
On Tuesday, the French cybersecurity agency ANSSI revealed that many entities across the domestic government, telecommunications, media, finance and transportation sectors were affected by a malicious campaign undertaken by Chinese hacking groups weaponizing zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.
The campaign, detected in early September 2024, is attributed to a distinct intrusion set codenamed Houken, which is assessed to share some degree of overlap with the threat cluster Google Mandiant tracks under the moniker UNC5174 (aka Uteus or Uetus).
“Operators use zero-day vulnerabilities and sophisticated rootkits, but also utilize a number of open source tools that Chinese-speaking developers mostly create,” says France’s National Agency for the Security of Information Systems (ANSSI). “Houken’s attack infrastructure is made up of a variety of factors, including commercial VPNs and dedicated servers.”
The agency theorized that Houken has likely been used by an initial access broker since 2023 with the aim of gaining a foothold on target networks; that access is then shared with other threat actors who carry out follow-on post-exploitation activity, as HarfangLab noted, reflecting a multi-party approach to vulnerability exploitation.

“First parties will identify vulnerabilities, and the second will create large opportunities to create opportunities, access will be distributed to third parties, and further develop targets of interest,” the French cybersecurity company noted in early February this year.
“The operators behind the UNC5174 and Houken intrusion set are likely looking for valuable early access to sell to actors associated with states that are primarily seeking insightful intelligence,” the agency added.
Over the past few months, UNC5174 has been linked to aggressive exploitation of SAP NetWeaver flaws to deliver Goreverse, a variant of Goreshell. The hacking crew has in the past leveraged vulnerabilities in Palo Alto Networks, ConnectWise ScreenConnect and F5 BIG-IP software to deliver the Snowlight malware and drop a Golang tunneling utility called Goheavy.
A separate report from SentinelOne attributes to the same threat actor an intrusion into “major European media organizations” in late September 2024.
In the attacks documented by ANSSI, the attacker has been observed exploiting three security flaws in the Ivanti CSA device, CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190, and then directly deploying PHP web shells, modifying existing PHP scripts to insert web shell functionality, and installing a kernel module that acts as a rootkit.
The attacks are characterized by the use of publicly available web shells like Beaker and Neo-reGeorg, followed by the deployment of Goreverse to maintain persistence after lateral movement. The intrusion set also employs an HTTP proxy tunneling tool and a Linux kernel module called “sysinitd.ko”, which Fortinet documented in October 2024 and January 2025.
“It consists of a kernel module (sysinitd.ko) and a user-space executable (sysinitd) installed on the target device through execution of a shell script: install.sh,” ANSSI said. “Sysinitd.ko and sysinitd allow remote execution of commands with root privileges by hijacking inbound TCP traffic across all ports and invoking the shell.”
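The persistence mechanisms described above (modified PHP scripts, dropped PHP web shells, and a kernel module loaded as a rootkit) are the kind of host artifacts an appliance owner can check for. The following is an added example, not code from the article, ANSSI or Fortinet, of a small host-triage routine that does three things: compares current PHP files against a known-good hash baseline to find modified or newly added scripts, scans flagged files for common web shell constructs, and checks a /proc/modules listing for the module name the report gives (sysinitd). All file contents, paths and the /proc/modules text are constructed sample data; the regular expressions are generic web shell heuristics and are an assumption, not a published signature.

```python
import hashlib
import re

# Constructed sample data standing in for an appliance file system (not from the article).
KNOWN_GOOD_PHP = {
    "/opt/app/index.php": "<?php\necho 'hello';\n",
    "/opt/app/login.php": "<?php\n$u = $_POST['user'];\n",
}

# Constructed "current" state: login.php has had a web shell inserted, and a new
# stand-alone web shell has been dropped into a cache directory.
CURRENT_PHP = {
    "/opt/app/index.php": "<?php\necho 'hello';\n",
    "/opt/app/login.php": "<?php\n$u = $_POST['user'];\n@eval($_POST['cmd']);\n",
    "/opt/app/cache/x.php": "<?php system($_GET['c']); ?>",
}

# Constructed /proc/modules content; "sysinitd" is the module name ANSSI reported.
PROC_MODULES = """ext4 745472 2 - Live 0x0000000000000000
sysinitd 16384 0 - Live 0x0000000000000000 (OE)
nf_tables 262144 4 - Live 0x0000000000000000
"""

ROOTKIT_MODULE_NAMES = {"sysinitd"}

# Generic heuristics (assumed, not a vendor signature): code-execution functions fed
# directly from request parameters are the classic web shell shape.
WEBSHELL_PATTERNS = [
    re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I),
    re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST)", re.I),
]


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(files):
    """Map each known-good path to the SHA-256 of its content."""
    return {path: sha256(content) for path, content in files.items()}


def find_modified_scripts(baseline, current):
    """Return {path: 'modified' | 'new file'} for anything not matching the baseline."""
    findings = {}
    for path, content in current.items():
        if path not in baseline:
            findings[path] = "new file"
        elif baseline[path] != sha256(content):
            findings[path] = "modified"
    return findings


def scan_for_webshell(content):
    """Return the patterns that match inside a PHP file's content."""
    return [p.pattern for p in WEBSHELL_PATTERNS if p.search(content)]


def loaded_suspicious_modules(proc_modules_text, names=ROOTKIT_MODULE_NAMES):
    """First column of /proc/modules is the module name; flag any in the watch list."""
    hits = []
    for line in proc_modules_text.splitlines():
        if line.strip():
            name = line.split()[0]
            if name in names:
                hits.append(name)
    return hits


def triage(baseline, current, proc_modules_text):
    """Combine the file-integrity, web shell and kernel module checks into one report."""
    report = {"php": {}, "modules": loaded_suspicious_modules(proc_modules_text)}
    for path, status in find_modified_scripts(baseline, current).items():
        report["php"][path] = {"status": status, "patterns": scan_for_webshell(current[path])}
    return report


def triage_sample():
    """Run the triage over the constructed sample data."""
    return triage(build_baseline(KNOWN_GOOD_PHP), CURRENT_PHP, PROC_MODULES)


if __name__ == "__main__":
    for path, finding in triage_sample()["php"].items():
        print(f"{path}: {finding['status']}, webshell patterns: {len(finding['patterns'])}")
    print("suspicious modules:", triage_sample()["modules"])
```

The baseline comparison matters more than the regexes: a web shell inserted into a legitimate script can be written to evade any fixed pattern, but it cannot avoid changing the file's hash, so a baseline captured from a clean firmware image (or the vendor's published checksums) is the check to rely on. The module check only catches a module that still appears in /proc/modules; a rootkit that unlinks itself from the module list needs memory or boot-time verification instead.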

That’s not all. In addition to conducting reconnaissance and operating in the UTC+8 time zone (consistent with China Standard Time), the attackers have been observed trying to patch the vulnerability, likely in an attempt to prevent exploitation by other, unrelated parties, ANSSI added.
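The time-zone observation above is a standard tradecraft heuristic: interactive attacker activity tends to cluster in the operator's working hours, so converting command timestamps into candidate offsets and seeing which one places most activity in a normal working day gives a weak attribution signal. Below is an added example of that analysis, not code from the report; the timestamps are constructed sample data, the 09:00 to 18:00 working-day window is an assumption, and the result is only a supporting data point, not proof of origin.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC_PLUS_8 = timezone(timedelta(hours=8))

# Constructed UTC timestamps of interactive attacker commands (not from the report).
SAMPLE_EVENTS_UTC = [
    "2024-09-10T01:12:05Z", "2024-09-10T02:40:11Z", "2024-09-10T03:05:52Z",
    "2024-09-10T06:30:00Z", "2024-09-10T08:15:30Z", "2024-09-11T01:05:44Z",
    "2024-09-11T02:10:03Z", "2024-09-11T09:20:18Z", "2024-09-11T17:05:00Z",
    "2024-09-12T01:45:27Z",
]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hours(events, tz):
    """Hour-of-day of each event after conversion into the candidate time zone."""
    return [parse_utc(e).astimezone(tz).hour for e in events]


def hour_histogram(events, tz):
    """Count events per local hour; useful for eyeballing the activity curve."""
    return Counter(local_hours(events, tz))


def business_hours_share(events, tz, start=9, end=18):
    """Fraction of events falling inside an assumed working day [start, end)."""
    hours = local_hours(events, tz)
    inside = sum(1 for h in hours if start <= h < end)
    return inside / len(hours)


def best_fit_offset(events, candidates=range(-12, 15)):
    """Whole-hour UTC offset that puts the largest share of activity in working hours."""
    return max(
        candidates,
        key=lambda off: business_hours_share(events, timezone(timedelta(hours=off))),
    )


if __name__ == "__main__":
    print("UTC+8 working-hours share:", business_hours_share(SAMPLE_EVENTS_UTC, UTC_PLUS_8))
    print("best-fit offset:", best_fit_offset(SAMPLE_EVENTS_UTC))
    print("UTC+8 hour histogram:", sorted(hour_histogram(SAMPLE_EVENTS_UTC, UTC_PLUS_8).items()))
```

With real data the interesting cases are the ambiguous ones: a best-fit offset that ties between neighbouring zones, or activity that fits two zones twelve hours apart, both of which are why this signal is combined with tooling, infrastructure and targeting evidence rather than used on its own, as the report does.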
The threat actors are suspected to have a wide targeting range consisting of the government and education sectors in Southeast Asia, non-governmental organizations in China, including Hong Kong and Macau, and Western government, defense, education, media and telecommunication sectors.
In addition, the tradecraft similarities between Houken and UNC5174 raise the likelihood that they are operated by a common threat actor. That being said, in at least one incident, the threat actors are said to have weaponized their access to deploy cryptocurrency miners, highlighting their economic motivations.
“The threat actors behind the Houken and the UNC5174 intrusion set may be dealing with private companies and may sell access and valuable data to entities related to several states, seeking their own interests that lead advantageous operations,” ANSSI said.