Chinese-linked Houken targets France in Ivanti zero-day exploit campaign.

A Chinese-linked hacking group, dubbed “Houken,” has been identified as the orchestrator of a sophisticated cyberattack campaign targeting French organizations by exploiting multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices. The campaign was first detected by France’s national cybersecurity agency, ANSSI, in September 2024, though evidence suggests it may have started as early as 2023.

Key details of the campaign

The attackers leveraged three high- to critical-severity zero-day vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—in Ivanti CSA devices, enabling remote code execution on targeted systems. The campaign affected a broad range of French sectors, including government, telecommunications, media, finance, and transport. Houken combined advanced tactics—such as the deployment of a previously unseen Linux rootkit—with publicly available offensive tools, many of them authored by Chinese-speaking developers.

Techniques used in the attack

• Chaining zero-day exploits to gain initial access
• Deploying PHP webshells (e.g., /rc/help.php, /gsb/hsh.php)
• Using proxy tunnel tools like “OutlookEN.aspx” on Microsoft Exchange servers
• Modifying legitimate PHP scripts to introduce backdoors
• Harvesting credentials via base64-encoded Python scripts
• Installing a rootkit (sysinitd.ko and sysinitd) in some cases, especially in the defense sector, to hijack TCP traffic and enable persistent remote command execution with root privileges.
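A host-side check for the indicators listed above, written as an added defender's example rather than anything from the ANSSI report: it looks for the two webshell paths, compares the appliance's PHP scripts against a known-good hash baseline to catch modified scripts, and scans `lsmod` output for the rootkit module. The baseline dictionary and the web root layout are assumptions; `demo()` builds a constructed sample tree to show the output.

```python
import hashlib
import os
import tempfile

# Indicators named in the report summary (paths relative to the PHP web root).
WEBSHELL_PATHS = ("rc/help.php", "gsb/hsh.php")
ROOTKIT_MODULE = "sysinitd"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt(webroot, baseline, lsmod_output):
    """Return sorted findings. baseline maps relative PHP path -> sha256 of the
    known-good file (assumed to come from a clean install of the same version)."""
    findings = []
    for rel in WEBSHELL_PATHS:
        if os.path.exists(os.path.join(webroot, rel)):
            findings.append(f"webshell path present: {rel}")
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if rel in WEBSHELL_PATHS:
                continue  # already reported above
            if rel not in baseline:
                findings.append(f"unexpected PHP file: {rel}")
            elif baseline[rel] != sha256_of(full):
                findings.append(f"modified PHP script: {rel}")
    for line in lsmod_output.splitlines():
        if line.split()[:1] == [ROOTKIT_MODULE]:
            findings.append(f"kernel module loaded: {ROOTKIT_MODULE}")
    return sorted(findings)

def demo():
    """Constructed sample: one legitimate script, then the indicators planted."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "rc"))
    legit = os.path.join(root, "rc", "index.php")
    with open(legit, "w") as f:
        f.write("<?php echo 'ok'; ?>\n")
    baseline = {"rc/index.php": sha256_of(legit)}  # hash taken before tampering
    with open(os.path.join(root, "rc", "help.php"), "w") as f:
        f.write("<?php /* constructed placeholder, not a real webshell */ ?>\n")
    with open(legit, "a") as f:
        f.write("<?php /* constructed marker simulating a backdoored script */ ?>\n")
    lsmod = "Module  Size  Used by\nsysinitd  16384  0\nxt_tcpudp  16384  2\n"
    return hunt(root, baseline, lsmod)
```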

Attribution of the campaign

ANSSI assesses that Houken is operated by the same threat actor as UNC5174, previously described by Google Threat Intelligence Group and believed to be an initial access broker for China’s Ministry of State Security (MSS).

The campaign appears to focus on gaining initial access, which is then sold to state-linked actors seeking intelligence, indicating a broker model rather than direct espionage in all cases.

Impact and Response

The campaign resulted in successful intrusions, lateral movement within networks, credential harvesting, and the establishment of persistent backdoors across multiple critical sectors in France.