The French cybersecurity agency stated in a study released Tuesday that three zero-day flaws impacting Ivanti Cloud Services Appliance devices triggered an attack spree in France last year that affected several critical infrastructure sectors.
The French National Agency for the Security of Information Systems reports that from early September to late November 2024, widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 affected government agencies and organisations in the media, finance, transportation, and telecommunications sectors.
According to Mandiant, the attacks were carried out by UNC5174, a former member of Chinese hacktivist collectives who was probably working as a contractor for China's Ministry of State Security. The attacker, known as "Uteus," has previously targeted edge device flaws in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and the Zyxel firewall.
Authorities in France discovered that UNC5174 employed a unique intrusion set known as "Houken," which included zero-day vulnerabilities, a sophisticated rootkit, numerous open-source tools, commercial VPNs, and dedicated servers. Officials believe Houken and UNC5174 are operated by the same threat actor, an initial access broker who steals credentials and implements methods to gain persistent access to target networks.
“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency noted in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”
Earlier this year in January, the Cybersecurity and Infrastructure Security Agency said that threat actors used the three Ivanti zero-days in a chain to get credentials, execute remote code, establish initial access, and install webshells on victim networks. In April, Sysdig researchers said that they had observed the China state-sponsored hacker organisation UNC5174 use open-source offensive security techniques like WebSockets and VShell to blend in with more common cybercriminal activities.
Numerous attackers have frequently taken advantage of long-standing flaws in Ivanti products, including espionage outfits with ties to China. Since 2021, Ivanti has shipped software with a high number of vulnerabilities across at least ten different product lines, more than any other vendor in this market since the start of last year. According to cyber authorities, cybercriminals have exploited seven flaws in Ivanti products so far this year, and 30 Ivanti faults have been discovered over the past four years in CISA's known exploited vulnerabilities catalogue.
“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti noted in a statement.
“Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”
