The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.
The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken, which is assessed to share some level overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus).
“While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers,” the French National Agency for the Security of Information Systems (ANSSI) said. “Houken’s attack infrastructure is made up of diverse elements — including commercial VPNs and dedicated servers.”
The agency theorized that Houken is likely being used by an initial access broker since 2023 with an aim to gain a foothold into target networks and then shared with other threat actors interested in carrying out follow-on post-exploitation activities, reflective of a multi-party approach to vulnerability exploitation, as pointed out by HarfangLab.
“A first party identifies vulnerabilities, a second uses them at scale to create opportunities, then accesses are distributed to third parties which further attempt to develop targets of interest,” the French cybersecurity company noted earlier this February.
“The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence,” the agency added.
In recent months, UNC5174 has been linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The hacking crew has also leveraged vulnerabilities in Palo Alto Networks, Connectwise ScreenConnect, and F5 BIG-IP software in the past to deliver the SNOWLIGHT malware, which is then used to drop a Golang tunneling utility called GOHEAVY.
Another report from SentinelOne attributed the threat actor to an intrusion against a “leading European media organization” in late September 2024.
In the attacks documented by ANSSI, the attackers have been observed exploiting three security defects in Ivanti CSA devices, CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, as zero-days to obtain credentials and establish persistence using one of the three methods –
- Directly deploying PHP web shells
- Modifying existing PHP scripts to inject web shell capabilities, and
- Installing a kernel module that serves as a rootkit
The attacks are characterized by the use of publicly available web shells like Behinder and neo-reGeorg, followed by the deployment of GOREVERSE to maintain persistence after lateral movements. Also employed is an HTTP proxy tunneling tool called suo5 and a Linux kernel module named “sysinitd.ko” that was documented by Fortinet in October 2024 and January 2025.
“It is composed of a kernel module (sysinitd.ko) and a user-space executable file (sysinitd) installed on the targeted device through the execution of a shell script: install.sh,” ANSSI said. “By hijacking inbound TCP traffic over all ports, and invoking shells, sysinitd.ko and sysinitd allow the remote execution of any command with root privileges.”
That’s not all. Besides conducting reconnaissance and operating in the UTC+8 time zone (which corresponds to China Standard Time), the attackers have been observed attempting to patch the vulnerabilities, likely to prevent exploitation by other unrelated actors, ANSSI added.
It’s suspected that the threat actors have a wide targeting range, comprising governmental and education sectors in Southeast Asia, non-governmental organizations located in China, including Hong Kong and Macau, and governmental, defence, education, media or telecommunication sectors in the West.
On top of that, the tradecraft similarities between Houken and UNC5174 have raised the possibility that they are operated by a common threat actor. That having said, at least in one incident, the threat actors are said to have weaponized the access to deploy cryptocurrency miners, underscoring their financial motivations.
“The threat actor behind the Houken and UNC5174 intrusion sets might correspond to a private entity, selling accesses and worthwhile data to several state-linked bodies while seeking its own interests leading lucrative oriented operations,” ANSSI said.
