
France’s cybersecurity agency ANSSI uncovered last September a campaign exploiting multiple zero-day flaws in Ivanti Cloud Service Appliance devices to breach French networks. The attackers targeted critical sectors, from government and telecom to media, finance, and transport. ANSSI attributed the campaign to a unique intrusion set it calls ‘Houken,’ describing it as moderately sophisticated and marked by an ambivalent use of resources.

“While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools, mostly crafted by Chinese-speaking developers. Houken’s attack infrastructure is made up of diverse elements, including commercial VPNs and dedicated servers,” ANSSI detailed in a document titled ‘Houken: Seeking a path by living on the edge with zero-days.’ “ANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by Mandiant as UNC5174.” 

It added that since 2023, Houken has likely been used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. “Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI’s knowledge.”

Furthermore, ANSSI pointed out that operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial access to sell to a state-linked actor seeking insightful intelligence. However, ANSSI also observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straightforward profit-driven objectives.

At the beginning of September 2024, an attacker repeatedly exploited the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices. These vulnerabilities were exploited as zero-days before Ivanti released its security advisory.

ANSSI observed that the attacker opportunistically chained these flaws to gain initial access to Ivanti CSA appliances. Their goal was to obtain credentials by executing a base64-encoded Python script. To maintain persistence, the attacker deployed or created PHP webshells, modified existing PHP scripts to add webshell capabilities, and at times installed a kernel module acting as a rootkit once loaded. In what was likely an attempt to prevent other unrelated actors from exploiting the same weaknesses, the attacker even tried to self-patch the affected web resources.

After establishing a foothold on victim networks through compromised Ivanti CSA devices, the attacker sometimes performed reconnaissance and moved laterally. Deeper compromises enabled them to collect additional credentials and deploy more persistence mechanisms. ANSSI observed the most recent activity tied to this campaign at the end of November 2024.

“Several incidents affecting French entities, and linked to this attack campaign, were observed by ANSSI at the end of 2024. The campaign targeted French organizations from governmental, telecommunications, media, finance, and transport sectors,” the document detailed. “In three cases, the compromise of Ivanti CSA devices was followed by lateral movements toward the victims’ internal information systems. The malicious actor also collected credentials and attempted to establish a persistence on these compromised networks.” 

Further, the attacker’s operational activity clustered in the UTC+8 time zone, which aligns with China Standard Time (CST). ANSSI provided significant support to the affected entities, assisting with forensic analysis and corrective actions for these incidents.

The attack infrastructure used by the Houken intrusion set included a range of elements, such as IP addresses drawn from popular and publicly accessible anonymization services, dedicated servers, internet service providers, and cloud service providers.

On the victims’ networks during the September 2024 campaign, Houken operators used multiple types of tools. They relied on numerous open-source tools available on GitHub, including webshells mostly developed by Chinese-speaking authors. They also deployed handcrafted webshells, along with a kernel module and a user-space binary that functioned as a rootkit.

In one incident targeting an entity of the French defense sector, Houken operators deployed a previously unobserved rootkit on an internet-facing Ivanti CSA appliance. This rootkit was publicly described by Fortinet’s FortiGuard Labs threat research team. “By hijacking inbound TCP traffic over all ports, and invoking shells, sysinitd.ko and sysinitd allow the remote execution of any command with root privileges. This rootkit includes an interesting process manager illustrating the relatively good level of sophistication and the effectiveness of this additional persistence mechanism.”

On the one hand, ANSSI observed noisy and rudimentary actions within victims’ environments, along with the deployment of generic offensive tools, which could indicate limited resources dedicated to tooling development. The use of open-source tools crafted by Chinese-speaking developers appears increasingly common across the Chinese offensive landscape and may simply reflect the attacker’s preference for readily available commodities.

On the other hand, researching zero-day vulnerabilities and developing rootkits are not trivial undertakings, suggesting that the threat actor has access to significant resources. This divergence in skills and resources may point to a multi-actor approach similar to the model described by HarfangLab’s Cyber Threat Research Team, in which one actor identifies vulnerabilities and entry points while another is responsible for their industrial-scale exploitation.

Regarding the attack infrastructure, certain elements, such as the use of multiple commercial VPN exit nodes and the diversity of dedicated servers, suggest that Houken operators may rely on services provided by other actors to obtain parts of their infrastructure. They could also have been granted permission to use various infrastructure resources for their activities. Furthermore, the lack of segmentation across their attack infrastructure may indicate insufficient attention to operational security.

The threat actor behind Houken appears to have a very broad targeting range. Its targets seem to be prioritized according to several criteria. First, entities located near China, particularly in Southeast Asia, including countries such as Thailand, Vietnam, and Indonesia, with a specific focus on governmental and education sectors. Second, non-governmental organizations operating both inside and outside China, including those in Hong Kong and Macao. Third, entities based in Western countries associated with government, defense, education, media, or telecommunications sectors.

ANSSI reported several notable elements linking Houken to the UNC5174 intrusion set. In one incident, Houken operators exploited an F5 BIG-IP device through the CVE-2023-46747 vulnerability and created a local account named Root6, a tactic previously described in GTIG reporting on UNC5174.

In most incidents investigated by ANSSI, the threat actor was observed self-patching the same vulnerability it had exploited, a behavior also documented by GTIG as part of UNC5174’s tactics, techniques, and procedures.

Houken operators additionally used open-source tools previously attributed to UNC5174 intrusions, including GOREVERSE, VShell, fscan, and ffuf. These tools are developed by Chinese-speaking authors, documented in Chinese, and appear to be used mainly by threat actors linked to Chinese strategic interests. Finally, UNC5174 operators were previously known to deploy suo5 webshells using the OutlookEN[dot]aspx filename.

The French agency detailed that the threat actor behind the Houken and UNC5174 intrusion sets remains active. “Both intrusion sets will likely be operated again to target internet-facing equipment, such as endpoint managers or VPN appliances, through worldwide and opportunistic vulnerability exploitation.”

In April and May this year, the SYSDIG security team and ECLECTICIQ detailed two different attack campaigns taking place between November 2024 and April 2025. “Both firms linked these activities to UNC5174 through the use of the in-memory backdoor VShell dropped by a downloader named SNOWLIGHT by GTIG.

However, ANSSI cannot confirm the links between the attack campaigns described and the Houken or UNC5174 intrusion sets, as SNOWLIGHT might not be exclusive to UNC5174.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory in January following the September 2024 exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (CSA). The exploited flaws include CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, which allow remote code execution.

According to data from CISA and trusted third-party responders, threat actors chained these vulnerabilities to gain initial access, execute remote code, steal credentials, and implant webshells on victim networks. The attackers primarily relied on two exploitation paths: one combining CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, and another chaining CVE-2024-8963 with CVE-2024-9379. In at least one confirmed breach, the attackers moved laterally to two additional servers.

All four vulnerabilities affect Ivanti CSA version 4.6x before build 519. Two of the vulnerabilities, CVE-2024-9379 and CVE-2024-9380, also impact CSA version 5.0.1 and earlier; however, Ivanti reports that these CVEs have not been exploited on version 5.0.

The advisory noted at the time that since Ivanti CSA 4.6 has reached end-of-life status and no longer receives patches or third-party updates, CISA and the FBI strongly urge administrators to upgrade to the latest supported version. Network defenders should proactively hunt for malicious activity using the detection methods and indicators of compromise described in the advisory.

Also, credentials and sensitive data stored on affected Ivanti appliances should be treated as compromised. Organizations are advised to collect and analyze logs and other artifacts for signs of malicious activity and to follow the incident response recommendations provided by CISA and the FBI.
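The article describes three artifacts a defender can hunt for on a compromised appliance or adjacent host: shell commands that decode a base64 blob and hand it to Python (the credential-collection step), PHP files dropped or modified to carry webshell functionality (including the OutlookEN.aspx filename tied to UNC5174), and a local account named Root6. The following Python script is an added example, not code from the ANSSI or CISA reports; it runs three simple hunts over constructed sample data. The PHP function list, the base64-to-python command shapes and the uid-0 check are heuristics assumed by this example, and every path, log line and account in the samples is constructed rather than a published indicator. Treat matches as leads for analyst review, not as confirmed compromise.

```python
"""Hunt helpers for the Ivanti CSA tradecraft described in the article.

All sample artifacts below are constructed for this example; they are not
indicators from the ANSSI or CISA reports.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Filename the article associates with UNC5174 suo5 webshells (from the page).
KNOWN_WEBSHELL_NAMES = {"outlooken.aspx"}
# Account name the article associates with the F5 BIG-IP intrusion (from the page).
KNOWN_ROGUE_ACCOUNTS = {"root6"}

# PHP constructs that, inside an appliance web root, usually mean a webshell was
# dropped or an existing script was extended with one. Heuristic assumed by this
# example, not a published signature; legitimate code can also match.
PHP_EXEC_PATTERN = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
PHP_OBFUSCATION_PATTERN = re.compile(r"base64_decode|gzinflate|str_rot13", re.I)

# Command shapes for "decode a base64 blob and feed it to python" (assumed here).
B64_PYTHON_PATTERN = re.compile(
    r"base64\s+(-d|--decode)[^|]*\|\s*python[0-9.]*"
    r"|python[0-9.]*\s+-c\s+.*b64decode", re.I)


@dataclass
class Finding:
    kind: str    # which hunt fired
    where: str   # log line number, file path, or "passwd"
    detail: str  # decoded payload, match reason, or account name


def decode_b64_blob(command: str) -> Optional[str]:
    """Decode the longest base64-looking run in a command line for analyst review."""
    for run in sorted(re.findall(r"[A-Za-z0-9+/=]{24,}", command), key=len, reverse=True):
        try:
            return base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def hunt_process_log(lines: List[str]) -> List[Finding]:
    """Flag process-execution log lines that pipe decoded base64 into python."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if B64_PYTHON_PATTERN.search(line):
            decoded = decode_b64_blob(line) or "<undecodable payload>"
            findings.append(Finding("b64_python_exec", f"proc:{lineno}", decoded))
    return findings


def hunt_webroot(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> content; flag known webshell names and suspicious PHP."""
    findings = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name in KNOWN_WEBSHELL_NAMES:
            findings.append(Finding("known_webshell_name", path, name))
        if path.lower().endswith(".php") and PHP_EXEC_PATTERN.search(content):
            reason = "exec-function"
            if PHP_OBFUSCATION_PATTERN.search(content):
                reason += "+obfuscation"
            findings.append(Finding("php_webshell_pattern", path, reason))
    return findings


def hunt_passwd(passwd_text: str) -> List[Finding]:
    """Flag the Root6 account from the article and any extra uid-0 account (assumed check)."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # not a well-formed passwd(5) record
        user, uid = parts[0], parts[2]
        if user.lower() in KNOWN_ROGUE_ACCOUNTS:
            findings.append(Finding("rogue_account", "passwd", user))
        elif uid == "0" and user != "root":
            findings.append(Finding("extra_uid0_account", "passwd", user))
    return findings


# ---- constructed sample data (not real indicators) -------------------------
_PAYLOAD = base64.b64encode(b"import platform; print(platform.node())").decode()
SAMPLE_PROC_LOG = [
    "uid=0 cmd=/usr/bin/python3 /opt/app/healthcheck.py",             # benign
    f"uid=33 cmd=sh -c 'echo {_PAYLOAD} | base64 -d | python3'",        # suspicious
    "uid=33 cmd=/bin/ls /var/www/html",                                  # benign
]
SAMPLE_WEBROOT = {
    "/var/www/html/index.php": "<?php require 'app.php'; echo 'ok'; ?>",
    "/var/www/html/gsb/help.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "/var/www/html/OutlookEN.aspx": '<%@ Page Language="C#" %>',
}
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "Root6:x:1001:1001::/home/root6:/bin/bash",
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
    "svc:x:0:0::/:/bin/sh",
])


def run_hunt() -> List[Finding]:
    """Run all three hunts over the constructed samples and return the findings."""
    return (hunt_process_log(SAMPLE_PROC_LOG) + hunt_webroot(SAMPLE_WEBROOT)
            + hunt_passwd(SAMPLE_PASSWD))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

On a real host you would feed `hunt_process_log` from auditd or EDR command-line telemetry, `hunt_webroot` from a file walk of the appliance web directory (comparing against a known-good hash set is better still, since the article notes the actor modifies existing PHP scripts and self-patches the exploited resource), and `hunt_passwd` from `/etc/passwd` collected during triage. The decoded payload is returned verbatim so an analyst can see what the script did, which is where the credential-collection behaviour described by ANSSI would show up.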

In May, the French foreign ministry attributed a series of cyberattacks on national interests to APT28, a group linked to Russia’s military intelligence agency (GRU). It strongly condemned its use by the Russian state. Since 2021, this attack group has targeted or compromised a dozen French entities.