Recently, a Chinese hacking group exploited multiple zero-day vulnerabilities in Ivanti’s Connect Secure Appliance (CSA) to target sensitive organizations in France. This includes the French government, telecom providers, and companies from sectors like transport, finance, and media. The hacking campaign was discovered in September 2024 and has been linked to a threat group known as “Houken,” also referred to by Mandiant as UNC5174.

The attack involved three serious vulnerabilities in Ivanti CSA, now tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. At the time of exploitation, none of these flaws had any public patches available. This allowed the attackers to gain remote access to systems without being detected.

According to France’s national cybersecurity agency ANSSI, these attackers didn’t just focus on France. The same group has also been seen targeting government agencies in Southeast Asia, NGOs in Hong Kong and Macau, and various Western institutions. It appears this campaign was not only widespread but also highly strategic.

Once the hackers found a way into the Ivanti CSA systems, they dropped PHP-based web shells to gain control over the device. These web shells allowed them to maintain remote access, run commands, and extract data. In more advanced stages of the attack, they used a Linux kernel-mode rootkit named sysinitd.ko along with a companion backdoor called sysinitd. This gave them deep, stealthy control over the systems by hiding their activities, hijacking TCP traffic, and making it extremely hard to detect their presence.


One interesting and concerning tactic was that the hackers patched the vulnerabilities themselves, after using them, to prevent other attackers or security teams from exploiting or even noticing the flaw. This shows how professional and precise the attackers were in their methods.

The tools used in this campaign were a mix of open-source and custom software. Some of the known tools include Behinder, neo-reGeorg, GOREVERSE, and a tunneling tool called 3proxy. For hiding their real locations, they also used popular VPN services like NordVPN and ExpressVPN.

It is believed that Houken operates as an initial-access broker. This means they break into systems first and then either use that access themselves or sell it to other state-sponsored groups. There have already been reports of stolen emails from a South American government ministry and even some cryptomining activity on other compromised systems.

The worst part is that these attacks happened before Ivanti released any official patches. This highlights a bigger problem in cybersecurity: when security devices like Ivanti CSA are exposed to the internet, and flaws go unnoticed or unpatched, they become easy targets for advanced attackers.

Right now, Ivanti has addressed these issues with updates and security patches. Organizations still using affected versions should update their systems immediately. If your company is running Ivanti CSA, it’s important to not only apply the latest patches but also check for signs of compromise. One way to do this is to scan the system for web shells or the “sysinitd” rootkit. Also, monitor network traffic and system logs for any suspicious behavior.
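The two host-side checks mentioned above, as an added example that is not part of the original article or of any Ivanti tooling: it looks for a loaded kernel module named sysinitd (the rootkit name given in the article) and for PHP files whose source passes attacker-controlled request data into a code- or command-execution function. The web root path and the keyword heuristic are assumptions, not Ivanti-specific facts.

```python
"""Host triage helper (added example). Checks two indicators the article names:
a loaded 'sysinitd' kernel module and PHP web shells under a web root."""
import re
from pathlib import Path

# Module name taken from the article (sysinitd.ko). Analysts may add others.
SUSPECT_MODULES = {"sysinitd"}

# Heuristic (an assumption): an execution primitive whose argument starts with
# base64_decode(...) or a request superglobal. Tuned for low noise, not recall.
WEBSHELL_PATTERN = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
    r"(base64_decode\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b)",
    re.IGNORECASE,
)


def suspicious_modules(proc_modules_text: str) -> list[str]:
    """Return loaded module names from /proc/modules content that are suspect.

    /proc/modules lists one module per line, name first, whitespace separated."""
    found = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] in SUSPECT_MODULES:
            found.append(fields[0])
    return found


def scan_php_source(source: str) -> bool:
    """True if the PHP source matches the web-shell heuristic."""
    return WEBSHELL_PATTERN.search(source) is not None


def scan_webroot(webroot: Path) -> list[Path]:
    """Recursively scan a web root for PHP files matching the heuristic."""
    hits = []
    for path in webroot.rglob("*.php"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file; skip rather than abort the sweep
        if scan_php_source(text):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Assumed paths; adjust to the appliance being triaged.
    mods = suspicious_modules(Path("/proc/modules").read_text())
    shells = scan_webroot(Path("/var/www"))
    for m in mods:
        print(f"[!] suspicious kernel module loaded: {m}")
    for p in shells:
        print(f"[!] possible web shell: {p}")
```

A hit from either check warrants a full forensic review of the appliance, since a kernel rootkit can hide files and processes from tools run on the same host.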

Experts recommend limiting internet exposure for critical infrastructure whenever possible. Devices like CSA, which handle sensitive data, should always be behind proper segmentation, firewalls, and multi-layered security.

Although there are no confirmed reports of these attacks in the wild after the patches were released, the risk remains high. The fact that highly skilled hackers were able to exploit zero-day flaws before anyone knew about them shows how quickly threat actors are evolving.

In summary, this was a well-planned cyber-espionage campaign by a Chinese group using Ivanti zero-day flaws. The campaign targeted not only France but also a range of global organizations. If you use Ivanti CSA, patch now and check your systems for signs of compromise. These kinds of attacks remind us how critical it is to stay ahead in cybersecurity.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news