Chinese Hackers Exploit Ivanti CSA Zero-Days in Major France Attack

Chinese Threat Actors Exploit Ivanti Zero-Days to Target French Critical Sectors in 2024

  • Chinese threat group exploited zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to target French critical sectors.
  • The campaign affected government, telecom, media, finance, and transport organizations starting in September 2024.
  • Attackers used advanced methods like rootkits, commercial VPNs, and open-source tools for persistent network access.
  • Exploited vulnerabilities include CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
  • The campaign appears to involve multiple threat actors, with some seeking financial gain and others providing access to state-linked groups.

French authorities reported that a Chinese-based Hacking group launched an attack campaign against major sectors in France, including government, telecommunications, media, finance, and transport. The campaign began in September 2024 and focused on exploiting several unpatched security flaws—known as zero-days—in Ivanti Cloud Services Appliance (CSA) devices.

- Advertisement -

The French National Agency for the Security of Information Systems (ANSSI) stated that the group, identified as Houken, shares connections with the threat cluster UNC5174, also called Uteus or Uetus, tracked by Google Mandiant. According to ANSSI, the attackers combined the use of unknown software vulnerabilities, a concealed rootkit (a tool that hides the attacker’s presence), and a range of open-source programs mainly developed by Chinese-speaking programmers.

ANSSI reported, “Houken’s attack infrastructure is made up of diverse elements—including commercial VPNs and dedicated servers.” HarfangLab, a French Cybersecurity firm, described a multi-party approach: one party finds software vulnerabilities, a second group uses them for network access, and third parties carry out follow-on attacks. According to ANSSI, “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”

The attackers targeted three specific Ivanti CSA vulnerabilities—CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190. They used different methods to steal credentials and maintain system access, such as installing PHP web shells, modifying existing scripts, or deploying a kernel module rootkit. Tools like the Behinder and NEO-reGeorg web shells, the GOREVERSE backdoor, and the suo5 proxy were observed in use.

The attacks also involved a Linux kernel module called “sysinitd.ko,” which lets attackers hijack all inbound traffic and execute commands with full administrative privileges. Some attackers reportedly patched the same vulnerabilities after exploiting them, likely to stop other groups from using the same systems.

The broader campaign affected organizations throughout Southeast Asia and Western governments, education sectors, NGOs, and media outlets. In some cases, the attackers used access for cryptocurrency mining. French authorities suggested the actors might be a private group selling access and information to various state-linked organizations while conducting their own profit-driven operations.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Prosecutors Weigh Charges Against Dragonfly Over Tornado Cash Ties

U.S. prosecutors are considering charges against Dragonfly Capital over its investment in Tornado Cash’s...

Prosecutors Weigh Charges Against Dragonfly Capital Over Tornado Cash

Prosecutors in New York said they may file criminal charges against employees at Dragonfly...

US, UK Employees Risk Data Leaks Using Chinese GenAI Tools, Study Finds

Employee use of Chinese generative AI tools in the US and UK is widespread...

Chris Larsen Sells $175M XRP, Sparks Centralization Concerns

Chris Larsen, Ripple's co-founder, transferred $175 million in XRP during a recent price rally,...

GENIUS Act Spurs Debate Over Stablecoin Redemption and Run Risks

The U.S. GENIUS Act on stablecoins has raised concerns about the safety and redemption...

Must Read

What Are Anonymous Debit Cards And How Do They Work?

You've heard about anonymous debit cards, but what are they really? Anonymous Debit Cards are cards that let you make purchases without revealing your...