- Three zero-day flaws in Ivanti CSA solutions were abused to grab login credentials
- The group likely sold the access to French government devices
- Researchers are attributing the attacks to Chinese state-sponsored miscreants
In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities in sectors such as telecommunications, finance, and transportation.
The news was recently confirmed by the French National Agency for the Security of Information Systems (ANSSI), which noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
All three were zero-days at the time, and all were used to steal login credentials and establish persistence on target endpoints. Apparently, the miscreants were deploying PHP web shells, modifying existing PHP scripts to inject web shell capabilities, and installing kernel modules that served as a rootkit.
Selling access
The attacks were attributed to a group tracked as Houken which, in the past, was seen actively exploiting vulnerabilities in SAP NetWeaver to drop a variant of GoReShell backdoors called GOREVERSE.
This group, the researchers claim, bears many similarities to an entity tracked by Google’s Mandiant team as UNC5174.
“While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers,” French researchers said. “Houken’s attack infrastructure is made up of diverse elements — including commercial VPNs and dedicated servers.”
Apparently, Houken isn’t exclusively focused on western targets. In the past, it was observed targeting a wide range of government and education organizations in Southeast Asia, China, Hong Kong, and Macau.
For Western targets, they were mostly focused on government, defense, education, media, and telecommunications.
It is also worth noting that in the French case, multiple threat actors were likely involved: one group acting as an initial access broker, and a separate group purchasing that access to hunt for valuable intelligence and other sensitive data.
Via The Hacker News