- Three zero-day flaws in Ivanti CSA appliances were abused to steal credentials
- The group has probably sold access to French government devices
- Researchers attribute the attacks to threat actors sponsored by the Chinese state
At the end of 2024, threat actors sponsored by the Chinese state abused several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to gain access to French government agencies, as well as to many commercial entities such as telecommunications, finance and transport organizations.
The news was recently confirmed by France's national cybersecurity agency (ANSSI), which noted that the threat actors abused three security vulnerabilities in Ivanti CSA appliances: CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190.
All three were zero-days at the time, and all were used to steal credentials and establish persistence on the targeted endpoints. The attackers reportedly deployed PHP web shells, modified existing PHP scripts to inject web-shell capabilities, and installed kernel modules that served as a rootkit.
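The persistence technique described above, modifying PHP scripts that already ship on the appliance, is the kind of change a hash baseline catches. The following is an added illustration written for this article, not code from ANSSI, Ivanti or the reporting: it snapshots SHA-256 hashes of every PHP file under a directory, diffs a later state against that snapshot, and flags changed or new files that contain constructs commonly found in injected code (the token list is a constructed heuristic, not an indicator from the report). The directory layout and file contents in the demo are constructed; a real deployment would take the baseline from a known-good image and store it off the appliance.

```python
"""Hash-baseline integrity check for PHP scripts (added example, constructed data).

Defensive use: detect modified or newly dropped PHP files relative to a
known-good snapshot, then highlight which of those contain risky constructs.
"""
import hashlib
import tempfile
from pathlib import Path

# Heuristic tokens worth a second look when they appear in a *changed* file.
# Constructed list for illustration; tune to the application in question.
RISKY_TOKENS = ("eval(", "base64_decode(", "system(", "passthru(", "shell_exec(")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every *.php under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*.php"))
        if p.is_file()
    }


def diff_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with a stored baseline.

    Returns modified (hash changed), added (not in baseline) and removed
    (in baseline but gone) relative paths, each sorted for stable output.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def flag_risky(root: Path, rel_paths: list[str]) -> dict[str, list[str]]:
    """For each changed file, list the RISKY_TOKENS it contains (if any)."""
    hits: dict[str, list[str]] = {}
    for rel in rel_paths:
        text = (root / rel).read_text(errors="replace")
        found = [tok for tok in RISKY_TOKENS if tok in text]
        if found:
            hits[rel] = found
    return hits


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: snapshot a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "util.php").write_text("<?php function f() { return 1; } ?>\n")
        baseline = build_baseline(root)  # in practice: taken from a clean image

        # Simulated tampering (constructed): append to an existing script so it
        # now carries a flagged token, drop a new file, and delete another.
        with (root / "lib" / "util.php").open("a") as f:
            f.write("// constructed marker containing eval( for the scanner\n")
        (root / "new.php").write_text("<?php /* constructed new file */ ?>\n")
        (root / "index.php").unlink()

        changes = diff_baseline(root, baseline)
        risky = flag_risky(root, changes["modified"] + changes["added"])
        return changes, risky


if __name__ == "__main__":
    changes, risky = demo()
    print("changes:", changes)
    print("risky constructs in changed files:", risky)
```

Running the demo reports `lib/util.php` as modified (and flagged for `eval(`), `new.php` as added and `index.php` as removed. The same logic applies to any other directory of interpreted scripts an appliance exposes; only the glob and token list change.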
Access for sale
The attacks have been attributed to a group tracked as Houken, which in the past was seen actively exploiting vulnerabilities in SAP NetWeaver to drop a variant of the GOREshell backdoor called GoReverse.
This group, according to the researchers, has many similarities with an entity tracked by Google's Mandiant team as UNC5174.
“Although its operators use zero-day vulnerabilities and a sophisticated rootkit, they also exploit a large number of open-source tools mainly designed by Chinese-language developers,” the French researchers said. “Houken’s attack infrastructure is made up of various elements – including commercial VPNs and dedicated servers.”
Apparently, Houken is not focused exclusively on Western targets. In the past, it has been observed targeting a wide range of government and educational organizations in Southeast Asia, China, Hong Kong and Macao.
Against Western targets, it has focused mainly on government, defense, education, media and telecommunications.
It should also be mentioned that in the French case, several threat actors were likely involved: one group acting as an initial access broker, and a separate group buying that access to hunt for valuable information and other sensitive data.
Via The Hacker News