A critical zero-day vulnerability in Mozilla's Firefox, Thunderbird, and Tor Browser has been exploited by Russia-aligned attackers in a widespread attack campaign. The flaw, discovered and reported to Mozilla by ESET researchers on October 8th and rated 9.8 out of 10 in severity, lets an attacker run arbitrary code on an affected system with no user interaction beyond loading a malicious web page.
The vulnerability, a use-after-free in the animation timeline feature of Mozilla's browser engine, was patched by Mozilla on October 9th. By then it had already been exploited in the wild, chained with a high-severity privilege-escalation vulnerability in Windows (rated 8.8 out of 10) that let the attackers escape the browser's sandbox. Together the two flaws form a zero-click exploit chain: the victim only has to visit a malicious website, and the rest runs automatically, with no further interaction required.
These sophisticated attacks were linked to RomCom, a Russia-aligned threat actor known for conducting targeted espionage operations against Ukrainian and Polish entities, in addition to other cybercrime operations.
The attack chain starts with fake websites that redirect victims to a server hosting the exploit. If the victim is running a vulnerable browser, shellcode is downloaded and executed, which in turn installs the RomCom backdoor on the victim's computer. Afterwards the victim is redirected to a legitimate site, which helps the attackers avoid suspicion.
ESET's telemetry revealed hundreds of potential victims, mainly in Europe and North America, who were exposed to the exploit between October 10th and November 4th. The number per country ranged from a single victim to about 250.
Mozilla responded quickly, releasing a patch a day after the vulnerability was discovered and reported. Users are urged to update Firefox, Thunderbird, and Tor Browser to a patched release to protect against this critical flaw, tracked as CVE-2024-9680.
In addition to Mozilla's fix, Microsoft issued a patch on November 12th for the Windows zero-day, CVE-2024-49039, an elevation-of-privilege flaw in the Windows Task Scheduler. Both vulnerabilities have been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog, and CISA has urged federal agencies to apply the fixes immediately.
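As an added check that is not part of this article, nor code from Mozilla or ESET, the following Python script decides whether a Firefox version string is at or beyond the build that carries the CVE-2024-9680 fix. The fixed versions in the table (Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1) are the ones listed in Mozilla's advisory for the flaw; Thunderbird and Tor Browser fixed builds are deliberately not in the table and would be taken from their own advisories. The function and variable names are this example's own, and the version strings used in the demo are constructed.

```python
"""Is this Firefox build patched against CVE-2024-9680?

Added example, not code from the article, Mozilla or ESET. Fixed versions
are those published in Mozilla Foundation Security Advisory 2024-51.
"""
import re
import shutil
import subprocess

# Channel name -> first build on that channel that contains the fix.
# Thunderbird and Tor Browser are not covered here; extend from their advisories.
FIXED = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}

# Matches "131.0.2", "128.3.1esr", "132.0b3", or the same embedded in
# "Mozilla Firefox 131.0.2" as printed by `firefox --version`.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([ab]\d+)?(esr)?")


def parse_version(text):
    """Return ((major, minor, patch), is_esr) for the first version in text.

    A missing patch component is treated as 0. Raises ValueError when the
    string contains nothing that looks like a version.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(5) is not None


def channel_for(version, is_esr):
    """Pick the update channel whose fixed build applies to this version.

    128.x is only an ESR stream when the 'esr' suffix is present; a plain
    128.x is the summer-2024 release train and is compared against 131.0.2.
    """
    major = version[0]
    if is_esr and major == 128:
        return "esr128"
    if major == 115:
        return "esr115"
    return "release"


def is_patched(text):
    """True when the version in text is at or beyond its channel's fixed build."""
    version, is_esr = parse_version(text)
    return version >= FIXED[channel_for(version, is_esr)]


def installed_firefox_version():
    """Return the output of `firefox --version`, or None if Firefox is not on PATH."""
    exe = shutil.which("firefox")
    if exe is None:
        return None
    return subprocess.run([exe, "--version"], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings, one per channel plus two edge cases.
    samples = ["131.0.1", "131.0.2", "128.3.0esr", "Mozilla Firefox 128.3.1esr",
               "115.16.0esr", "115.16.1esr", "128.0", "132.0b3"]
    for s in samples:
        print(f"{s:32} {'patched' if is_patched(s) else 'VULNERABLE'}")
    local = installed_firefox_version()
    if local:
        print(f"\nlocal: {local} -> {'patched' if is_patched(local) else 'VULNERABLE'}")
```

The channel logic matters: a plain `128.0` (the release train of July 2024) is older than 131.0.2 and is reported vulnerable, while `128.3.1esr` is the patched ESR build; treating every 128.x as ESR would miss the former.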