In September 2024, the French National Agency for the Security of Information Systems (ANSSI) identified a sophisticated cyber-espionage campaign targeting multiple sectors within France, including government, telecommunications, media, finance, and transportation. This campaign was orchestrated by a Chinese hacking group known as Houken, which exploited zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to infiltrate these critical infrastructures.
Discovery and Attribution
The campaign was first detected in early September 2024. ANSSI attributed the attacks to the Houken intrusion set, which shares operational similarities with another threat cluster tracked by Google Mandiant as UNC5174, also referred to as Uteus or Uetus. These groups are known for their advanced tactics and persistent targeting of high-value entities.
Attack Methodology
Houken’s operators utilized a combination of zero-day vulnerabilities and sophisticated rootkits to compromise Ivanti CSA devices. They also employed a variety of open-source tools predominantly developed by Chinese-speaking developers. The attack infrastructure was diverse, incorporating commercial VPNs and dedicated servers to facilitate their operations.
The attackers exploited three specific vulnerabilities in Ivanti CSA devices:
– CVE-2024-8963: A critical flaw allowing unauthorized access.
– CVE-2024-9380: A vulnerability enabling remote code execution.
– CVE-2024-8190: A security defect permitting privilege escalation.
By leveraging these vulnerabilities, the attackers were able to obtain credentials and establish persistent access through several methods:
1. Direct Deployment of PHP Web Shells: Installing malicious scripts to execute arbitrary commands.
2. Modification of Existing PHP Scripts: Injecting web shell capabilities into legitimate scripts to maintain stealth.
3. Installation of Kernel Modules Serving as Rootkits: Deploying malicious kernel modules to gain deep system access and conceal activities.
Tools and Techniques
The attackers employed publicly available web shells such as Behinder and neo-reGeorg to establish initial access. Following lateral movement within the networks, they deployed GOREVERSE, a variant of GoReShell, to maintain persistence. Additionally, they utilized an HTTP proxy tunneling tool named suo5 and a Linux kernel module called sysinitd.ko, which was documented by Fortinet in October 2024 and January 2025.
The sysinitd.ko module, along with its user-space executable sysinitd, was installed on targeted devices through a shell script named install.sh. This setup allowed the attackers to hijack inbound TCP traffic across all ports and execute commands with root privileges, effectively granting them full control over the compromised systems.
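As an added defensive example (not code from ANSSI, Ivanti or the article), the following Python script illustrates how the persistence methods described above can be checked for: a hash baseline catches PHP scripts that were modified or newly dropped, a crude pattern check surfaces request data flowing into command execution, and an lsmod-style listing is searched for the sysinitd module name. The file contents, the baseline and the lsmod text are constructed samples; in practice the baseline would be a hash manifest captured from a known-good install of the appliance's PHP tree.

```python
import hashlib
import os
import re
import tempfile
# Heuristic for injected web-shell logic: request data flowing straight into
# code or command execution. A triage signal only, not proof of compromise.
SUSPICIOUS = re.compile(
    r"(eval|assert|system|shell_exec|passthru|exec)\s*\(\s*.*\$_(POST|GET|REQUEST|COOKIE)"
)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_php_tree(root, baseline):
    """Compare every .php file under root with a known-good hash baseline and
    flag new files, modified files, and files matching SUSPICIOUS."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel not in baseline:
                findings.append((rel, "not in baseline"))
            elif baseline[rel] != sha256_file(path):
                findings.append((rel, "hash mismatch"))
            with open(path, "r", errors="replace") as f:
                if SUSPICIOUS.search(f.read()):
                    findings.append((rel, "suspicious pattern"))
    return sorted(findings)

def watched_modules(lsmod_output, names=("sysinitd",)):
    """Return watched kernel module names found in lsmod-style output (header skipped)."""
    rows = [line.split() for line in lsmod_output.splitlines()[1:]]
    return [row[0] for row in rows if row and row[0] in names]

def demo():
    # Constructed sample tree: an untouched script, a legitimate script with
    # injected command execution, and a dropped file never in the baseline.
    tmp = tempfile.mkdtemp()
    clean = "<?php echo 'ok'; ?>"
    files = {"index.php": clean, "login.php": "<?php echo 'ok'; system($_POST['c']); ?>",
             "cache.php": "<?php eval($_REQUEST['x']); ?>"}
    for name, body in files.items():
        with open(os.path.join(tmp, name), "w") as f:
            f.write(body)
    # Constructed baseline: both shipped scripts originally had the clean content.
    baseline = {n: hashlib.sha256(clean.encode()).hexdigest() for n in ("index.php", "login.php")}
    return scan_php_tree(tmp, baseline)
```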
Strategic Implications
ANSSI theorized that Houken has been operating as an initial access broker since 2023. In this role, Houken gains initial footholds into target networks and subsequently shares or sells access to other threat actors interested in conducting further exploitation activities. This multi-party approach to vulnerability exploitation reflects a complex and collaborative cyber-espionage ecosystem.
The agency noted that the operators behind the UNC5174 and Houken intrusion sets are likely seeking valuable initial accesses to sell to state-linked actors aiming to gather intelligence. This underscores the strategic nature of these cyber operations, which are not merely opportunistic but are part of a broader intelligence-gathering effort.
Broader Context
In recent months, UNC5174 has been linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE. The group has also targeted vulnerabilities in Palo Alto Networks, ConnectWise ScreenConnect, and F5 BIG-IP software to deploy the SNOWLIGHT malware, which is then used to drop a Golang tunneling utility called GOHEAVY. These activities highlight the group’s persistent efforts to exploit vulnerabilities in widely used enterprise solutions to achieve their objectives.
Another report from SentinelOne attributed an intrusion against a leading European media organization in late September 2024 to the same threat actor. This indicates a broad targeting range, encompassing governmental and educational sectors in Southeast Asia, non-governmental organizations in China, including Hong Kong and Macau, and various sectors in the West.
Mitigation and Recommendations
In response to these threats, organizations utilizing Ivanti CSA devices are urged to take immediate action:
1. Apply Security Patches Promptly: Ensure that all Ivanti CSA devices are updated to the latest firmware versions that address the identified vulnerabilities.
2. Conduct Comprehensive Security Audits: Regularly review system logs and network traffic for signs of unauthorized access or unusual activity.
3. Implement Network Segmentation: Isolate critical systems to limit the potential impact of a breach.
4. Enhance Monitoring and Detection Capabilities: Deploy advanced threat detection tools to identify and respond to malicious activities promptly.
5. Educate and Train Staff: Provide ongoing cybersecurity training to employees to recognize and report potential threats.
By adopting these measures, organizations can strengthen their defenses against sophisticated cyber threats and reduce the risk of successful attacks.
Conclusion
The exploitation of Ivanti CSA zero-day vulnerabilities by the Houken group underscores the evolving nature of cyber threats and the importance of proactive cybersecurity practices. As attackers continue to develop and deploy advanced techniques, it is imperative for organizations to remain vigilant, apply timely patches, and implement robust security measures to protect their critical assets.