China-linked group Houken hit French govt, telecom, media, finance and transport sectors using Ivanti CSA zero-days, says France’s ANSSI.
France’s cyber agency ANSSI revealed that a Chinese hacking group used Ivanti CSA zero-days to target government, telecom, media, finance, and transport sectors. The campaign, active since September 2024, is linked to the Houken intrusion set, which overlaps with UNC5174 (aka Uteus), tracked by Mandiant.
In September 2024, ANSSI identified a campaign exploiting Ivanti CSA zero-days to breach French entities across key sectors. The attack used a unique intrusion set, dubbed Houken, which combines zero-day exploits and a rootkit with Chinese open-source tools and diverse infrastructure like VPNs and dedicated servers. Houken likely serves as an access broker selling system footholds, with some activity showing data theft and cryptomining.
“At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices. These vulnerabilities were exploited as zero-days, before the publication of the Ivanti security advisory,” reads the report published by ANSSI. “The attacker opportunistically chained these vulnerabilities to gain initial access on Ivanti CSA appliances, with the intention of:
- Obtaining credentials through the execution of a base64 encoded Python script.
- Ensuring persistence, by:
  - deploying or creating PHP webshells;
  - modifying existing PHP scripts to add webshell capabilities;
  - occasionally installing a kernel module which acts as a rootkit once loaded.”
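Two of the persistence patterns ANSSI describes, new PHP webshells and legitimate PHP scripts edited to gain webshell capabilities, both surface as deviations from a known-good file baseline. The following is an added defensive example, not code from the ANSSI report, Security Affairs or Ivanti: it builds a SHA-256 baseline of a PHP tree and reports added, modified and missing scripts; the directory layout and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: baseline-and-compare integrity check for an appliance's PHP
# tree. The tree under `root` and all file names below are hypothetical.


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large scripts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each .php file (POSIX-style relative path) to its digest.
    Run this against a known-good install, not a suspect one."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*.php"))}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return .php files that appeared, changed or vanished since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree, then one script edited and one new file dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "login.php").write_text("<?php echo 'login'; ?>")
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        baseline = build_baseline(root)
        # Simulate the two patterns: an existing script tampered with, a new file added.
        (root / "app" / "login.php").write_text("<?php echo 'login'; /* tampered */ ?>")
        (root / "app" / "help.php").write_text("<?php echo 'new'; ?>")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'added': ['app/help.php'], 'modified': ['app/login.php'], 'missing': []}
```

Store the baseline off the appliance, since an attacker who can edit PHP scripts can also edit a manifest kept beside them.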
The attacker tried to self-patch the Ivanti CSA flaws to block other threat actors, then moved laterally, performed reconnaissance, stole credentials, and established persistence. ANSSI observed further activity in November 2024.
At the end of 2024, the French cyber agency observed multiple attacks on local entities across key sectors. After compromising Ivanti CSA devices, attackers moved laterally, stole credentials, and tried to persist on networks. The government experts pointed out that the activity aligned with China Standard Time (UTC+8). ANSSI aided impacted organizations with forensics and response.
The Houken intrusion set exploited zero-day flaws in Ivanti CSA devices to gain initial access to French networks. Once inside, attackers used tools like Neo-reGeorg, Behinder, and GOREVERSE to maintain persistence and control the compromised systems. Their infrastructure included anonymization services (e.g., NordVPN, Tor), VPSs, and residential IPs. They reused IPs, deployed webshells, modified PHP scripts, and used a sophisticated rootkit to hijack TCP traffic. The TTPs suggest a capable actor targeting high-value systems, likely for espionage or sale of access.
Houken’s tactics range from basic, noisy use of open-source tools, often developed by Chinese-speaking communities, to more advanced techniques like zero-day exploitation and rootkit development, hinting at a multi-actor operation. Houken targets a wide array of entities, prioritizing Southeast Asian governments and education sectors, NGOs, and Western institutions linked to state functions. Links to UNC5174, a group tied to China’s MSS, suggest a shared operator selling access and intelligence.
“the threat actor behind the Houken and UNC5174 intrusion sets might correspond to a private entity, selling accesses and worthwhile data to several state-linked bodies while seeking its own interests leading lucrative oriented operations. Such behaviour was already observed for Chinese-linked intrusion sets related to the APT41 galaxy and previously linked to numerous private sector entities [13].” ANSSI concludes.