French government hit by Chinese hackers exploiting Ivanti security flaws

News
By published

Three zero-days were exploited

Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
(Image credit: Shutterstock)
  • Three zero-day flaws in Ivanti CSA solutions were abused to grab login credentials
  • The group likely sold the access to French government devices
  • Researchers are attributing the attacks to Chinese state-sponsored miscreants

In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities such as telcos, finance, and transportation organizations.

The news was recently confirmed by the French National Agency for the Security of Information Systems (ANSSI), which noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.

All three were zero-days at the time, and all were used to steal login credentials and establish persistence on target endpoints. Apparently, the miscreants were deploying PHP web shells, modifying existing PHP scripts to inject web shell capabilities, and installing kernel modules that served as a rootkit.

Get 55% off Incogni's Data Removal service with code TECHRADAR

Get 55% off Incogni's Data Removal service with code TECHRADAR

Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.

View Deal

Selling access

The attacks were attributed to a group tracked as Houken which, in the past, was seen actively exploiting vulnerabilities in SAP NetWeaver to drop a variant of GoReShell backdoors called GOREVERSE.

This group, the researchers claim, bears many similarities to an entity tracked by Google’s Mandiant team as UNC5174.

"While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," French researchers said. "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and dedicated servers."

Apparently, Houken isn’t exclusively focused on western targets. In the past, it was observed targeting a wide range of government and education organizations in Southeast Asia, China, Hong Kong, and Macau.

For Western targets, they were mostly focused on government, defense, education, media, and telecommunications.

It is also worth mentioning that in the French case, it is likely that there were multiple threat actors involved, with one group acting as an initial access broker, and a separate group purchasing that access to hunt for valuable intelligence and other sensitive data.

Via The Hacker News

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.