Today, Mozilla released Firefox 67.0.4 that fixes the second unknown vulnerability that was used during this chained attack. Depending on the privileges associated with user active at the time of the attack, an attacker could install programs, view, change, or delete data, or create new accounts with full user rights. The update to version number 67.0.3 patches the critical zero-day flaw and protects users from potential attacks.
"We walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and [infrastructure] used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved".
What just happened? Browser vulnerabilities are a common occurrence and don't usually pose a serious threat since regular software updates tend to include security fixes to patch these flaws, unless it's a rare zero-day bug.
Cryptocurrency are most likely among the first to be targeted although the full reach of the issue is unclear and at this point there are no specific details of how the bug has been exploited exactly. In turn, this vulnerability allows for an "exploitable crash" to be set up.