Chinese Hackers Exploit Ivanti CSA Zero-Days in Attacks on French Government, Telecoms
Summary:
The French cybersecurity agency ANSSI disclosed that government, telecom, media, finance, and transport sectors in France were impacted by a Chinese hacking group that weaponized multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices as part of a sophisticated intrusion campaign detected in September 2024. This campaign has been attributed to a group codenamed Houken, which shares operational and tooling overlaps with UNC5174, a cluster tracked by Google Mandiant. According to ANSSI, Houken operators employ zero-day vulnerabilities and a sophisticated rootkit alongside numerous open-source tools crafted by Chinese-speaking developers, and leverage infrastructure including commercial VPNs and dedicated servers to conduct operations. HarfangLab suggested Houken may act as an initial access broker since 2023, gaining footholds within target networks before selling or sharing access with other threat actors for post-exploitation activities. This aligns with a multi-party exploitation model where one party discovers vulnerabilities, another exploits them to gain access, and third parties pursue espionage or financially motivated objectives.
UNC5174, which shares tradecraft similarities with Houken, has previously exploited SAP NetWeaver flaws to deploy the GOREVERSE backdoor (a variant of GoReShell) and has targeted vulnerabilities in Palo Alto Networks, ConnectWise ScreenConnect, and F5 BIG-IP to deliver SNOWLIGHT malware and a Golang tunneling utility called GOHEAVY. SentinelOne linked UNC5174 to an intrusion against a major European media organization in September 2024, further demonstrating the group’s broad targeting across Western sectors. During the Ivanti CSA intrusions documented by ANSSI, attackers exploited CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190 as zero-days to steal credentials and establish persistence through PHP web shells, script modification for shell capabilities, and deploying a rootkit kernel module named sysinitd.ko. Tools used include Behinder, neo-reGeorg, GOREVERSE, the suo5 HTTP proxy tunneling tool, and the sysinitd user-space executable, which hijacks TCP traffic on all ports to enable root-level remote command execution on compromised devices.
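The persistence mechanisms above (the sysinitd.ko kernel module, the sysinitd user-space process and PHP web shells) are all host artefacts a responder can look for without any vendor tooling. The script below is an added example written for this summary; it is not code from the article, from ANSSI or from Ivanti. Only the indicator names sysinitd / sysinitd.ko are taken from the report; the web-root path, the generic web-shell regex, and every input (stand-ins for `lsmod`, `ps -eo pid,user,comm` and a file listing) are constructed assumptions. Because the Security Officer Comments note that the actors patched the Ivanti flaws after compromise, a fully patched appliance should still be triaged this way rather than assumed clean; the baseline date is the last change administrators themselves made to the device, so PHP files modified after it are unexpected.

```python
"""Offline triage of Linux appliance artefacts for the Ivanti CSA indicators.

Added example, not the article's or Ivanti's code. Indicator names come from
the ANSSI-reported tooling (sysinitd.ko, sysinitd); all sample inputs below
are constructed, and the web-root path is an assumption.
"""
import re
from datetime import datetime

SUSPECT_MODULES = {"sysinitd"}       # rootkit kernel module named in the report
SUSPECT_PROCESSES = {"sysinitd"}     # user-space component named in the report
WEB_ROOTS = ("/var/www/html/",)      # assumed web root; adjust to the real appliance layout
# Generic web-shell heuristic (not specific to this campaign): a code-execution
# call fed by request data within a short distance.
SHELL_PATTERN = re.compile(
    r"\b(eval|assert|system|shell_exec)\s*\(.{0,200}?\$_(POST|GET|REQUEST|COOKIE)", re.S)


def parse_lsmod(text):
    """Return the set of loaded module names from `lsmod` output (header skipped)."""
    return {line.split()[0] for line in text.strip().splitlines()[1:] if line.split()}


def parse_ps(text):
    """Return [(pid, user, comm)] from `ps -eo pid,user,comm` output (header skipped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def triage(lsmod_text, ps_text, files, baseline):
    """Return a list of (severity, finding) tuples.

    files: list of (path, mtime datetime, content) collected from the host.
    baseline: datetime after which a modified PHP file under a web root is
    unexpected (the last legitimate administrative change to the appliance).
    """
    findings = []
    for mod in sorted(parse_lsmod(lsmod_text) & SUSPECT_MODULES):
        findings.append(("high", f"loaded kernel module matches rootkit name: {mod}"))
    for pid, user, comm in parse_ps(ps_text):
        if comm in SUSPECT_PROCESSES:
            findings.append(("high", f"process {comm} (pid {pid}) running as {user}"))
    for path, mtime, content in files:
        if not path.endswith(".php") or not path.startswith(WEB_ROOTS):
            continue
        if SHELL_PATTERN.search(content):
            findings.append(("high", f"web-shell pattern in {path}"))
        elif mtime > baseline:
            findings.append(("medium", f"PHP file modified after baseline: {path}"))
    return findings


# --- constructed sample inputs (not real host data) -------------------------
SAMPLE_LSMOD = """\
Module                  Size  Used by
sysinitd               16384  0
xt_conntrack           16384  1
nf_conntrack          172032  1 xt_conntrack
"""
SAMPLE_PS = """\
    PID USER     COMMAND
      1 root     systemd
    812 root     sysinitd
   1033 www-data php-fpm
"""
BASELINE = datetime(2024, 9, 1)   # assumed date of the last legitimate admin change
SAMPLE_FILES = [
    ("/var/www/html/index.php", datetime(2024, 5, 2), "<?php require 'app.php'; ?>"),
    # content kept inside a PHP comment so the sample is inert, yet it trips the regex
    ("/var/www/html/help.php", datetime(2024, 9, 12),
     "<?php // constructed sample: eval($_POST['q']) ?>"),
    ("/var/www/html/lib/util.php", datetime(2024, 9, 13), "<?php function f() {} ?>"),
    ("/var/www/html/logo.png", datetime(2024, 9, 14), "\x89PNG"),
]


def run_sample():
    """Run the triage over the constructed inputs; returns four findings."""
    return triage(SAMPLE_LSMOD, SAMPLE_PS, SAMPLE_FILES, BASELINE)


if __name__ == "__main__":
    for severity, finding in run_sample():
        print(f"[{severity}] {finding}")
```

On a real appliance the three inputs would come from `lsmod`, `ps -eo pid,user,comm` and a walk of the web roots; a hit on the module or process name is strong evidence, while the regex and mtime checks are triage leads that need manual review of the flagged file.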
Security Officer Comments:
ANSSI also noted that the attackers, operating in the UTC+8 time zone corresponding to China Standard Time, were observed patching the Ivanti vulnerabilities post-compromise to prevent exploitation by other threat actors, demonstrating a layered operational security approach. The targeting extends beyond France, affecting government and education sectors in Southeast Asia, NGOs in China, Hong Kong, and Macau, and various Western government, defense, media, education, and telecom entities. The financially motivated side of operations was evident in at least one incident where crypto miners were deployed on compromised systems, suggesting the actors pursue profit alongside espionage. ANSSI concludes that the Houken and UNC5174 clusters are likely operated by a private Chinese entity selling access and stolen data to state-linked bodies while conducting parallel financially driven attacks, underscoring the blended motives of modern Chinese cyber operations.
Suggested Corrections:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2025/07/chinese-hackers-exploit-ivanti-csa-zero.html