Security Experts:

Connect with us

Hi, what are you looking for?



Mozilla Patches Second Firefox Zero-Day Used in Cryptocurrency Attacks

Mozilla on Thursday patched a second zero-day vulnerability in Firefox that has been exploited by malicious actors to deliver Mac malware to cryptocurrency exchanges.

Mozilla on Thursday patched a second zero-day vulnerability in Firefox that has been exploited by malicious actors to deliver Mac malware to cryptocurrency exchanges.

The flaw, tracked as CVE-2019-11708, has been described by Mozilla as a high-severity sandbox escape issue.

“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer,” Mozilla said in its advisory.

The first Firefox zero-day, identified as CVE-2019-11707, was patched by Mozilla on Tuesday. The organization warned at the time that the flaw had been exploited in targeted attacks, but did not share any details.

For the first vulnerability, Mozilla credited the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero. For the second weakness, it credited only Coinbase.

Groß said he reported the flaw to Mozilla on April 15, but had no information about the attacks. He did point out shortly after the first patch was released that exploitation of CVE-2019-11707 can result in remote code execution, but it requires a separate sandbox escape, which turns out to be CVE-2019-11708.

Coinbase learned of the vulnerabilities because attackers used them to target the organization’s employees. The hackers have apparently attempted to deliver Mac (and possibly Windows malware) to Coinbase and other organizations involved with cryptocurrencies.

FireEye’s Nick Carr has revealed that FireEye has been tracking activity apparently related to these attacks since 2017. The attacks observed by FireEye have been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads and the infrastructure involved in the attacks, told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Kremez, who spotted a link to a recent campaign involving a WinRAR zero-day and attacks leveraging a 2017 Microsoft Office vulnerability, said one of the command and control (C&C) servers involved in the Firefox attacks was also used by Windows malware.

“The evidence is circumstantial they were at least pursuing Windows targets as they did before during WinRAR and EPS exploitation. They likely profiled at the exploit gate and served the victim malware depending on the architecture,” the researcher told SecurityWeek.

Kremez said the malware delivered via the Firefox zero-days is an information stealer and it appears to be linked to a piece of malware tracked by Kaspersky as Mokes, a cross-platform backdoor that allows attackers to spy on victims.

Mac security expert Patrick Wardle has analyzed one of the macOS malware samples delivered in the Firefox attacks and found code similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012, designed for stealing passwords from Linux and OS X systems.

Wardle obtained the sample from an individual who had received it via an email mentioning a prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

One of the Mac malware samples is detected at the time of writing by 11 of the engines on VirusTotal and a second sample is not detected by any security products.

Brandon Levene from Alphabet’s cybersecurity firm Chronicle, which operates the VirusTotal service, has analyzed the first sample and told SecurityWeek that Netwire supports multiple operating systems, including Windows, macOS and Linux. The expert has spotted what he has described as an “extremely similar sample of Netwire for OS X” that was uploaded to VirusTotal in February 2018.

“The malware itself is pretty rudimentary. On Windows it actually seems to be composed of Powercat (an open-source powershell version of Netcat) though it is apparently customized for their needs. Professional opinion? This group has solid exploit dev but middling malware skills,” Levene explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.