Ivanti Zero-Day Exploited by Chinese Hackers
Chinese state-linked threat actors have been observed exploiting multiple zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices as part of a sophisticated campaign targeting French government, telecom, finance, and media sectors. The French cybersecurity agency ANSSI attributes the activity to a group called Houken, believed to overlap with Mandiant-tracked UNC5174. These attackers employed a blend of PHP web shells, open-source tools, and a custom Linux kernel rootkit to gain access, maintain persistence, and evade detection in targeted environments.
The operation, first detected in September 2024, involved exploiting three Ivanti CSA vulnerabilities (CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190) to implant malware and obtain credentials. Attackers used well-known tools such as Behinder, neo-reGeorg, and GOREVERSE, along with sysinitd.ko, a kernel-level rootkit that enabled remote code execution with root privileges. In some cases, they went as far as patching the vulnerabilities themselves, likely to block competing threat actors from leveraging the same exploits. ANSSI also reports evidence of initial access brokering, suggesting that compromised systems may be sold to or shared with other groups for follow-on exploitation.
Beyond France, the campaign’s targeting appears to span NGOs in China, Southeast Asian governments, and Western defense and education sectors, revealing the global implications of this access-driven model. While financial motives—including cryptojacking—were observed, analysts believe the primary objective is intelligence gathering. The use of layered tooling, post-exploitation tunneling, and a hybrid of stealth and aggression underscores the evolving tradecraft of threat actors operating across state and criminal lines.
Lakshmanan, Ravie. 2025. “Chinese Hackers Exploit Ivanti CSA Zero-Days in Attacks on French Government, Telecoms.” The Hacker News. July 3.
READ: https://bit.ly/44ZDb6j