In June 2015, we published Fidelis Threat Advisory #1017 and an accompanying blog post on hostile cyber criminal activity (unrelated to the espionage activity discussed below) that exploited CVE-2014-4114 using a novel technique which, at the time, produced zero antivirus detections for this well-known vulnerability. What originally drew our attention was that cyber criminals were now leveraging a vulnerability first exploited by advanced persistent threat (APT) actors in October 2014.
Yesterday (June 15, 2015), CitizenLab published a report revealing that hostile actors were using precisely the same CVE-2014-4114 technique against Tibetan and pro-democracy Hong Kong groups. While the report makes no explicit attribution, preliminary analysis suggests that actors working in the interest of a government may be behind this activity. Suspected Chinese government-affiliated cyber espionage actors have historically conducted operations against these groups to monitor their activities.
During our research, we noticed that several files shared the same original creation date (2011) and author (“aaa”) in the PowerPoint metadata. We traced these files back to a single original document: a PowerPoint presentation written in Chinese about China Cloud Computing Technology, entitled “Big Data as a Means of Ensuring Internet Security for the Military” (approximate translation). While the slide content had been stripped out of the weaponized copies, the retained metadata makes it clear that someone built and distributed phishing messages using it as the base PowerPoint document. The document is publicly available, but obscure enough for this to be a very interesting finding.
We continue to believe that Nigerian and Bangladeshi operators are behind some of the activity noted in our Advisory. In these instances, the actors used the same tactics, techniques, and procedures: spear phishing with an attached PowerPoint document that, when saved in PowerPoint Show (PPS) format, bypassed all antivirus detection at the time.
In our estimation, the shared author and creation date, combined with the repeated appearance of weaponized PowerPoint documents exploiting CVE-2014-4114, suggest that the same individual created the base document, built a kit around it, and distributed it selectively, which may account for its limited presence in the wild. We anticipate it will gain more traction the more it is used, detected, and reported.
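The pivot described above (clustering lure documents by the author and creation date left in their metadata, and checking whether they carry embedded OLE objects) is easy to automate. The script below is an added example, not Fidelis code, and it works on the OOXML container used by PPTX/PPSX files, whose core properties live in `docProps/core.xml` and whose embedded objects live under `ppt/embeddings/`. The three sample files it inspects are constructed in memory; only the author string “aaa” and the 2011 creation year are taken from the post, and the file names and timestamps are invented for illustration.

```python
"""Cluster PowerPoint (PPTX/PPSX) files by OOXML core metadata and list
embedded OLE objects.  Added example, not Fidelis code; the sample
documents below are constructed in memory, not the real lures."""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used by docProps/core.xml in an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def inspect_ooxml(data: bytes) -> dict:
    """Return creator, creation timestamp and embedded-object entries of an
    OOXML package given as bytes.  Raises zipfile.BadZipFile on non-OOXML
    input (legacy binary PPT/PPS files are OLE2, not zip, and are not handled)."""
    info = {"creator": None, "created": None, "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            created = root.find("dcterms:created", NS)
            info["creator"] = creator.text if creator is not None else None
            info["created"] = created.text if created is not None else None
        # Embedded OLE objects (the carrier for CVE-2014-4114 payloads) sit here.
        info["embeddings"] = sorted(n for n in names if n.startswith("ppt/embeddings/"))
    return info


def cluster_by_origin(samples: dict) -> dict:
    """Group sample names by (creator, creation year) so documents derived
    from the same base file fall into one bucket."""
    groups = defaultdict(list)
    for name, data in samples.items():
        meta = inspect_ooxml(data)
        year = meta["created"][:4] if meta["created"] else None
        groups[(meta["creator"], year)].append(name)
    return dict(groups)


def make_sample(creator: str, created: str, embeddings=()) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>%s</dc:creator>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">%s</dcterms:created>'
        '</cp:coreProperties>'
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, created)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        for entry in embeddings:
            # OLE2 magic bytes only; a real sample would carry a full object.
            z.writestr("ppt/embeddings/" + entry, b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


# Constructed corpus: two lures sharing the "aaa"/2011 metadata from the
# post (file names and timestamps are hypothetical) plus one unrelated file.
SAMPLES = {
    "lure_a.ppsx": make_sample("aaa", "2011-05-12T03:14:00Z",
                               ["oleObject1.bin", "oleObject2.bin"]),
    "lure_b.ppsx": make_sample("aaa", "2011-05-12T03:14:00Z", ["oleObject1.bin"]),
    "unrelated.pptx": make_sample("jdoe", "2015-06-01T10:00:00Z"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, inspect_ooxml(blob))
    print(cluster_by_origin(SAMPLES))
```

Two caveats for real triage: creator and creation date are trivially forgeable, so a shared value is a pivot to investigate, not proof of common origin; and a legacy binary `.pps` file is an OLE2 compound document rather than a zip, so its SummaryInformation stream has to be read with an OLE parser (for example the `olefile` library) instead of `zipfile`.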