVE-2024-11694)

* firefox: thunderbird: Unhandled Exception in Add-on Signature Verification (CVE-2024-11696)

* firefox: thunderbird: Select list elements could be shown over another site (CVE-2024-11692)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5 (CVE-2024-11699)

* firefox: thunderbird: URL Bar Spoofing via Manipulated Punycode and Whitespace Characters (CVE-2024-11695)

* firefox: thunderbird: Improper Keypress Handling in Executable File Confirmation Dialog (CVE-2024-11697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-11159

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2325896  
https://bugzilla.redhat.com/show_bug.cgi?id=2328941  
https://bugzilla.redhat.com/show_bug.cgi?id=2328943  
https://bugzilla.redhat.com/show_bug.cgi?id=2328946  
https://bugzilla.redhat.com/show_bug.cgi?id=2328947  
https://bugzilla.redhat.com/show_bug.cgi?id=2328948  
https://bugzilla.redhat.com/show_bug.cgi?id=2328950

Red Hat Security Advisory 2024-10667-03

A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.

Source: Kim Kuperkova via Shutterstock

Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Surcuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day.

Sucuri security analyst Weston Henry discovered the attack in the form of a malicious JavaScript injection, which has multiple variants and target sites built on the popular e-commerce platform in two different ways, according to a blog post published on Nov. 26.

One way is by creating a fake credit card form to steal card details, the other is by extracting the data directly from the payment fields. "Its dynamic approach and encryption mechanisms make it challenging to detect," Sucuri security analyst Puja Srivastava explained in the post. The data is then encrypted and exfiltrated to a remote server controlled by the attacker.

Magento-based websites are a frequent target for cybercriminals due to their widespread usage for e-commerce and the valuable customer data they handle, including payment card or bank account details. And card-skimming — typically by a group of cybercriminals collectively known as Magecart — is a popular attack vector to steal such data from these sites.

Related:News Desk 2024: Can GenAI Write Secure Code?

**Cyber Victims Targeted During Shopper Checkout**

Henry discovered the malicious script during a routine inspection of a Magento-based site with Sucuri's SiteCheck. "The tool identified a resource originating from the blacklisted domain dynamicopenfonts.app," explained Sucuri security analyst Puja Srivastava in the post. Eventually, the resource was found in two locations on the site.  

One of the locations where it was found was within the <referenceContainer> directive of the XML file, which is designed to load a JavaScript resource just before the closing <body> tag.

Attackers obfuscated the contents of the external script to avoid detection, "making it challenging to identify at first glance," Srivastava noted.

Once executed, the script activates only on pages containing the word "checkout" but excluding the word "cart" in the URL, with the aim of extracting sensitive credit card information from specific fields on the checkout page.

After it's completed this malicious task, the malware collects additional user data through Magento’s APIs, including the user's name, address, email, phone number, and other billing information. "This data is retrieved via Magento's customer-data and quote models," Srivastava explained.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Magento Malware's Strong Anti-Detection Game**

Attackers behind the malware have taken care to use multiple anti-detection techniques to hide their malicious activity, the researchers found. While the malware is collecting the data, it first encodes it as JSON and then XOR-encrypts it with the key "script" to add an extra layer of obfuscation, the researchers found.

The encrypted data also is Base64-encoded before being sent via a beaconing technique to a remote server at staticfonts.com. Beaconing is a method whereby a script or program sends data silently from the client to a remote server without alerting the user or interrupting their activity.

While legitimate applications such as analysis tools also use beaconing, malicious actors favor the technology because it's a stealthy and hard-to-detect way to transmit stolen data, the researchers noted.

**How to Secure E-Commerce Sites From Cyberattack**

To protect e-commerce sites from stealthy card-skimmers — particularly on busy shopping days like Black Friday, which are a goldmine for cybercriminals — Sucuri recommends administrators conduct regular security audits, monitor unusual activity, and deploy a robust Web application firewall (WAF) to protect sites.

Related:'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

They also should ensure that sites are consistently updated with the latest security patches, as "outdated software is a primary target for attackers who exploit vulnerabilities in old plug-ins and themes," Srivastava wrote.

Administrators also should ensure they use strong, unique passwords on e-commerce sites to bolster security and avoid having them easily cracked by attackers. Finally, implementing file integrity monitoring to detect any unauthorized changes to website files also can serve as an early warning system.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Watch out for the Russian hackers from the infamous RomRom group, also known as Storm-0978, Tropical Scorpius, or UNC2596, and their use of a custom backdoor.

****SUMMARY****

*   **RomCom Exploits Double Zero-Day:** RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

*   **Attack Chain:** Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

*   **Targeted Sectors:** RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

*   **Quick Patches:** Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

*   **Sophisticated Threat:** The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked **RomCom group**, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (**CVE-2024-9680**, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (**CVE-2024-49039**, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed **RomCom’s custom backdoor**, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s **investigation** shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as **Storm-0978, Tropical Scorpius, or UNC2596**, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of **zero-day vulnerabilities**.

1.  **Russian Cyber Offensive Shifts Focus to Ukraine’s Military**
2.  **Russian APT29 Use NSO Group-Style Exploits in Attacks, Google**
3.  **Russian Malware Targets Ukrainian Military Recruits via Telegram**
4.  **Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures**
5.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**

Russian Hackers Exploit Firefox and Windows 0-Days to Deploy Backdoor

The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.
"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user

Tag

#firefox