
Chinese Hackers Exploit Ivanti Zero-Day to Attack France

Summary

– France’s ANSSI identified a new cyber intrusion campaign called Houken, targeting French organizations across multiple sectors since at least September 2024.
– The Houken campaign uses moderately sophisticated tools, including zero-day exploits, Chinese-origin open-source tools, and a rootkit, linked to Chinese state-affiliated actor UNC5174.
– Attackers exploited three Ivanti vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) to execute arbitrary code, steal credentials, and deploy webshells before patches were released.
– The threat actor operated in UTC+8 (China Standard Time) and targeted sectors like government, telecoms, media, finance, and transport, with attacks lasting until November 2024.
– Houken’s infrastructure included commercial VPNs, VPS providers, and ISPs, with tactics ranging from unsophisticated to advanced, suggesting a multi-actor approach.

French organizations across multiple industries have fallen victim to a sophisticated cyberattack campaign linked to Chinese state-sponsored actors, according to findings from France’s national cybersecurity agency ANSSI. The operation, active since at least September 2024, exploited critical vulnerabilities in Ivanti systems to infiltrate networks in government, telecom, finance, and transportation sectors.

ANSSI’s Computer Emergency Response Team (CERT-FR) traced the attacks to a group it named Houken, which security researchers believe operates as an initial access broker for China’s Ministry of State Security. The hackers leveraged three zero-day flaws in Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) to execute arbitrary code remotely. After breaching systems, they deployed custom webshells, modified existing scripts, and even installed a kernel-level rootkit to maintain persistence.

What makes this campaign particularly concerning is the blend of crude and advanced techniques. While some tactics, like using publicly available tools, suggested limited sophistication, the exploitation of zero-day vulnerabilities and deployment of stealthy rootkits pointed to state-backed capabilities. Attackers also attempted to patch compromised systems themselves, likely to prevent rival hackers from exploiting the same weaknesses.

The operational patterns aligned with China Standard Time (UTC+8), reinforcing suspicions of Chinese involvement. Houken’s infrastructure relied on commercial VPN services like ExpressVPN and NordVPN, alongside dedicated servers from providers such as HOSTHATCH and ColoCrossing. Researchers noted the use of Chinese-developed open-source tools, including webshells like Neo-reGeorg, alongside custom malware.

Lateral movement within victim networks was observed in several cases, with attackers conducting reconnaissance and moving toward internal systems. ANSSI provided forensic support to affected organizations, though the campaign persisted until at least November 2024. The agency’s report highlights Houken’s broad targeting scope, suggesting the group prioritizes intelligence-gathering operations beyond France.

This incident underscores the growing threat of state-aligned cyber espionage, particularly through initial access brokers who sell network footholds to government-linked actors. Organizations using Ivanti products are urged to ensure all patches are applied and to monitor for signs of compromise, including unexpected system modifications and unusual network traffic.

(Source: InfoSecurity)
