French authorities said government agencies and businesses spanning telecom, media, finance and transportation were impacted by the widely exploited Ivanti vulnerabilities.

Multiple critical infrastructure sectors were hit last year during an attack spree in France via a trio of zero-day vulnerabilities affecting Ivanti Cloud Services Appliance devices, the country’s cybersecurity agency said in a report released Tuesday.
Government agencies and organizations in the telecommunications, media, finance and transportation industries were impacted by widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963 and CVE-2024-9380 from early September to late November 2024, according to the French National Agency for the Security of Information Systems.
French authorities attribute the attacks to UNC5174, a former member of Chinese hacktivist collectives likely working as a contractor for China’s Ministry of State Security, according to Mandiant. The attacker, believed to use the persona “Uteus,” previously exploited edge device vulnerabilities in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel and Zyxel firewalls.
Authorities in France concluded UNC5174 used a unique intrusion set it dubbed “Houken,” which used zero-day vulnerabilities, a sophisticated rootkit, various open-source tools, commercial VPNs and dedicated servers. Officials said Houken and UNC5174 are likely operated by the same threat actor, an initial access broker that also steals credentials and deploys mechanisms to achieve persistent access to victim networks.
“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency said in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”
The Cybersecurity and Infrastructure Security Agency issued an advisory in January warning that threat actors chained the three Ivanti zero-days to gain initial access, conduct remote code execution, obtain credentials and implant webshells on victim networks.
Sysdig researchers in April said they observed the China state-sponsored hacking group, UNC5174, using open-source offensive security tools, such as VShell and WebSockets, to blend in with more common cybercriminal activity.
Multiple attackers, including China-linked espionage groups, have repeatedly exploited a long run of vulnerabilities in Ivanti products. Ivanti is a repeat offender, shipping software with a high number of vulnerabilities — more than any other vendor in this space since the start of last year — across at least 10 different product lines since 2021.
CISA’s known exploited vulnerabilities catalog contains 30 Ivanti defects in the past four years, and attackers have exploited seven vulnerabilities in Ivanti products so far this year, according to cyber authorities.
“We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected,” a spokesperson for Ivanti said in a statement.
“Ivanti released a patch in 2024 and strongly urged all customers to upgrade to CSA version 5.0, which was not affected by this vulnerability. The security and protection of our customers remain our top priority, and we are committed to supporting them.”