French government affected by Chinese hackers exploiting Ivanti security vulnerabilities.
Three zero-day vulnerabilities were exploited.
At the end of 2024, multiple critical zero-day vulnerabilities were identified in Ivanti Cloud Services Appliance (CSA) devices, which were exploited by state-sponsored threat actors from China. These attacks targeted French government agencies and various commercial entities, such as telecommunications, financial, and transportation companies.
The French National Agency for the Security of Information Systems (ANSSI) confirmed that three specific vulnerabilities, tracked as CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, were used by the attackers to steal access credentials and establish persistence in the systems of the affected organizations. During the intrusions, PHP web shells were deployed, existing scripts on the appliances were modified to incorporate web shell capabilities, and kernel modules that functioned as rootkits were installed.
Investigations attributed these attacks to a group known as Houken, which had previously been observed exploiting vulnerabilities in SAP NetWeaver to deploy variants of a backdoor called GoReShell. According to analysts, this group exhibits similarities to an entity that Google's Mandiant team tracks as UNC5174.
French researchers indicated that, although Houken operators employ zero-day vulnerabilities and a sophisticated rootkit, they also utilize a range of open-source tools predominantly developed by Chinese-speaking programmers. Houken's attack infrastructure consists of various elements, including commercial VPNs and dedicated servers.
Additionally, it has been observed that Houken does not focus solely on Western targets; historically, it has also attacked a wide range of governmental and educational organizations in Southeast Asia, China, Hong Kong, and Macao. Among Western targets, its focus has primarily been on sectors such as government, defense, education, media, and telecommunications.
In the case of France, it is likely that multiple threat actors were involved, with one group acting as an initial access broker and another acquiring that access to seek valuable information and other sensitive data.