A sophisticated Chinese cyber threat group, identified as Houken, has been actively exploiting multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices to deploy advanced Linux rootkits, thereby establishing persistent access to critical infrastructure networks. This campaign, initiated in September 2024, has successfully compromised organizations across various sectors, including government, telecommunications, media, finance, and transportation, particularly in France but also in other regions.
Exploitation of Zero-Day Vulnerabilities
The Houken group has leveraged a chain of critical vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—all exploited as zero-days prior to Ivanti’s security advisories. This coordinated exploitation underscores the threat actors’ advanced capabilities in vulnerability research and their access to previously unknown security flaws.
Global Reach and Targeted Sectors
The campaign’s reach extends beyond France, impacting entities across Southeast Asia, Europe, and the United States. Targets include research institutions, non-governmental organizations, and other entities of strategic intelligence value. Analysts from CERT-SSI identified the Houken intrusion set through comprehensive forensic analysis of compromised French infrastructure, revealing operational patterns consistent with activities conducted in China Standard Time (UTC+8).
Connection to UNC5174 Intrusion Set
Investigations have uncovered links between Houken and the previously documented UNC5174 intrusion set, suggesting coordination by a common threat actor operating as an initial access broker for state-sponsored intelligence collection. This connection highlights the potential for shared tactics, techniques, and procedures among Chinese state-sponsored cyber actors.
Blend of Sophisticated Techniques and Commodity Tools
The attackers exhibit a paradoxical blend of sophisticated techniques and the use of commodity tools. They utilize zero-day exploits alongside open-source utilities primarily developed by Chinese-speaking programmers. Their infrastructure combines commercial VPN services, including NordVPN and ExpressVPN, with dedicated command-and-control servers, indicating either multi-actor collaboration or deliberately diverse operational security practices.
Deployment of Advanced Linux Rootkits
A particularly concerning aspect of Houken’s toolkit is the deployment of a previously unobserved Linux rootkit comprising two components: a kernel module (sysinitd.ko) and a user-space executable (sysinitd). This sophisticated persistence mechanism hijacks inbound TCP traffic across all ports, enabling remote command execution with root privileges through a technique that bypasses traditional network monitoring.
Rootkit Installation and Persistence Mechanisms
The rootkit installation begins with the execution of webshells created through vulnerability exploitation. For example, attackers use CVE-2024-9380 to inject malicious PHP code into the system. Once initial access is established, the threat actors deploy the rootkit components and establish multiple persistence mechanisms. They also tamper with the PHP runtime configuration by appending malicious code to `/etc/php.ini`, so that the injected code executes regardless of which web page is accessed. The modification includes setting `allow_url_include = On` and using base64-encoded PHP `eval` calls that decode to malicious commands.
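The following is an added defender-side example, not code from the article or from any vendor advisory: it audits a `php.ini` for the two indicators described above (`allow_url_include = On` and embedded base64 `eval` code) and checks `/proc/modules`-style output for the `sysinitd` kernel module named in the rootkit description. The function names and the sample inputs are constructed for this illustration; on a real host you would feed it the contents of `/etc/php.ini` and `/proc/modules`.

```python
import re

# Indicators taken from the article: php.ini edited to enable remote includes
# and carry base64-wrapped eval() code, and a kernel module called sysinitd.ko.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
RISKY_DIRECTIVES = {"allow_url_include": "on"}   # directive -> dangerous value
SUSPECT_MODULES = {"sysinitd"}

# Constructed sample inputs (not real captures); the payload is a placeholder.
SAMPLE_PHP_INI = """\
[PHP]
engine = On
allow_url_include = On
<?php eval(base64_decode("PAYLOAD_B64_PLACEHOLDER")); ?>
"""
SAMPLE_PROC_MODULES = """\
ext4 786432 1 - Live 0x0000000000000000
sysinitd 16384 0 - Live 0x0000000000000000
"""

def parse_ini_directives(text):
    """Return {directive: value} for 'key = value' lines, skipping comments/sections."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip().strip('"').lower()
    return directives

def audit_php_ini(text):
    """List findings for a php.ini: risky directive values and embedded PHP code."""
    findings = []
    directives = parse_ini_directives(text)
    for key, bad in RISKY_DIRECTIVES.items():
        if directives.get(key) == bad:
            findings.append(f"{key} = {bad}")
    # A configuration file should never contain a PHP open tag or an eval() call.
    if "<?php" in text.lower() or EVAL_B64_RE.search(text):
        findings.append("embedded PHP code / base64 eval in php.ini")
    return findings

def audit_modules(proc_modules):
    """Return suspect module names found in /proc/modules-style output (first column)."""
    loaded = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return sorted(loaded & SUSPECT_MODULES)

if __name__ == "__main__":
    print(audit_php_ini(SAMPLE_PHP_INI))
    print(audit_modules(SAMPLE_PROC_MODULES))
```

A clean host yields empty lists for both checks; any finding warrants pulling the files for manual review rather than blind cleanup, since the article notes the rootkit survives removal of the webshell alone.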
Implications for Cybersecurity
The rootkit’s TCP hijacking capability represents a significant advancement in persistence technology, allowing attackers to maintain access even when traditional backdoors are discovered and removed. This makes detection and remediation particularly challenging for defenders. The Houken group’s activities underscore the evolving threat landscape and the need for organizations to adopt robust cybersecurity measures, including timely patching of vulnerabilities, continuous monitoring, and comprehensive incident response strategies.
Recommendations for Organizations
1. Immediate Patching: Organizations using Ivanti CSA devices should apply the latest security patches promptly to mitigate the exploited vulnerabilities.
2. Enhanced Monitoring: Implement continuous monitoring of network traffic and system logs to detect unusual activities indicative of compromise.
3. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
4. User Education: Conduct regular training sessions for employees to recognize phishing attempts and other common attack vectors used by threat actors.
5. Access Controls: Enforce strict access controls and least privilege principles to limit the potential impact of a compromised account or system.
By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats like those posed by the Houken group.