The French cybersecurity agency (ANSSI) has issued a warning regarding a malicious campaign launched by a Chinese hacking group that has exploited several zero-day vulnerabilities in Ivanti’s Cloud Services Appliance (CSA). This campaign has affected multiple sectors including governmental, telecommunications, media, finance, and transport within France. The campaign was identified in early September 2024 and is believed to be the work of a distinct intrusion set known as Houken, which shares similarities with an existing threat cluster tracked by Google Mandiant labeled UNC5174.
ANSSI reported that the Houken intrusion set utilizes a combination of zero-day vulnerabilities and a sophisticated rootkit, along with various open-source tools typically developed by Chinese-speaking individuals. The agency noted that the attack infrastructure involves a mixture of commercial VPNs and dedicated servers, indicating a well-planned operation. According to ANSSI, Houken may operate as an initial access broker, compromising networks and then distributing access to third parties for subsequent exploitation.
In recent months, the UNC5174 group has been tied to exploits targeting SAP NetWeaver, among other products, and has been known for deploying malware such as GOREVERSE and SNOWLIGHT. ANSSI’s investigation revealed that the attackers have been chaining three specific vulnerabilities, CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, to gain access to target systems. The techniques used include deploying PHP web shells and modifying scripts already present on the appliance to establish persistence within compromised devices.
Interestingly, the attackers have been observed attempting to patch these vulnerabilities after exploiting them, a move that appears intended to prevent other actors from exploiting the same weaknesses. This behavior has raised questions about the motivations behind the attacks, with speculation that the attackers may also be engaging in cryptocurrency mining as part of their financial strategy. Overall, ANSSI’s report sheds light on the evolving landscape of cyber threats linked to state-sponsored groups and the necessity for continuous vigilance in cybersecurity practices.