Full Report
France's cybersecurity agency ANSSI uncovered last September a campaign exploiting multiple zero-day flaws in Ivanti Cloud Service Appliance... (Source: Industrial Cyber, "China-linked Houken attacker hit France's critical infrastructure through Ivanti zero-day flaws".)
Analysis Summary
# Incident Report: Houken Campaign Exploits Ivanti Zero-Days Against French Critical Sectors
## Executive Summary
In September 2024, French cybersecurity agency ANSSI uncovered the 'Houken' intrusion set exploiting three zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) in Ivanti Cloud Service Appliance (CSA) devices to gain initial access to critical French networks. The campaign combined sophisticated techniques, including a previously unseen rootkit, with common open-source tools, and targeted the government, telecom, media, finance, and transport sectors. ANSSI's response involved forensic support and remediation, highlighting the risk associated with end-of-life (EOL) devices and the sophistication of the likely state-linked threat actor.
## Incident Details
- Discovery Date: September 2024
- Incident Date: Beginning September 2024 (Most recent activity noted end of November 2024)
- Affected Organization: French Networks (Government, Telecom, Media, Finance, Transport sectors)
- Sector: Critical Infrastructure (Government, Telecom, Media, Finance, Transport)
- Geography: France
## Timeline of Events
### Initial Access
- Date/Time: Beginning of September 2024
- Vector: Exploitation of zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices (Version 4.6x before build 519; older versions also vulnerable).
- Details: Attackers chained vulnerabilities (e.g., CVE-2024-8963 combined with CVE-2024-8190 and CVE-2024-9380, or with CVE-2024-9379) to achieve Remote Code Execution (RCE). Immediately after gaining RCE, they ran a base64-encoded Python script to obtain credentials.
### Lateral Movement
- Details: In three observed cases, after gaining a foothold via the Ivanti CSA, the attacker performed reconnaissance and moved laterally into internal information systems. This movement led to the collection of additional credentials and the establishment of further persistence mechanisms.
### Data Exfiltration/Impact
- Data Exfiltration: ANSSI observed one case of data exfiltration.
- Other Impact: Observed interest in deploying cryptominers, indicating opportunistic profit objectives alongside initial access brokering. One incident in the French defense sector involved the deployment of a sophisticated rootkit.
### Detection & Response
- Detection: Detected by ANSSI through monitoring campaigns targeting French entities linked to the Houken profile.
- Response Actions: ANSSI provided significant support to affected entities, assisting in forensic analysis and corrective actions. Affected credentials and data on appliances were assumed compromised.
## Attack Methodology
- Initial Access: Chaining of zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380, CVE-2024-9379) in Ivanti CSA for RCE.
- Persistence: Deployment/creation of PHP webshells, modification of existing PHP scripts for webshell capabilities, and installation of a kernel module acting as a rootkit.
- Privilege Escalation: The use of a sophisticated rootkit (kernel module) allowed for remote command execution with root privileges by hijacking inbound TCP traffic.
- Defense Evasion: The attackers attempted to self-patch the compromised appliances by removing the vulnerable web resources, potentially to prevent other actors from exploiting the same weaknesses. The use of a custom, previously unobserved rootkit in one defense sector incident also served as a sophisticated evasion technique.
- Credential Access: Execution of a Python script immediately post-initial access aimed at obtaining credentials. Further credential collection occurred during lateral movement.
- Discovery: Reconnaissance activities were observed after initial compromise.
- Lateral Movement: Moving from the compromised appliance to internal information systems using standard internal techniques.
- Collection: Gathering additional credentials post-lateral movement.
- Exfiltration: Observed in at least one instance.
- Impact: Establishing persistence, data theft, credential compromise, and potential cryptomining deployment.
## Impact Assessment
- Financial: Not specified, but likely involved remediation and investigation costs. Interest in cryptomining implies direct profit motives.
- Data Breach: Credentials were confirmed stolen/targeted. Data exfiltration occurred in one observed case.
- Operational: Lateral movement into internal information systems suggests potential disruption to operations, particularly in critical infrastructure sectors.
- Reputational: Attacks against government and critical infrastructure sectors inherently carry high reputational risks for the victims and national security implications.
## Indicators of Compromise
- Network Indicators: Infrastructure utilized commercial VPNs, dedicated servers, cloud service providers, and anonymization services (Specific IPs defanged).
- File Indicators: Python scripts (base64 encoded), PHP webshells (open-source and handcrafted), kernel module rootkit (sysinitd.ko).
- Behavioral Indicators: Exploitation of specific Ivanti CSA vulnerabilities, deployment of rootkits, opportunistic cryptomining activity, and an operational timezone aligned with UTC+8 (China Standard Time, CST).
## Response Actions
- Containment: Focus on isolating compromised Ivanti CSA appliances and investigating lateral movement paths.
- Eradication: Removal of webshells, kernel modules, and rootkits; assumed compromise of credentials required comprehensive resetting.
- Recovery: Affected entities conducted forensic analysis and applied necessary corrective actions as advised by ANSSI, CISA, and the FBI (e.g., upgrading Ivanti CSA instances).
## Lessons Learned
- EOL Software Risk: Exploitation focused on Ivanti CSA version 4.6x, which was end-of-life and no longer receiving patches, demonstrating a critical risk in maintaining legacy infrastructure.
- Threat Actor Characteristics: The actor ('Houken,' potentially linked to UNC5174) displayed a mixed level of sophistication, using zero-days and an advanced rootkit alongside generic open-source tools.
- Access Brokering: The suspected primary goal was securing initial access for sale to state-linked actors or profit-driven operations.
## Recommendations
- Immediately upgrade all Ivanti CSA devices to supported, patched versions. Treat credentials stored on any end-of-life appliance as compromised.
- Enhance network monitoring to detect the use of common open-source webshells and kernel module activity, especially on internet-facing edge devices.
- Conduct proactive threat hunting specifically looking for the behaviors associated with the Houken/UNC5174 intrusion set, focusing on post-exploitation activity like rootkit deployment.
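The two persistence artefacts this report names (a kernel-module rootkit shipped as sysinitd.ko, and PHP webshells either dropped or grafted onto existing scripts) both leave host-side traces that a hunt can check for. The following Python is an added example written for this summary; it is not ANSSI's, CISA's or Ivanti's tooling. It assumes a Linux-style /proc/modules listing and a module allowlist built from a known-good appliance (both constructed here), and applies a conservative heuristic to PHP source: a file is flagged only when it combines a code/command-execution primitive with attacker-controlled request input.

```python
"""Host-side hunt for the persistence artefacts named in the Houken report:
an unexpected or known-bad kernel module, and PHP files carrying webshell-style
execution primitives. All inputs below are constructed for this example."""
import re

# Constructed /proc/modules-style listing (name, size, refcount, users, state, address).
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
sysinitd 20480 0 - Live 0x0000000000000000
e1000 167936 0 - Live 0x0000000000000000
"""

# Allowlist of modules expected on this appliance build. This set is an
# assumption for the example; in practice derive it from a known-good host.
EXPECTED_MODULES = {"xt_conntrack", "nf_conntrack", "e1000"}

# Module name from the report's file indicator (sysinitd.ko loads as "sysinitd").
KNOWN_BAD_MODULES = {"sysinitd"}


def parse_proc_modules(text):
    """Return the loaded module names from /proc/modules text, in listing order."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.append(fields[0])
    return names


def find_suspicious_modules(text, expected=EXPECTED_MODULES, known_bad=KNOWN_BAD_MODULES):
    """Split loaded modules into known-bad names and names absent from the allowlist."""
    loaded = parse_proc_modules(text)
    return {
        "known_bad": sorted(m for m in loaded if m in known_bad),
        "unexpected": sorted(m for m in loaded if m not in expected and m not in known_bad),
    }


# Constructed PHP samples: a benign page and a minimal webshell-style file.
BENIGN_PHP = "<?php echo htmlspecialchars($_GET['name']); ?>"
WEBSHELL_PHP = "<?php @eval(base64_decode($_POST['c'])); ?>"

# PHP function names are case-insensitive, hence re.I on the call patterns.
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def php_webshell_indicators(src):
    """List which indicator classes appear in a PHP source string."""
    hits = []
    if DANGEROUS_CALLS.search(src):
        hits.append("dangerous_call")
    if USER_INPUT.search(src):
        hits.append("user_input")
    if OBFUSCATION.search(src):
        hits.append("obfuscation")
    return hits


def looks_like_webshell(src):
    """Flag only when execution primitive and request-controlled input co-occur,
    so ordinary pages that merely read $_GET are not reported."""
    hits = php_webshell_indicators(src)
    return "dangerous_call" in hits and "user_input" in hits


if __name__ == "__main__":
    print("modules:", find_suspicious_modules(SAMPLE_PROC_MODULES))
    for label, src in (("benign", BENIGN_PHP), ("webshell", WEBSHELL_PHP)):
        print(label, php_webshell_indicators(src), looks_like_webshell(src))
```

On a live appliance, feed `find_suspicious_modules` the contents of /proc/modules and walk the web root with `looks_like_webshell`. Because the report notes that existing PHP scripts were modified to add webshell capability, pair the content heuristic with a hash comparison against a clean install of the same CSA build: a vendor file whose hash has changed deserves review even when the heuristic stays quiet.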