Chinese Houken Group Exploits Ivanti CSA Zero-Days to Install Linux Rootkits


The French National Agency for the Security of Information Systems (ANSSI) has uncovered a sophisticated cyberattack campaign orchestrated by a threat group dubbed “Houken.”

This group, suspected to be linked to the Chinese intrusion set UNC5174, exploited multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices to gain unauthorized access to networks of French organizations across governmental, telecommunications, media, finance, and transport sectors.

Sophisticated Attack Campaign Targets French Sectors

The attacks, which commenced in early September 2024 and continued through November 2024, leveraged three vulnerabilities in Ivanti CSA: CVE-2024-8963, a path traversal flaw that bypasses authentication to reach restricted admin functionality, together with CVE-2024-8190 and CVE-2024-9380, two OS command injection flaws in the admin console. Chained together, they enable unauthenticated remote code execution on vulnerable appliances.

What sets this campaign apart is the deployment of a previously unseen Linux rootkit, showcasing a blend of advanced technical prowess and opportunistic exploitation tactics.

ANSSI’s detailed investigation paints a picture of Houken as a moderately sophisticated intrusion set, likely operating as an initial access broker.

The attackers meticulously chained zero-day ...


Copyright of this story solely belongs to gbhackers.