- Three zero-day vulnerabilities in Ivanti CSA appliances were exploited to steal credentials
- The group probably sold its access to French government devices
- Researchers attribute the attacks to a Chinese state-sponsored group
At the end of 2024, threat actors sponsored by the Chinese state exploited multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to gain access to French government agencies, as well as numerous commercial entities such as telecommunications, finance and transport organizations.
The news was recently confirmed by the French National Agency for the Security of Information Systems (ANSSI), which stated that the threat actors exploited three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190.
All three were zero-days at the time, and all were used to steal credentials and establish persistence on the targeted endpoints. The attackers reportedly deployed PHP web shells, modified existing PHP scripts to inject web-shell capabilities, and installed kernel modules that served as a rootkit.
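One defensive counterpart to the tampering described above, as an added example that is not from the article or from ANSSI: a small Python integrity check that hashes every PHP script against a known-good baseline and runs a few web-shell heuristics over anything that changed. The directory layout, file names and detection patterns are constructed for illustration and would be tuned per deployment.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for the injected capability described above: code-execution
# primitives fed directly from request data or from an obfuscation decoder.
# Assumption: a starting point to tune per environment, not a complete signature set.
WEBSHELL_PATTERNS = [
    re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
        r"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate|str_rot13)",
        re.IGNORECASE,
    ),
    re.compile(r"\bpreg_replace\s*\(\s*['\"].*?/e['\"]", re.IGNORECASE),
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large scripts need not be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every PHP file under root (POSIX-style relative path) to its SHA-256.
    Capture this from a known-good image before the appliance is exposed."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.php")}


def suspicious_lines(text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every line matching a heuristic."""
    return [
        (n, line.strip())
        for n, line in enumerate(text.splitlines(), start=1)
        if any(p.search(line) for p in WEBSHELL_PATTERNS)
    ]


def scan(root: Path, baseline: dict[str, str]) -> dict:
    """Diff the current tree against the baseline, then run the heuristics over
    anything that changed. 'modified' and 'added' map relpath -> suspicious lines;
    an empty list still means the file changed and deserves a manual look."""
    current = build_baseline(root)
    report = {"modified": {}, "added": {}, "removed": sorted(set(baseline) - set(current))}
    for rel, digest in current.items():
        if rel not in baseline:
            bucket = report["added"]
        elif baseline[rel] != digest:
            bucket = report["modified"]
        else:
            continue
        bucket[rel] = suspicious_lines((root / rel).read_text(errors="replace"))
    return report


def demo() -> dict:
    """Constructed scenario (not real appliance content): two clean scripts are
    baselined, then one is modified with an injected eval and a new script appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php function q($s) { return $s; } ?>\n")
        baseline = build_baseline(root)
        # Simulated tampering: a legitimate script gains an injected line, a new file appears
        with (root / "lib" / "db.php").open("a") as f:
            f.write("<?php @eval(base64_decode($_POST['p'])); ?>\n")
        (root / "cache.php").write_text("<?php system($_GET['c']); ?>\n")
        return scan(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The hash diff is the part that matters: a script modified in place will not match its baseline digest regardless of how the injected code is obfuscated, so the heuristics only prioritise which changed files to read first. Note that a kernel-module rootkit of the kind the article mentions can hide files from a scanner running on the same host, so the baseline comparison is most trustworthy when run against a disk image from outside the appliance.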
Access for sale
The attacks were attributed to a group tracked as Houken which, in the past, actively exploited vulnerabilities in SAP NetWeaver to deploy a variant of the GoReShell backdoor called GoReverse.
According to the researchers, this group shares many similarities with an entity tracked by Google's threat intelligence team as UNC5174.
“While their operators use zero-day vulnerabilities and a sophisticated rootkit, they also take advantage of a wide amount of open source tools mostly created by Chinese-speaking developers,” French researchers said. “Houken’s attack infrastructure is composed of various elements, including commercial VPNs and dedicated servers.”
Houken does not appear to focus exclusively on Western targets. In the past, it was observed targeting a wide range of government and educational organizations in Southeast Asia, China, Hong Kong and Macao.
Among Western targets, it focused mainly on government, defense, education, media and telecommunications.
It is also worth noting that in the French case, multiple threat actors were likely involved, with one group acting as an initial access broker and a separate group buying that access to search for valuable intelligence and other confidential data.
Via The Hacker News