Chinese Hackers Exploit Ivanti CSA Zero-Days In Major France Attack

HomeNews* Chinese threat group exploited zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to target French critical sectors.

• The campaign affected government, telecom, media, finance, and transport organizations starting in September 2024.
• Attackers used advanced methods like rootkits, commercial VPNs, and open-source tools for persistent network access.
• Exploited vulnerabilities include CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
• The campaign appears to involve multiple threat actors, with some seeking financial gain and others providing access to state-linked groups. French authorities reported that a Chinese-based Hacking group launched an attack campaign against major sectors in France, including government, telecommunications, media, finance, and transport. The campaign began in September 2024 and focused on exploiting several unpatched security flaws—known as zero-days—in Ivanti Cloud Services Appliance (CSA) devices.

• Advertisement - The French National Agency for the Security of Information Systems (ANSSI) stated that the group, identified as Houken, shares connections with the threat cluster UNC5174, also called Uteus or Uetus, tracked by Google Mandiant. According to ANSSI, the attackers combined the use of unknown software vulnerabilities, a concealed rootkit (a tool that hides the attacker’s presence), and a range of open-source programs mainly developed by Chinese-speaking programmers.

ANSSI reported, “Houken’s attack infrastructure is made up of diverse elements—including commercial VPNs and dedicated servers.” HarfangLab, a French Cybersecurity firm, described a multi-party approach: one party finds software vulnerabilities, a second group uses them for network access, and third parties carry out follow-on attacks. According to ANSSI, “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

The attackers targeted three specific Ivanti CSA vulnerabilities—CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190. They used different methods to steal credentials and maintain system access, such as installing PHP web shells, modifying existing scripts, or deploying a kernel module rootkit. Tools like the Behinder and NEO-reGeorg web shells, the GOREVERSE backdoor, and the suo5 proxy were observed in use.

The attacks also involved a Linux kernel module called “sysinitd.ko,” which lets attackers hijack all inbound traffic and execute commands with full administrative privileges. Some attackers reportedly patched the same vulnerabilities after exploiting them, likely to stop other groups from using the same systems.

The broader campaign affected organizations throughout Southeast Asia and Western governments, education sectors, NGOs, and media outlets. In some cases, the attackers used access for cryptocurrency mining. French authorities suggested the actors might be a private group selling access and information to various state-linked organizations while conducting their own profit-driven operations.

Previous Articles:

• Senator Lummis Proposes Bill to Exempt Crypto Taxes Under $300
• First Abu Dhabi Bank to Launch Middle East’s First Digital Bond
• 0xProcessing: Crypto Payments Prove 91% Safer Than Card Systems
• OpenAI Warns Against Robinhood Tokens Amid $300 Billion Valuation
• JD.com, Ant Group Push for Yuan Stablecoin to Challenge Dollar

• Advertisement -