Tenable Comment: RomCom Zero-Day Exploit Chain
Posted: Wednesday, Nov 27

The Russia-aligned threat actor known as RomCom has leveraged two zero-day vulnerabilities, one in Mozilla Firefox and the other in Microsoft Windows. A successful attack can deliver the RomCom backdoor to anyone who visits a compromised website, without requiring any clicks.

Please find below a comment from Satnam Narang, sr. staff research engineer at Tenable.

“The RomCom (also known as Storm-0978) group’s recent use of an exploit chain that included a Firefox zero-day (CVE-2024-9680) and a Microsoft Windows privilege escalation zero-day (CVE-2024-49039) shows the sheer determination of threat actors, while simultaneously highlighting how difficult it has become for threat actors to breach browser defenses. With the adoption of sandbox technology in modern browsers, threat actors need to do more than just exploit a browser vulnerability alone. By combining a browser-based exploit along with a privilege escalation flaw, the RomCom threat actor was able to bypass the Firefox sandbox. Interestingly enough, while this exploit chain was discovered by researchers at ESET, researchers at Google’s Threat Analysis Group were also credited with discovering the Windows privilege escalation zero-day, though it is unclear if they observed it as part of a separate exploit chain involving Google Chrome versus Mozilla Firefox.” — Satnam Narang, sr. staff research engineer at Tenable