A sophisticated China-linked threat actor successfully exploited a trio of zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices last year to breach numerous French organizations, including government agencies and entities within critical sectors such as telecommunications, media, finance, and transport. This revelation comes from a detailed report released by the French National Agency for the Security of Information Systems (ANSSI).
The campaign, detected in early September 2024 and continuing through November, leveraged previously unknown flaws in Ivanti CSA products: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. These vulnerabilities, exploited as “zero-days” before Ivanti could issue patches, allowed the attackers to gain initial access, execute remote code, steal credentials, and establish persistent footholds within victim networks.
ANSSI has attributed this malicious activity to an intrusion set it tracks as “Houken,” noting significant overlaps with “UNC5174” (also known as Uteus or Uetus), a threat cluster previously monitored by Google Mandiant. While the operators behind Houken demonstrated a high level of sophistication, employing a custom kernel-mode rootkit, they also utilized a range of open-source tools, many of which are commonly used by Chinese-speaking developers.
The French agency suggests that Houken may function as an initial access broker, compromising networks and then selling access to other state-linked or financially motivated actors. Evidence collected by ANSSI indicates not only intelligence gathering but also, in at least one instance, the deployment of cryptocurrency miners, blurring the lines between state-sponsored espionage and profit-driven cybercrime.
Beyond France, ANSSI’s investigation revealed that the threat actor’s targeting extended to governmental and educational sectors in Southeast Asia, non-governmental organizations in mainland China, Hong Kong, and Macau, as well as Western media, defense, and telecommunication institutions. A peculiar aspect of the attacks was the observed attempt by the attackers to “self-patch” the exploited Ivanti vulnerabilities after gaining access, likely to prevent other threat actors from exploiting the same flaws.
The incident underscores the persistent and evolving threat posed by advanced persistent threat (APT) groups leveraging zero-day vulnerabilities in widely used network devices. Cybersecurity authorities continue to urge organizations to prioritize timely patching and implement robust security measures to detect and respond to sophisticated intrusions. Ivanti has since released patches for the identified vulnerabilities and has advised customers to upgrade to the latest versions of their CSA products.