Russian threat operation RomCom, also known as Tropical Scorpius, Storm-0978, and UNC2596, has exploited a Firefox animation timeline use-after-free vulnerability, tracked as CVE-2024-9680, and a Windows Task Scheduler privilege escalation bug, tracked as CVE-2024-49039, both of which are zero-days, in intrusions against targets in North America and Europe as part of a sweeping attack campaign, BleepingComputer reports.
RomCom leveraged a fake website to redirect targets to an exploit-hosting server, which then facilitated the deployment and execution of the RomCom backdoor that could enable further payload compromise, according to an analysis from ESET. "Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor's will and means to obtain or develop stealthy capabilities," said ESET. Such a development comes after last year's NATO Summit attendees were targeted by RomCom in attacks involving the exploitation of a Windows and Microsoft Office vulnerability.