China-linked group Houken targeted French government, telecom, media, finance, and transport sectors using Ivanti CSA zero-days, according to France’s ANSSI.
The campaign, active since September 2024, involved an intrusion set named Houken, leveraging zero-day exploits and a rootkit, and utilizing Chinese open-source tools and diverse infrastructure like VPNs and dedicated servers.
The attackers exploited vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 on Ivanti CSA devices, aiming to obtain credentials, ensure persistence, move laterally, conduct reconnaissance, steal credentials, and maintain control over compromised systems.
The Houken intrusion set's tactics suggest a proficient actor aiming at high-value systems, possibly for espionage or selling access. ANSSI points out links between Houken and UNC5174, indicating a shared operator involved in selling access and intelligence.