The French national cybersecurity agency (ANSSI) has uncovered a sophisticated cyberattack campaign in which a threat actor tracked as “Houken” exploited multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices.
The campaign, beginning in September 2024, targeted French organizations across governmental, telecommunications, media, finance, and transport sectors.
ANSSI’s analysis links Houken to the previously recognized UNC5174 group, suggesting it operates as an initial access broker, potentially affiliated with China’s Ministry of State Security (MSS).
Zero-Day Exploits Enable Widespread Compromise
The attackers exploited three critical vulnerabilities (CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380) before Ivanti had published security advisories for them.
These were chained to achieve remote code execution on exposed Ivanti CSA appliances. Once access was established, Houken operators deployed a range of persistence mechanisms.
These included extracting administrative credentials via a base64-encoded Python script, implanting custom and open-source PHP webshells, and, in select high-value cases, installing a novel Linux kernel rootkit (sysinitd.ko) alongside a user-space controller (sysinitd).
The rootkit, previously detailed by FortiGuard Labs, utilizes TCP hijacking to enable persistent, covert command execution with root privileges. Houken’s operational footprint extended beyond initial entry.
Investigations revealed cases of lateral movement, post-exploitation reconnaissance, further credential theft, and attempts to compromise additional network devices, including F5 BIG-IP.
One notable incident involved exfiltration of large volumes of emails from a foreign ministry, underlining espionage objectives beyond simple access brokering.
Tooling Reflects Mixed Sophistication
ANSSI’s investigation confirmed that Houken’s infrastructure leveraged a diverse mix of anonymization services, including leading VPN providers such as NordVPN, ExpressVPN, and Proton VPN.
Dedicated servers, primarily VPS instances from providers such as HOSTHATCH, ColoCrossing, and JVPS.hosting, were used both as exploitation platforms and as command-and-control (C2) servers for payloads like the open-source GOREVERSE backdoor.
Attack traffic was also traced to residential and mobile IP addresses, often associated with Chinese ISPs such as China Unicom and China Telecom, which aligns with the attackers’ UTC+8 operational time zone. The tooling used in the campaign showed a mixed level of sophistication.
While sophisticated in their discovery and exploitation of zero-days and in their deployment of bespoke rootkits, the operators relied heavily on commodity, open-source tools, predominantly those authored by Chinese-speaking developers and frequently shared on GitHub.
Notable examples include Neo-reGeorg, Behinder (Ice Scorpion), VShell, Suo5, and ffuf, in addition to custom webshells and system modifications for persistent access.
ANSSI’s findings strongly associate Houken with the UNC5174 set, previously cited by Google Threat Intelligence and Mandiant as being linked to Chinese cyber operators.
This conclusion is based on overlaps in infrastructure, tooling, and observed post-exploitation tactics, such as self-patching exploited vulnerabilities and the reuse of webshell filenames.
The campaign’s targeting and methodology point to an access-broker model, with subsequent resale of footholds to state-aligned entities for intelligence purposes.
At least one case of Monero cryptominer deployment was recorded, indicating occasional profit-driven activity.
While Houken’s technical and organizational attributes suggest a private contractor model, likely servicing China’s state intelligence interests, the group remains active and is expected to continue leveraging edge-device vulnerabilities globally.
Network Indicators of Compromise (IoCs)
IoC | First Seen | Last Seen | Comment |
---|---|---|---|
107.173.111.26 | 2024-09-26 | 2024-09-26 | GOREVERSE C2 |
195.133.52.87 | 2024-09-20 | 2024-09-20 | GOREVERSE C2 |
45.33.101.53 | 2024-09-05 | 2024-09-10 | VPS for reverse shell (Netcat) |
156.234.193.18 | 2024-09-06 | 2024-09-06 | Server for tool download/reverse shell (Python) |
198.98.54.209 | 2024-09-09 | 2024-09-09 | Server for additional tool download |
23.236.66.97 | 2024-09-06 | 2024-09-12 | Vulnerabilities exploitation |
134.195.90.71 | 2024-09-06 | 2024-09-11 | VPS accessed via SSH, SCP, TELNET |
64.176.49.160 | 2024-09-19 | 2024-10-09 | Vulnerabilities exploitation |
oyr2ohrm.eyes.sh | 2024-09-09 | 2024-09-09 | OAST tool connection from compromised equipment |
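As an added example (not code from ANSSI’s report or this article), the table above and the host artefacts named earlier can be folded into a small triage script: it matches firewall or DNS log lines against the network IoCs and flags a loaded `sysinitd` kernel module in a `/proc/modules` listing. The log lines and module listing below are constructed samples.

```python
import re

# Network IoCs copied from the ANSSI table reproduced on this page.
NETWORK_IOCS = {
    "107.173.111.26": "GOREVERSE C2",
    "195.133.52.87": "GOREVERSE C2",
    "45.33.101.53": "VPS for reverse shell (Netcat)",
    "156.234.193.18": "Server for tool download/reverse shell (Python)",
    "198.98.54.209": "Server for additional tool download",
    "23.236.66.97": "Vulnerabilities exploitation",
    "134.195.90.71": "VPS accessed via SSH, SCP, TELNET",
    "64.176.49.160": "Vulnerabilities exploitation",
    "oyr2ohrm.eyes.sh": "OAST tool connection from compromised equipment",
}

# Name of the kernel rootkit module described in the article (sysinitd.ko loads as "sysinitd").
ROOTKIT_MODULE = "sysinitd"

# Extracts dotted IPv4 addresses and hostnames from free-form log text.
IP_OR_HOST = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9][a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def scan_log_lines(lines):
    """Return (line_no, indicator, comment) for every line referencing a known network IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in IP_OR_HOST.findall(line):
            comment = NETWORK_IOCS.get(token.lower())
            if comment:
                hits.append((n, token.lower(), comment))
    return hits


def find_rootkit_modules(proc_modules_text):
    """Return loaded module names (first column of /proc/modules) equal to the rootkit name."""
    names = [l.split()[0] for l in proc_modules_text.splitlines() if l.strip()]
    return [m for m in names if m == ROOTKIT_MODULE]


# Constructed sample input: one exploitation-server contact, one OAST callback, one benign flow.
SAMPLE_LOG = [
    "2024-09-06T10:12:01Z fw allow src=10.0.0.14 dst=23.236.66.97 dport=443",
    "2024-09-09T08:30:44Z dns query=oyr2ohrm.eyes.sh client=10.0.0.14",
    "2024-09-09T08:31:02Z fw allow src=10.0.0.14 dst=203.0.113.7 dport=80",
]
# Constructed /proc/modules excerpt showing the rootkit loaded next to a legitimate module.
SAMPLE_MODULES = "sysinitd 16384 0 - Live 0x0000000000000000 (OE)\nxfs 1234567 2 - Live 0x0000000000000000\n"

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("IoC match on line %d: %s (%s)" % hit)
    print("rootkit modules loaded:", find_rootkit_modules(SAMPLE_MODULES))
```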