Mozilla Patches Second Firefox Zero-Day Used in Cryptocurrency Attacks

Mozilla on Thursday patched a second zero-day vulnerability in Firefox that has been exploited by malicious actors to deliver Mac malware to cryptocurrency exchanges.

The flaw, tracked as CVE-2019-11708, has been described by Mozilla as a high-severity sandbox escape issue.

“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer,” Mozilla said in its advisory.
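The class of mistake Mozilla describes, a privileged parent process acting on parameters it received from a sandboxed child, can be illustrated with a simplified IPC handler. The following is an added example written for this article, not Firefox code: the message shape, the dialog allowlist, the child table and the function names are assumptions made for illustration. It shows the vulnerable pattern (the parent opens whatever URL the child names, with whatever privilege flag the child sets) beside a hardened one (the parent resolves the resource from its own allowlist and decides privilege from its own state).

```javascript
"use strict";

// Added example, not Firefox code. Models a parent-process handler for an
// "open a dialog" IPC message from a sandboxed content process. Message
// shape, allowlist, child table and names are assumptions for illustration.

// Dialog resources the parent is willing to open on a child's behalf.
// The parent owns this table; the child may only name an entry in it.
const ALLOWED_DIALOGS = new Map([
  ["auth", "chrome://global/content/commonDialog.xhtml"],
  ["select", "chrome://global/content/selectDialog.xhtml"],
]);

// Parent-side record of each content process (constructed sample data).
// A content process is never privileged, whatever its messages claim.
const CHILDREN = new Map([
  [101, { origin: "https://example.org", privileged: false }],
]);

// Vulnerable pattern: the URL and the privilege flag come straight from the
// child. A compromised child can make the non-sandboxed parent load content
// of its choosing, with the parent's privileges.
function vulnerableHandleOpen(childId, msg) {
  return { url: msg.url, privileged: Boolean(msg.privileged) };
}

// Hardened pattern: validate the message shape, resolve the dialog from the
// parent's own allowlist, and decide privilege from parent-side state only.
function safeHandleOpen(childId, msg) {
  const child = CHILDREN.get(childId);
  if (child === undefined) throw new Error(`unknown child process ${childId}`);
  if (typeof msg !== "object" || msg === null) throw new Error("malformed message");

  // Only the field the protocol defines is accepted; a child-supplied URL or
  // privilege flag is a protocol violation, not a hint.
  for (const key of Object.keys(msg)) {
    if (key !== "dialog") throw new Error(`unexpected field "${key}"`);
  }
  if (typeof msg.dialog !== "string") throw new Error("dialog must be a string");

  const url = ALLOWED_DIALOGS.get(msg.dialog);
  if (url === undefined) throw new Error(`unknown dialog "${msg.dialog}"`);

  return { url, privileged: child.privileged };
}

// Runs a batch of messages through a handler and records each decision,
// so rejected messages do not abort the batch.
function triage(handler, childId, messages) {
  return messages.map((msg) => {
    try {
      return { ok: true, ...handler(childId, msg) };
    } catch (err) {
      return { ok: false, reason: err.message };
    }
  });
}

// Constructed sample traffic: one legitimate request followed by the kinds
// of messages a compromised child would send.
const SAMPLE_MESSAGES = [
  { dialog: "auth" },
  { dialog: "auth", privileged: true },
  { url: "chrome://browser/content/browser.xhtml", privileged: true },
  { url: "file:///etc/passwd" },
  { dialog: "../../../evil.xhtml" },
];

// Returns both handlers' decisions on the sample traffic side by side.
function demo() {
  return {
    vulnerable: triage(vulnerableHandleOpen, 101, SAMPLE_MESSAGES),
    hardened: triage(safeHandleOpen, 101, SAMPLE_MESSAGES),
  };
}
```

Calling `demo()` shows the vulnerable handler accepting all five messages, including the chrome:// and file:// loads, while the hardened handler accepts only the first. The point of the design is that the child never carries authority in the message: the parent looks up what it will open and whether the requester is privileged from tables it controls, so a compromised child has nothing to lie about.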

The first Firefox zero-day, identified as CVE-2019-11707, was patched by Mozilla on Tuesday. The organization warned at the time that the flaw had been exploited in targeted attacks, but did not share any details.

For the first vulnerability, Mozilla credited the security team at cryptocurrency exchange Coinbase and Samuel Groß of Google Project Zero. For the second weakness, it credited only Coinbase.

Groß said he reported the flaw to Mozilla on April 15, but had no information about the attacks. Shortly after the first patch was released, he pointed out that exploitation of CVE-2019-11707 can result in remote code execution only when paired with a separate sandbox escape, which turned out to be CVE-2019-11708.

Coinbase learned of the vulnerabilities because attackers used them to target the organization's employees. The hackers apparently attempted to deliver Mac (and possibly Windows) malware to Coinbase and other organizations involved with cryptocurrencies.

FireEye's Nick Carr has revealed that the company has been tracking activity apparently related to these attacks since 2017. The activity FireEye observed has been aimed at financial institutions and cryptocurrency exchanges.

Security researcher Vitali Kremez, who has analyzed the payloads and the infrastructure involved in the attacks, told SecurityWeek that he has no evidence of any Windows malware being served, but pointed out that the “referenced hashes and IOCs are clearly related to the PE32 malware.”

Kremez, who spotted a link to a recent campaign involving a WinRAR zero-day and attacks leveraging a 2017 Microsoft Office vulnerability, said one of the command and control (C&C) servers involved in the Firefox attacks was also used by Windows malware.

“The evidence is circumstantial they were at least pursuing Windows targets as they did before during WinRAR and EPS exploitation. They likely profiled at the exploit gate and served the victim malware depending on the architecture,” the researcher told SecurityWeek.

Kremez said the malware delivered via the Firefox zero-days is an information stealer and it appears to be linked to a piece of malware tracked by Kaspersky as Mokes, a cross-platform backdoor that allows attackers to spy on victims.

Mac security expert Patrick Wardle has analyzed one of the macOS malware samples delivered in the Firefox attacks and found code similarities to OSX.Netwire (Wirenet), a piece of malware that emerged in 2012, designed for stealing passwords from Linux and OS X systems.

Wardle obtained the sample from an individual who had received it via an email mentioning a prize awarded by the University of Cambridge in the UK. The targeted person said he had been involved until fairly recently with a cryptocurrency exchange.

At the time of writing, one of the Mac malware samples is detected by 11 of the engines on VirusTotal, while a second sample is not detected by any security product.

Brandon Levene from Alphabet’s cybersecurity firm Chronicle, which operates the VirusTotal service, has analyzed the first sample and told SecurityWeek that Netwire supports multiple operating systems, including Windows, macOS and Linux. The expert has spotted what he has described as an “extremely similar sample of Netwire for OS X” that was uploaded to VirusTotal in February 2018.

“The malware itself is pretty rudimentary. On Windows it actually seems to be composed of Powercat (an open-source powershell version of Netcat) though it is apparently customized for their needs. Professional opinion? This group has solid exploit dev but middling malware skills,” Levene explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
