# Incident Report: Ivanti CSA Zero-Day Exploitation by UNC5174 (Houken)
## Executive Summary
Threat actors attributed to UNC5174 exploited chained zero-day vulnerabilities in Ivanti Connect Secure Appliances (CSA) to gain initial access. The attacker exploited the vulnerability to execute a Python script that harvested PostgreSQL administrative credentials, leading to the deployment of webshells, a custom Linux rootkit (`sysinitd.ko`), and lateral movement, ultimately resulting in data exfiltration (including Ministry of Foreign Affairs email data) and cryptomining activity.
## Incident Details
- Discovery Date: Not Explicitly Stated (Implied context from reporting date)
- Incident Date: Prior to July 3, 2025 (Reporting Date)
- Affected Organization: A Ministry of Foreign Affairs (located in South America), plus other Ivanti CSA users.
- Sector: Government/Diplomatic, Various (Implied due to broad targeting)
- Geography: South America (Specific data exfiltration noted), Global (VPN/VPS usage)
## Timeline of Events
### Initial Access
- Date/Time: Pre-July 3, 2025
- Vector: Chained Zero-Day Vulnerabilities in Ivanti CSA.
- Details: Attacker successfully exploited two Ivanti CSA zero-days to execute a base64-encoded Python script.
### Lateral Movement
- Date/Time: Post-Initial Access
- Vector: Exploitation of accessible services/internal reconnaissance.
- Details: Attackers moved laterally, observed targeting F5 BIG-IP instances.
### Data Exfiltration/Impact
- Date/Time: During compromise period
- Vector: Webshells and compromised credentials.
- Details: Email data was exfiltrated from a Ministry of Foreign Affairs mailbox server. Cryptomining activities (Monero) were also deployed.
### Detection & Response
- Date/Time: Prior to July 3, 2025
- Vector: External security research/reporting (Publication Date).
- Details: The campaign was publicly documented by ANSSI, indicating external detection and analysis. Response actions inferred include system patching and forensic investigation (not explicitly detailed in the provided text).
## Attack Methodology
- Initial Access: Vulnerability Exploitation (Chained Ivanti CSA 0-days).
- Persistence: Creation/modification of PHP webshells; deployment of a custom Linux rootkit (`sysinitd.ko`) for remote root access; establishment of persistent reverse shells (GOREVERSE).
- Privilege Escalation: Successfully extracted PostgreSQL admin password, leading to elevated access.
- Defense Evasion: Use of anonymized infrastructure (VPNs, VPS hosts); self-patching of exploited systems to disrupt rival actors.
- Credential Access: Extraction of the admin password from a local PostgreSQL database via initial script execution.
- Discovery: Standard network lateral movement (e.g., to F5 BIG-IP) and credential harvesting likely occurred.
- Lateral Movement: Targeting of internal infrastructure components like F5 BIG-IP.
- Collection: Harvesting of email data from a Ministry of Foreign Affairs (MFA) mailbox server.
- Exfiltration: Data theft, alongside deployment of cryptomining infrastructure.
- Impact: Resource hijacking (cryptomining) and data exfiltration (Ministry of Foreign Affairs email data).
## Impact Assessment
- Financial: Consumption of organizational resources via Cryptomining activity.
- Data Breach: Email data exfiltration from a Ministry of Foreign Affairs mailbox server.
- Operational: Potential service disruption due to webshells, rootkit installation, and resource hijacking.
- Reputational: High, targeting diplomatic entities.
## Indicators of Compromise
- Network indicators: Anonymized infrastructure utilizing **NordVPN**, **ExpressVPN**, **Proton VPN**; VPS hosts including **HOSTHATCH**, **ColoCrossing**, and **JVPS**. Reused IPs across incidents.
- File indicators: Python script (base64-encoded), PHP webshells (modified/created), Custom Linux rootkit (`sysinitd.ko`).
- Behavioral indicators: Dynamic `eval` code injection via `php.ini` modification, TCP hijacking, reverse shell activity (GOREVERSE), proxy usage (Neo-reGeorg, suo5), alignment with China Standard Time (UTC+8).
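As an added defender-side triage example (not code from the page or from ANSSI), the following Python checks two constructed host snapshots for the behavioural indicators listed above: a loaded `sysinitd` kernel module (and, more generally, any out-of-tree or unsigned module according to the `/proc/modules` taint flags) and `php.ini` directives that make PHP load extra code on every request. The directive names (`auto_prepend_file`, `auto_append_file`) are an assumption about how eval injection via `php.ini` is typically wired in; the report itself does not name the directive.

```python
import re

# Constructed /proc/modules snapshot (name size refcount deps state offset [taint]).
# The "(OE)" taint means out-of-tree (O) and unsigned (E), both typical of a
# hand-built rootkit module. Sample data, not from a real host.
PROC_MODULES = """\
ext4 794624 2 - Live 0x0000000000000000
sysinitd 16384 0 - Live 0x0000000000000000 (OE)
e1000 159744 0 - Live 0x0000000000000000
"""

# Constructed php.ini fragment with one injected directive (sample data).
PHP_INI = """\
engine = On
disable_functions = exec,system
auto_prepend_file = /tmp/.x.php   ; injected: runs before every script
memory_limit = 128M
"""

KNOWN_ROOTKIT_MODULES = {"sysinitd"}          # from the report (sysinitd.ko)
CODE_LOADING_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}  # assumption


def parse_proc_modules(text: str) -> list[tuple[str, str]]:
    """Return (module_name, taint_flags) pairs; taint is '' when absent."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        taint = fields[6].strip("()") if len(fields) > 6 else ""
        rows.append((fields[0], taint))
    return rows


def find_rootkit_modules(text: str) -> list[str]:
    """Modules matching a known rootkit name from the incident report."""
    return [n for n, _ in parse_proc_modules(text) if n in KNOWN_ROOTKIT_MODULES]


def find_untrusted_modules(text: str) -> list[str]:
    """Any module flagged out-of-tree (O) or unsigned (E): review even if unnamed."""
    return [n for n, t in parse_proc_modules(text) if "O" in t or "E" in t]


def find_php_ini_injection(text: str) -> list[tuple[str, str]]:
    """(directive, value) for non-empty directives that load code per request."""
    hits = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop inline comments
        m = re.match(r"^([A-Za-z_.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in CODE_LOADING_DIRECTIVES and m.group(2).strip():
            hits.append((m.group(1).lower(), m.group(2).strip()))
    return hits
```

On a live system, feed `open("/proc/modules").read()` and the appliance's `php.ini` contents to the same functions.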
## Response Actions
- Containment: The threat actor's self-patching of the exploited vulnerabilities suggests an attempt to keep exclusive control of the initial access point; unless the organization patched immediately, this may have complicated organization-led containment. (The specific organizational response is not detailed.)
- Eradication: Inferred remediation would involve fully patching Ivanti CSA, removing webshells, validating the integrity of the PostgreSQL database, and eradicating the `sysinitd.ko` rootkit across affected systems.
- Recovery: Restoring services and verifying data integrity, particularly after email data exfiltration.
## Lessons Learned
- Chaining zero-days presents an exceptionally high-risk initial access vector requiring extreme vigilance for emergency patching.
- Administrative credentials stored locally (e.g., in PostgreSQL on the appliance) pose a significant risk when exposed through initial vulnerability exploitation.
- The actors displayed advanced operational security (using commercial VPNs) mixed with commodity tooling, indicating sophisticated threat groups.
## Recommendations
- Immediately apply all emergency vendor patches (Ivanti CSA) upon release.
- Implement credential segmentation: Do not store critical administrative credentials in local databases accessible via exploited perimeter devices.
- Enhance outbound network monitoring for abnormal TCP activity and signals related to cryptomining infrastructure, especially if unusual CPU/network load is observed on perimeter appliances.
- Mandate immediate security audits for systems pivoted to following perimeter breaches (e.g., F5 BIG-IP appliances).