The Russia-aligned RomCom group has been linked to the exploitation of two zero-day vulnerabilities, chained to deliver a backdoor of the same name to victims' systems.

“For a successful attack, it is enough for the victim to view a web page containing the exploit. The attacker can then execute arbitrary code – without requiring user interaction (zero click) – which in this case led to the installation of the RomCom backdoor on the victim’s computer,” ESET said.

The two vulnerabilities the group chains are:

  • CVE-2024-9680 (CVSS score: 9.8) – a use-after-free in the Animation timelines component of Firefox that allows code execution in the browser when a malicious page is viewed (patched by Mozilla in October 2024).
  • CVE-2024-49039 (CVSS score: 8.8) – a privilege escalation vulnerability in the Windows Task Scheduler, used to escape the Firefox sandbox and run code with higher privileges (patched by Microsoft in November 2024).

RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596 and Void Rabisu, has been running both cybercrime and espionage operations since at least 2022.

It is currently unknown how links to the fake website are distributed, but the exploit fires as soon as the site is visited from a vulnerable version of Firefox; no further interaction is needed.

Phishing as a service: ‘Rockstar 2FA’ targets Microsoft 365 users

Cybersecurity researchers are warning of malicious email campaigns that use a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA to steal Microsoft 365 account credentials.

“This campaign leverages an AitM [adversary-in-the-middle] attack that allows attackers to intercept user login credentials and cookies, meaning that even users with multi-factor authentication (MFA) enabled can be vulnerable,” said Trustwave researchers Diana Solomon and John Kevin Adriano.
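The AitM pattern described in the quote leaves a trace a defender can look for: the victim's sign-in (including the MFA prompt) is relayed through the attacker's proxy, so the session is established from the proxy's IP, and the stolen session cookie is then replayed from the attacker's own host shortly afterwards. The following is an added example, not code from Trustwave or from the original article, of a detection that flags a session id used from more than one source IP within a short window of an MFA-satisfied sign-in. The log lines are constructed for the example and the field names (ts, user, session, ip, event, mfa) are assumptions, not the real Microsoft 365 or Entra ID log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example. They are NOT real Microsoft 365 /
# Entra ID sign-in or audit log lines; the field names are assumptions.
# 198.51.100.7 plays the AitM proxy, 192.0.2.55 the attacker's replay host.
SAMPLE_LOG = """\
{"ts": "2024-11-28T09:00:05Z", "user": "alice@example.com", "session": "S1", "ip": "198.51.100.7", "event": "signin", "mfa": true}
{"ts": "2024-11-28T09:00:40Z", "user": "alice@example.com", "session": "S1", "ip": "198.51.100.7", "event": "mailbox_read"}
{"ts": "2024-11-28T09:27:12Z", "user": "alice@example.com", "session": "S1", "ip": "192.0.2.55", "event": "mailbox_read"}
{"ts": "2024-11-28T09:31:00Z", "user": "alice@example.com", "session": "S1", "ip": "192.0.2.55", "event": "inbox_rule_created"}
{"ts": "2024-11-28T10:15:00Z", "user": "bob@example.com", "session": "S2", "ip": "203.0.113.20", "event": "signin", "mfa": true}
{"ts": "2024-11-28T10:45:00Z", "user": "bob@example.com", "session": "S2", "ip": "203.0.113.20", "event": "mailbox_read"}
{"ts": "2024-11-29T08:00:00Z", "user": "bob@example.com", "session": "S2", "ip": "203.0.113.99", "event": "mailbox_read"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_session_replay(events, window_hours=1.0):
    """Flag sessions whose cookie is used from a second source IP within
    `window_hours` of an MFA-satisfied sign-in.

    In an AitM phish the MFA challenge is passed through the proxy, so MFA
    being satisfied on the sign-in proves nothing; what stands out is the same
    session id appearing from a different IP soon after. Returns a dict
    {session_id: sorted list of IPs seen in the window}.
    """
    window = timedelta(hours=window_hours)
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda r: r["ts"]):
        by_session[e["session"]].append(e)

    flagged = {}
    for sid, recs in by_session.items():
        signins = [r for r in recs if r["event"] == "signin" and r.get("mfa")]
        if not signins:
            continue
        t0 = signins[0]["ts"]
        ips = {r["ip"] for r in recs if r["ts"] - t0 <= window}
        if len(ips) > 1:
            flagged[sid] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for sid, ips in find_session_replay(parse_log(SAMPLE_LOG)).items():
        print(f"possible session replay: {sid} used from {', '.join(ips)}")
```

With the default one-hour window only alice's session S1 is flagged (proxy IP at sign-in, attacker IP half an hour later, followed by an inbox rule being created); bob's S2 is seen from a second IP almost a day later and is only caught if the window is widened, which is the trade-off between catching slow replay and tolerating legitimate roaming. In a real deployment the IP comparison would be done on ASN or geo rather than exact address, and the session identifier would come from the tenant's sign-in logs.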

The phishing tool is advertised through services such as Telegram and Mail.ru. The tool can be purchased as part of a subscription for $200 for two weeks (or $350 for a month), allowing attackers with little technical knowledge to carry out campaigns on a large scale.

Rockstar 2FA’s touted features include bypassing two-factor authentication (2FA), cookie collection, bot protection, generating login pages that mimic popular services, and Telegram bot integration.

The email campaigns uncovered by Trustwave use various vectors such as URLs, QR codes and document attachments that are embedded in messages sent from compromised accounts or spam tools.

Trustwave has also observed the platform abusing legitimate services such as Atlassian Confluence, Google Docs Viewer, Microsoft OneDrive and OneNote to host the fraudulent links.


Zabbix fixes critical SQL injection vulnerability

Zabbix warns users of a new critical vulnerability that could lead to a complete system takeover.

The SQL injection flaw is tracked as CVE-2024-42327 (CVSS v3 score 9.9). It can be exploited from a user account without administrator privileges; the only requirement is API access, which the default User role already provides.
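Why an API reachable by a low-privilege account can end in full takeover is easiest to see on a small model of the vulnerability class. The example below is added here and is not Zabbix's code or a reproduction of CVE-2024-42327's actual code path: it shows an API-style handler that splices a caller-supplied list of output fields into a SELECT, and the hardened version that validates those identifiers against an allowlist. The schema, the data and the session token are constructed for the example.

```python
import sqlite3

# Fields an API caller is allowed to request. Identifiers cannot be passed as
# bound parameters, so the only defence is to validate them against a fixed set.
ALLOWED_OUTPUT_FIELDS = frozenset({"userid", "username", "roleid"})


def make_demo_db():
    """Constructed in-memory schema loosely modelled on a monitoring frontend
    with users, roles and session tokens. Not Zabbix's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, passwd TEXT, roleid INTEGER);
        CREATE TABLE sessions (sessionid TEXT, userid INTEGER);
        INSERT INTO users VALUES (1, 'Admin', '$2y$10$constructed-admin-hash', 3);
        INSERT INTO users VALUES (2, 'guest', '$2y$10$constructed-guest-hash', 1);
        INSERT INTO sessions VALUES ('0123456789abcdef', 1);  -- live admin session
    """)
    return conn


def user_get_vulnerable(conn, caller_userid, output):
    """API handler that splices the caller-supplied 'output' field list straight
    into the SELECT. The WHERE value is bound, but that does not help: the
    attacker controls the column list, which is not a value."""
    sql = f"SELECT {', '.join(output)} FROM users WHERE userid = ?"
    return conn.execute(sql, (caller_userid,)).fetchall()


def is_valid_output(output):
    """True only if every requested field is a known column name."""
    return all(f in ALLOWED_OUTPUT_FIELDS for f in output)


def user_get_hardened(conn, caller_userid, output):
    """Same query, but the identifiers are checked against the allowlist first."""
    if not is_valid_output(output):
        raise ValueError("invalid output field requested")
    sql = f"SELECT {', '.join(output)} FROM users WHERE userid = ?"
    return conn.execute(sql, (caller_userid,)).fetchall()


# A low-privilege caller (userid 2) asks for a "field" that is really a subquery
# returning the administrator's live session token: with that, the caller is admin.
ATTACK_OUTPUT = ["userid", "(SELECT sessionid FROM sessions WHERE userid = 1)"]


if __name__ == "__main__":
    conn = make_demo_db()
    print("vulnerable handler returns:", user_get_vulnerable(conn, 2, ATTACK_OUTPUT))
    print("hardened handler accepts the request:", is_valid_output(ATTACK_OUTPUT))
```

The point the example makes is that the non-admin caller never needs to log in as the administrator: the injected subquery hands back whatever the database holds, here a session token, and parameter binding alone is not a fix when the attacker-controlled part of the request is an identifier rather than a value.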

Zabbix said that three release branches are affected and should be updated to the latest available version:

  • 6.0.0 – 6.0.31
  • 6.4.0 – 6.4.16
  • 7.0.0

Zero-Day vulnerability in Active Directory Certificate Services

Security researchers at TrustedSec have discovered a zero-day privilege escalation vulnerability, tracked as CVE-2024-49019 (CVSS v3 score 7.8), affecting Active Directory Certificate Services (AD CS).

The flaw abuses a feature of version 1 certificate templates and allows an attacker with enrollment rights on such a template to escalate privileges significantly. It was patched in November’s Patch Tuesday, but its implications deserve closer examination.

“An attacker can craft a CSR to contain policies that are preferred over configured Extended Key Usage attributes

The vulnerability was identified during a penetration test. The TrustedSec team subsequently tested it in multiple client environments and found it exploitable in 10 out of 15 of them. Successful exploitation can end in Domain Admin privileges.
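Since the attack needs a version 1 template on which the attacker holds enrollment rights, the first thing to do in one's own forest is to list those templates. The following audit is an added example, not TrustedSec's tooling or Microsoft's guidance: it walks template records shaped like the objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,<Configuration NC> and reports every schema-version-1 template that broad groups can enroll in. It also assumes, as a condition the article does not state, that only templates where the enrollee supplies the subject (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag) are of interest, because that is where the CSR content is taken from the requester. The template records and the 'enroll' lists are constructed for the example; in practice they would come from an LDAP query of the configuration naming context and from each template's security descriptor.

```python
# Constructed template records shaped like the attributes of objects under
# CN=Certificate Templates,CN=Public Key Services,CN=Services,<Configuration NC>.
# The 'enroll' list stands in for principals granted Enroll in the template ACL.
# Values are illustrative and not a dump from any real forest.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Groups that effectively mean "any domain principal" for enrollment purposes.
BROAD_PRINCIPALS = frozenset({"Authenticated Users", "Domain Users",
                              "Domain Computers", "Everyone"})

TEMPLATES = [
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [OID_SERVER_AUTH],
     "enroll": ["Domain Users", "Domain Admins"]},
    {"cn": "User", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": 0xA6000000,   # subject built from AD, not the CSR
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4",
                             "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"]},
    {"cn": "CustomWebV2", "msPKI-Template-Schema-Version": 2,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [OID_SERVER_AUTH],
     "enroll": ["Domain Users"]},
    {"cn": "AdminWebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [OID_SERVER_AUTH],
     "enroll": ["Domain Admins"]},
]


def audit_v1_templates(templates, broad=BROAD_PRINCIPALS):
    """Return (template name, exposed principals) for every schema-version-1
    template that lets the enrollee supply the subject and grants Enroll to
    a broad group. Version 2+ templates are skipped because the issue is
    specific to version 1 templates."""
    findings = []
    for t in templates:
        if t["msPKI-Template-Schema-Version"] != 1:
            continue
        if not t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            continue
        exposed = sorted(set(t["enroll"]) & broad)
        if exposed:
            findings.append((t["cn"], exposed))
    return findings


if __name__ == "__main__":
    for name, who in audit_v1_templates(TEMPLATES):
        print(f"{name}: v1 template, enrollee supplies subject, "
              f"enrollable by {', '.join(who)}")
```

On the constructed data only WebServer is reported: User is version 1 but takes its subject from the directory, CustomWebV2 is a version 2 template, and AdminWebServer is enrollable only by Domain Admins. A hit from this audit is a template to either restrict enrollment on or retire, in addition to applying the November update.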