French government hit by Chinese hackers exploiting Ivanti security flaws
techradar.com
- Three zero-day flaws in Ivanti CSA solutions were abused to grab login credentials
- The group likely sold the access to French government devices
- Researchers are attributing the attacks to Chinese state-sponsored miscreants
In late 2024, Chinese state-sponsored threat actors abused multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices to access French government agencies, as well as numerous commercial entities such as telcos, finance, and transportation organizations.
The news was recently confirmed by the French National Agency for the Security of Information Systems (ANSSI), which noted threat actors were abusing three security vulnerabilities in Ivanti CSA devices: CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190.
All three were zero-days at the time, and all were used to steal login credentials and establish persistence on target endpoints. Apparently, the miscreants were deploying PHP web shells, modifying existing PHP scripts to inject web shell capabilities, and installing kernel modules that served as ...