France’s national cybersecurity agency (ANSSI) released a report detailing a campaign by a China-based threat group, dubbed Houken, that occurred in September 2024. Houken exploited multiple zero-day vulnerabilities in Ivanti’s Cloud Service Appliance (CSA) to compromise organizations across France’s public and private sectors.
Between July and September 2024, ANSSI observed targeting of French entities in the government, telecom, media, finance, and transport sectors. The threat actors exploited three previously unknown vulnerabilities—CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380—for remote code execution on Ivanti CSA.
Once inside the network, Houken deployed custom PHP webshells, modified legitimate scripts and, in some cases, installed a custom rootkit to maintain persistence. Notably, the attackers also patched the exploited vulnerabilities post-compromise, likely to prevent other threat actors from leveraging their access.
Houken shares infrastructure and tooling with UNC5174, a group previously documented by Mandiant. The group’s behavior aligns with that of access brokers—threat actors who gain and sell initial access to compromised networks, likely to state actors. ANSSI also noted a case of data exfiltration, as well as an interest in the deployment of cryptominers, which could indicate a hybrid motive of espionage and financial gain.
Analyst notes:
Houken’s campaign underscores the growing threat posed by access brokers and their continued interest in edge infrastructure. Organizations can secure edge devices by limiting exposure and enforcing strict access controls, as well as by ensuring timely patching. To mitigate similar threats, monitor for unusual activity and regularly audit for persistence mechanisms such as webshells or unauthorized kernel modules.
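As an added illustration of the audits recommended above (example code, not from ANSSI's report or Ivanti), the script below runs a file-integrity pass over a PHP tree against a known-good hash baseline, flags files whose content routes request input into an execution sink, and compares loaded kernel modules with an allowlist. The file names, contents, hash baseline and /proc/modules excerpt are all constructed, and the regex is a coarse heuristic rather than an indicator tied to this campaign.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Coarse webshell heuristic: request input flowing straight into an execution sink.
WEBSHELL_RE = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_php_tree(root, baseline):
    """Compare PHP files under root with a known-good baseline {relpath: sha256}.
    Returns (new_files, modified_files, suspicious_files), each sorted."""
    root = Path(root)
    new, modified, suspicious = [], [], []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel not in baseline:
            new.append(rel)            # file the baseline never saw (dropped shell?)
        elif baseline[rel] != sha256_file(path):
            modified.append(rel)       # legitimate script edited in place
        if WEBSHELL_RE.search(path.read_text(errors="ignore")):
            suspicious.append(rel)     # content looks like a shell regardless of baseline
    return sorted(new), sorted(modified), sorted(suspicious)

def unexpected_modules(proc_modules_text, allowlist):
    """Module names from /proc/modules-style text that are not on the allowlist."""
    names = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(names - set(allowlist))

def demo():
    """Constructed sample: one clean file, one tampered file, one dropped shell."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = b'<?php echo "ok"; ?>\n'
        orig_login = b'<?php echo "login"; ?>\n'   # what the baseline was taken from
        (root / "index.php").write_bytes(clean)
        (root / "login.php").write_bytes(b'<?php echo "login"; system($_GET["c"]); ?>\n')
        (root / "cache.php").write_bytes(b'<?php eval($_POST["x"]); ?>\n')
        baseline = {"index.php": hashlib.sha256(clean).hexdigest(),
                    "login.php": hashlib.sha256(orig_login).hexdigest()}
        files = audit_php_tree(root, baseline)
    # Constructed /proc/modules excerpt; "unknown_mod" is a placeholder, not a real indicator.
    modules = "ext4 700000 1 - Live 0x0\nsnd_seq 80000 0 - Live 0x0\nunknown_mod 16384 0 - Live 0x0\n"
    return files, unexpected_modules(modules, {"ext4", "snd_seq"})

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is captured from a clean appliance image, and the module allowlist from a known-good host, before the device is exposed.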