In June 2015, we published Fidelis Threat Advisory #1017 and a blog post on unrelated hostile cyber criminal activity based on the exploitation of CVE-2014-4114, using a novel technique leading to zero antivirus detections for this well-known vulnerability. What originally drew our attention was the fact that cyber criminals were now leveraging the vulnerability that was initially exploited by advanced persistent threat (APT) actors in October 2014.
Yesterday (June 15, 2015), CitizenLab published a report revealing that hostile actors were using precisely the same technique involving CVE-2014-4114 against Tibetan and pro-democracy Hong Kong groups. While no explicit attribution was made in the report, preliminary analysis suggests that actors working in the interest of a government may be behind this activity. Suspected Chinese government-affiliated cyber espionage actors have historically conducted cyber operations against these groups to monitor their developments.
During our research, we noticed that several files shared the same original creation date (2011) and author (“aaa”) in their PowerPoint metadata. We traced these files back to the original document: a PowerPoint presentation written in Chinese about China Cloud Computing Technology, entitled “Big Data as a Means of Ensuring Internet Security for the Military” (approximate translation). While the contents of that document had been removed, it is clear that someone had built and distributed phishing messages using it as the original PowerPoint document. The document is publicly available, but obscure enough for this to be a very interesting finding.
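The metadata pivot described above (matching lure documents on the creator and creation timestamp stored in their OOXML core properties) can be reproduced with the standard library. The following is an added example, not code from Fidelis or from the advisory: it builds a few constructed `.pptx`-like packages in memory containing only `docProps/core.xml`, extracts `dc:creator` and `dcterms:created`, and groups samples that share the same origin. The author value “aaa” and the 2011 creation year come from the post; the exact timestamps, file names and the `jdoe` control sample are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespaces used by OOXML core properties (docProps/core.xml in .pptx/.docx/.xlsx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def extract_core_properties(package_bytes):
    """Return (creator, created) from an OOXML package's docProps/core.xml.

    Missing properties come back as None; a package without core.xml yields (None, None),
    so a sample that has had its metadata stripped still goes into a cluster of its own.
    """
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return (None, None)
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.findtext("dc:creator", default=None, namespaces=NS)
    created = root.findtext("dcterms:created", default=None, namespaces=NS)
    return (creator, created)


def cluster_by_origin(samples):
    """Group sample names by (creator, created).

    Documents built from one template keep the template's creation stamp even after
    their visible content is replaced, so lures derived from the same source land together.
    """
    clusters = defaultdict(list)
    for name, data in samples.items():
        clusters[extract_core_properties(data)].append(name)
    return dict(clusters)


def build_sample_package(creator, created, modified):
    """Construct a minimal zip holding only docProps/core.xml (constructed test data, not a real deck)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>{creator}</dc:creator>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    ).format(creator=creator, created=created, modified=modified, **NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed sample set: two lures that share the template's creator/created stamp
# (the "aaa" / 2011 pair from the post; exact timestamps are made up) and one unrelated file.
SAMPLES = {
    "lure_a.pptx": build_sample_package("aaa", "2011-03-08T02:14:00Z", "2015-05-20T09:00:00Z"),
    "lure_b.pptx": build_sample_package("aaa", "2011-03-08T02:14:00Z", "2015-06-01T11:30:00Z"),
    "unrelated.pptx": build_sample_package("jdoe", "2014-11-02T16:45:00Z", "2014-11-02T17:00:00Z"),
}


if __name__ == "__main__":
    for origin, names in cluster_by_origin(SAMPLES).items():
        print(origin, "->", sorted(names))
```

The `dcterms:modified` stamp is deliberately not part of the cluster key: it changes every time a lure is re-saved, whereas `dc:creator` and `dcterms:created` survive from the template unless the sender scrubs them, which is exactly what made this pivot work in the case above.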