- Three zero-day vulnerabilities in Ivanti CSA appliances were abused to steal login credentials
- The group probably sold access to French government entities
- Researchers attribute the attacks to Chinese state-sponsored threat actors
At the end of 2024, Chinese state-sponsored threat actors abused several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to gain access to French government entities, as well as several commercial organizations in the telecommunications, finance and transport sectors.
The news was recently confirmed by the French National Agency for the Security of Information Systems (ANSSI), which observed threat actors abusing three security vulnerabilities in Ivanti CSA appliances: CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190.
All three were zero-days at the time, and all were used to steal login credentials and establish persistence on the targeted systems. The miscreants apparently deployed PHP web shells, modified existing PHP scripts to inject web shell capabilities, and installed kernel modules that served as a rootkit.
Selling access
The attacks were attributed to a group tracked as Houken, which had previously been seen actively exploiting vulnerabilities in SAP NetWeaver to drop a variant of the GoReShell backdoor called GoReverse.
This group, the researchers claim, bears many similarities to a cluster tracked by Google’s Mandiant team as UNC5174.
“While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also utilize a wide number of open source tools mostly designed by Chinese-speaking developers,” French researchers said. “Houken’s attack infrastructure consists of various elements – including commercial VPNs and dedicated servers.”
Houken is apparently not focused exclusively on Western targets. It has previously been observed targeting a large number of government and education organizations in Southeast Asia, China, Hong Kong and Macau.
Among Western targets, it has mostly focused on government, defense, education, media and telecommunications.
It is also worth mentioning that in the French case several threat actors were likely involved: one group acting as an initial access broker, and a separate group buying that access to hunt for valuable intelligence and other sensitive data.
Via The Hacker News