Full Report
An ANSSI report details the Houken intrusion set, linked to the Chinese actor UNC5174, which exploited Ivanti zero-days (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) against the French government, defence and finance sectors.
Analysis Summary
# Threat Actor: Houken (UNC5174)
## Attribution & Identity
**Attribution:** China-linked.
**Associated Groups/Aliases:** Overlaps with the Chinese intrusion set UNC5174.
## Activity Summary
The actor conducted intrusions against French systems by exploiting zero-day vulnerabilities in Ivanti products, that is, flaws exploited before a vendor patch was available.
## Tactics, Techniques & Procedures
- Exploitation of three Ivanti Cloud Services Appliance (CSA) zero-days: CVE-2024-8190 (OS command injection), CVE-2024-8963 (path traversal giving access to restricted functionality) and CVE-2024-9380 (OS command injection).
- All TTPs listed here are taken from the ANSSI report describing the campaign; this summary adds none beyond it.
## Targeting
- **Sectors:** French government, defense, and finance sectors.
- **Geography:** France.
- **Victims:** Organisations in those sectors running vulnerable Ivanti appliances.
## Tools & Infrastructure
- **Malware families used:** Not detailed in this summary; the reported activity centres on exploitation of the Ivanti zero-days.
- **Infrastructure (C2, domains, IPs):** Not provided in the summary text; refer to the ANSSI report.
## Implications
The targeting of critical French sectors (government, defence, finance) with zero-day exploits against widely deployed edge appliances (Ivanti) points to a well-resourced, state-sponsored espionage or disruption mission. Because the flaws were exploited before patches existed, any exposed appliance may have been compromised before the vendor fix was applied.
## Mitigations
- Patch affected Ivanti appliances immediately, or apply the vendor's interim mitigations where patching is not yet possible, for CVE-2024-8190, CVE-2024-8963 and CVE-2024-9380.
- Monitor Ivanti appliances for anomalous activity, both inbound (requests to the appliance) and outbound (connections originating from it), using the indicators and detection guidance in the ANSSI report.
- Treat patching as insufficient on its own: an appliance that was internet-facing during the exploitation window should be hunted retroactively, since the zero-days may have been used against it before a fix was available.
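The monitoring bullet above is deliberately general. As an added illustration of what such monitoring looks like in practice (this is example code, not from the ANSSI report or from Ivanti), the script below runs three generic detections over appliance logs that match the post-exploitation shape of command-injection and path-traversal bugs on a web-facing device: a web-tier service account spawning a shell or download tool, a dot-dot segment in a request path (raw or percent-encoded), and an administrative path reached from outside an allowlist. The log line formats, the `/admin/` path prefix, the service-account names, the allowlist and the sample log lines are all assumptions constructed for the example.

```python
"""Log triage for an internet-facing appliance (added example, not from the
ANSSI report). Three generic detections that cover the post-exploitation
shape of command-injection and path-traversal bugs. Log formats, path
prefix, user names, allowlist and sample lines are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Assumption: administration is only legitimate from this internal range.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: hypothetical admin path prefix on the appliance.
ADMIN_PREFIX = "/admin/"
# Assumption: accounts the appliance web tier runs as; none should run a shell.
WEB_USERS = {"nobody", "www-data", "apache"}
SHELL_LIKE = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget"}

# Constructed line formats:
#   access: <client-ip> <method> <path> <status>
#   exec:   exec user=<account> comm=<binary> args=<argv tail>
ACCESS_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
EXEC_RE = re.compile(r"^exec user=(?P<user>\S+) comm=(?P<comm>\S+) args=(?P<args>.*)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def has_traversal(path: str) -> bool:
    """True if the path contains a dot-dot segment, raw or percent-encoded
    (decoded twice so double-encoded %252e%252e is also caught)."""
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded


def ip_allowed(ip: str) -> bool:
    """True only if the client address parses and falls in the allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable client field is itself suspicious
    return any(addr in net for net in ADMIN_ALLOWLIST)


def triage(lines):
    """Return one Finding per rule hit, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            path = m.group("path")
            if has_traversal(path):
                findings.append(Finding("path-traversal", line))
            if path.startswith(ADMIN_PREFIX) and not ip_allowed(m.group("ip")):
                findings.append(Finding("admin-from-outside-allowlist", line))
            continue
        m = EXEC_RE.match(line)
        if m and m.group("user") in WEB_USERS and m.group("comm") in SHELL_LIKE:
            findings.append(Finding("web-user-spawned-shell", line))
    return findings


# Constructed sample log: four benign lines and three that should fire.
SAMPLE_LOG = """\
10.1.2.3 GET /portal/login 200
10.1.2.3 POST /admin/settings 200
203.0.113.7 GET /portal/login 200
203.0.113.7 GET /portal/%2e%2e/%2e%2e/etc/passwd 200
203.0.113.7 POST /admin/settings 302
exec user=nobody comm=sh args=-c id
exec user=root comm=cron args=-f
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:30} {f.line}")
```

Running the script prints the three hits from the sample log. In a real deployment the allowlist, admin prefix and service-account names would be replaced with the appliance's actual values, and the exec events would come from an EDR or audit subsystem rather than a constructed text format; the point is that a web-tier account executing `sh` or `curl` on an edge appliance is rarely legitimate and is worth an alert regardless of which CVE produced it.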