Chinese cybercriminals launch a zero-day exploit campaign, specifically aimed at French targets, using Ivanti software vulnerabilities.
In September 2024, an unexpected cyber intrusion campaign was detected, traced back to a China-linked Advanced Persistent Threat (APT) group known as Houken. This group targeted sectors such as government, telecom, media, finance, and transport, using Ivanti Cloud Service Appliance (CSA) zero-day vulnerabilities.
The campaign began with the attacker exploiting three high- to critical-severity zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) affecting Ivanti CSA to remotely execute arbitrary code on vulnerable devices. These vulnerabilities were patched on September 10, September 15, and October 8, respectively.
The Houken toolset mixed unsophisticated and advanced tactics, suggesting both limited resources for tool development and access to significant technical capabilities. The attackers chained the three exploits to obtain credentials and ensured persistence by deploying or creating PHP webshells, modifying existing PHP scripts to add webshell capabilities, and occasionally installing a kernel module that acts as a rootkit once loaded.
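The persistence technique described above (new PHP webshells dropped into the web root, or legitimate PHP scripts altered to carry webshell functionality) is the kind of change a baseline integrity check catches. The following is an added example written for this page, not code from the article or from ANSSI: it records SHA-256 hashes of every PHP file under a web root on a known-good system, later diffs the current tree against that baseline, and runs a small content heuristic over only the added or modified files. The web root, file names and sample contents are all constructed for the demonstration; a heuristic hit is a lead for review, not proof of compromise.

```python
"""Baseline integrity check plus content heuristic for a PHP web root.
Added example for illustration; all paths and sample files are constructed."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructs a legitimate script rarely combines with raw request input.
# Request data flowing into an execution primitive is the classic webshell shape.
SUSPICIOUS = [
    re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    re.compile(r"base64_decode\s*\(", re.I),
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large scripts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map each PHP file (relative path) under webroot to its SHA-256 digest.
    Run this on a known-good system and store the result off-host."""
    return {str(p.relative_to(webroot)): sha256_file(p) for p in sorted(webroot.rglob("*.php"))}


def scan_content(path: Path) -> list:
    """Return the suspicious patterns found in one PHP file."""
    text = path.read_text(errors="replace")
    return [pat.pattern for pat in SUSPICIOUS if pat.search(text)]


def audit(webroot: Path, baseline: dict) -> dict:
    """Diff the current web root against the baseline and flag findings.
    Only added or modified files are sent through the content heuristic."""
    current = build_baseline(webroot)
    findings = {"added": [], "modified": [], "removed": [], "suspicious": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    for rel in findings["added"] + findings["modified"]:
        hits = scan_content(webroot / rel)
        if hits:
            findings["suspicious"][rel] = hits
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean web root, then one existing script
    is altered to carry webshell functionality and one new file is dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "status.php").write_text("<?php echo json_encode(['ok' => true]); ?>\n")
        baseline = build_baseline(root)
        # Constructed post-compromise state for the demo: the existing status page
        # gains a request-driven execution primitive, and a new file appears.
        with (root / "status.php").open("a") as f:
            f.write("<?php if (isset($_POST['c'])) { eval($_POST['c']); } ?>\n")
        (root / "cache.php").write_text("<?php system($_GET['cmd']); ?>\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from the vendor image or from a freshly patched appliance and kept off the device, since an attacker who can write PHP in the web root can also rewrite a manifest stored beside it. Note also that the heuristic alone would miss a webshell that hides its primitives behind string building or obfuscation; the hash diff is what makes the check robust, and the heuristic only prioritises what to read first.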
The attack infrastructure included dedicated servers hosted by HOSTHATCH, ColoCrossing, and JVPS.hosting, as well as internet service providers such as Comcast, China Unicom, China Telecom, and Airtel. Furthermore, IP addresses from popular anonymisation services such as ExpressVPN, NordVPN, Proton VPN, and Surfshark were also part of the attack infrastructure.
The attacker attempted to self-patch the web resources affected by the vulnerabilities to prevent exploitation by additional, unrelated actors. After establishing a foothold on victim networks, the attacker performed reconnaissance and moved laterally, focusing on entities located near China, particularly in Southeast Asia, NGOs inside and outside China, and entities based in Western countries in the governmental, defence, education, media, or telecommunication sectors.
ANSSI's Computer Emergency Response Team (CERT-FR) published a report on July 1, 2025, assessing that the Houken intrusion set is operated by the same threat actor as UNC5174, which is believed to be an initial access broker for China's Ministry of State Security (MSS).
The attacks lasted at least until November 2024 and affected French organizations in the aforementioned sectors. ANSSI provided significant support to the affected entities, assisting with forensic analysis and corrective actions for these incidents.
In this newly identified campaign, ANSSI estimated that the threat actor likely uses Houken to gain initial access to a network in order to sell that access to a state-linked actor seeking intelligence. The Houken toolset in the campaigns starting in September 2024 also included handcrafted webshells, open-source tools available on GitHub (mostly written by Chinese-speaking developers), a Linux kernel module and a user-space binary acting as a rootkit, commercial VPN solutions, and dedicated command-and-control servers.
This cyber intrusion campaign serves as a stark reminder of the ongoing cyber threats and the importance of maintaining robust security measures, particularly when dealing with critical infrastructure.