Full Report
French authorities said government agencies and businesses spanning telecom, media, finance and transportation were impacted by the widely exploited Ivanti vulnerabilities. The post China-linked attacker hit France’s critical infrastructure via trio of Ivanti zero-days last year appeared first on CyberScoop.
Analysis Summary
# Incident Report: Exploitation of Ivanti Zero-Days Against French Critical Infrastructure
## Executive Summary
Between September and November 2024, multiple French critical infrastructure sectors, including government agencies, telecommunications, media, finance, and transportation, were compromised by a China-linked advanced threat actor identified as UNC5174 (using the "Houken" intrusion set). The attack leveraged a trio of zero-day vulnerabilities in Ivanti Cloud Service Appliance devices for initial access, leading to persistent compromise, credential theft, and the suspected goal of intelligence gathering for a state-linked actor. French authorities released a report detailing the attack after observing the systematic exploitation of these vulnerabilities.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the cybersecurity agency report was released "Tuesday" (around July 3, 2025), detailing exploitation from September to November 2024.
- **Incident Date:** Early September to late November 2024.
- **Affected Organization:** Government agencies and private companies across French critical infrastructure (telecom, media, finance, transportation).
- **Sector:** Critical Infrastructure (Government, Telecom, Media, Finance, Transportation).
- **Geography:** France.
## Timeline of Events
### Initial Access
- **Date/Time:** Early September 2024.
- **Vector:** Exploitation of three zero-day vulnerabilities in Ivanti Cloud Service Appliance devices: CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380.
- **Details:** Attackers chained these zero-days to gain initial access to victim networks.
### Lateral Movement
- **Details:** The group utilized an intrusion set dubbed "Houken," which employed a sophisticated rootkit, open-source tools (like VShell and WebSockets), commercial VPNs, and dedicated servers to establish persistence and potentially move within the compromised networks.
### Data Exfiltration/Impact
- **Details:** The primary objective, according to French authorities, was likely seeking valuable initial accesses to sell to a state-linked actor, suggesting the goal was **insightful intelligence gathering**. Credential theft was also a key component of the actor's established playbook.
### Detection & Response
- **How it was discovered:** French national cybersecurity agency (ANSSI) conducted analysis leading to a report. CISA had previously issued an advisory in January (2025) warning about the chaining of these Ivanti zero-days.
- **Response actions taken:** (Specific details on French response are limited in the text, but follow the standard pattern of patching/remediation for Ivanti vulnerabilities, as implied by industry standard response and CISA advisories).
## Attack Methodology
- **Initial Access:** Chaining of three Ivanti zero-days (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380).
- **Persistence:** Deployment of a sophisticated rootkit and mechanisms to achieve persistent access.
- **Privilege Escalation:** Implied, as securing persistent access and stealing credentials are standard steps following initial zero-day exploitation.
- **Defense Evasion:** Use of open-source offensive security tools (VShell, WebSockets) to blend in with common cybercriminal activity.
- **Credential Access:** Explicitly mentioned as part of the threat actor's objectives.
- **Discovery:** Use of open-source tools and dedicated infrastructure to map the network.
- **Lateral Movement:** Use of dedicated servers and commercial VPNs alongside the custom intrusion set "Houken."
- **Collection:** Focused on gathering valuable initial access information likely for intelligence purposes.
- **Exfiltration:** Implied intelligence gathering/data theft for sale to state-linked actors.
- **Impact:** Compromise of critical infrastructure integrity and confidentiality, likely leading to espionage.
## Impact Assessment
- **Financial:** Not reported.
- **Data Breach:** Focus was on gaining access for intelligence selling, suggesting sensitive network information and credentials were the target.
- **Operational:** Organizations across telecom, media, finance, and transportation were impacted, suggesting broad potential disruption capability.
- **Reputational:** Negative exposure for Ivanti (a "repeat offender") and the compromised French organizations.
## Indicators of Compromise
- **Network indicators:** Use of commercial VPNs and dedicated servers (specific IPs/domains not provided).
- **File indicators:** Deployment of a sophisticated rootkit and use of tools like VShell and WebSockets.
- **Behavioral indicators:** Chaining of three Ivanti zero-days; activity attributed to actor UNC5174 / intrusion set "Houken."
## Response Actions
- **Containment Measures:** (Inferred) Immediate segmentation/isolation of affected Ivanti Cloud Service Appliances and other compromised network segments.
- **Eradication Steps:** (Inferred) Removal of the custom rootkit and all attacker-implanted webshells/backdoors.
- **Recovery Actions:** (Inferred) Patching all Ivanti devices immediately upon public disclosure of the vulnerabilities (post-exploitation) and resetting compromised credentials.
## Lessons Learned
- **Key takeaways:** Edge devices (like Ivanti appliances) remain a prime target, especially when new, unknown vulnerabilities (zero-days) are present. China-linked (UNC5174) actors are actively utilizing sophisticated, multi-layered intrusion sets ("Houken") to penetrate critical infrastructure, often setting up access for subsequent state-sponsored use.
- **What could have been done better:** Proactive vulnerability management and aggressive patching cycles for third-party edge devices are crucial, especially given Ivanti's history of critical flaws.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately audit and patch all Ivanti (and other edge network vendors) devices against known vulnerabilities.
2. Implement robust network segmentation to limit the effectiveness of lateral movement once initial access is achieved via an appliance.
3. Enhance monitoring for unusual outbound connections, commercial VPN usage, or deployment of unexpected binaries (like rootkits or open-source security tools) on critical assets.
4. Review third-party risk associated with vendors known to ship vulnerable software frequently (e.g., Ivanti).