🇬🇧 Houken seeking a path by living on the edge with zero-days
CERTFR-2025-CTI-009. Date of last version: 01 July 2025.

In September 2024, ANSSI observed an attack campaign seeking initial access to French entities' networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from the governmental, telecommunications, media, finance, and transport sectors were impacted. ANSSI's investigations led to the conclusion that a single intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set "Houken".

Moderately sophisticated, Houken can be characterized by an ambivalent use of resources. While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers. Houken's attack infrastructure is made up of diverse elements, including commercial VPNs and dedicated servers. ANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by MANDIANT as UNC5174.

Since 2023, Houken has likely been used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI's knowledge. The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence. However, ANSSI also observed one case of data exfiltration as well as an interest in the deployment of cryptominers, indicating straightforward profit-driven objectives.
2.1 The attack campaign in a nutshell

At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices [1, 2, 3, 4]. These vulnerabilities were exploited as zero-days, before the publication of the Ivanti security advisory [5, 6, 7]. The attacker opportunistically chained these vulnerabilities to gain initial access to Ivanti CSA appliances, with the intention of:
• obtaining credentials through the execution of a base64-encoded Python script;
• ensuring persistence by:
– deploying or creating PHP webshells;
– modifying existing PHP scripts to add webshell capabilities;
– occasionally installing a kernel module which acts as a rootkit once loaded.

Likely in an effort to prevent exploitation by additional, unrelated actors, the attacker attempted to self-patch the web resources affected by the vulnerabilities. On occasion, after establishing a foothold on victim networks through the compromise of Ivanti CSA devices, the attacker performed reconnaissance activities and moved laterally. In-depth compromises allowed the attacker to gather additional credentials and deploy further persistence mechanisms. The most recent activities linked to this attack campaign were observed by ANSSI at the end of November 2024.

Several incidents affecting French entities and linked to this attack campaign were observed by ANSSI at the end of 2024. The campaign targeted French organizations from the governmental, telecommunications, media, finance, and transport sectors. In three cases, the compromise of Ivanti CSA devices was followed by lateral movement toward the victims' internal information systems. The malicious actor also collected credentials and attempted to establish persistence on these compromised networks. The attacker's operational activities took place in the UTC+8 time zone, which aligns with China Standard Time (CST).
ANSSI provided significant support to these entities, a
cert.ssi.gouv.fr
Cross-border cyberthreats require international solutions
Bern, 06.05.2025. The latest semi-annual report of the Federal Office for Cybersecurity (OFCS) shows how cybercriminals operate internationally and which means they use to spread their attacks. Because cyberthreats are now global and dependence on global software solutions keeps growing, interstate cooperation is gaining importance in this field. To strengthen cybersecurity in Switzerland, the obligation to report cyberattacks against critical infrastructure came into force on 1 April 2025. The principles of this obligation are harmonized with international standards and EU directives.

As the first point of contact for the public in the event of cyber incidents, the OFCS has been receiving voluntary reports of incidents in cyberspace through an online form since 2020. Analysis of these reports shows how cybercriminals operate internationally and develop new methods and strategies to spread their attacks. The latest OFCS semi-annual report presents these developments as well as the cyberthreat situation, in Switzerland and worldwide, in the second half of 2024.

From July to December 2024, the OFCS received 28,165 reports of cyber incidents, slightly fewer than in the first half of the year. Over the whole of 2024, it recorded 62,954 reports, i.e. 13,574 more than the previous year. These fluctuations are mainly explained by waves of calls made in the name of fake authorities. The ratio between reports from the public (90%) and those from companies, associations or authorities (10%) remained stable. As regards companies, there was a sharp rise in CEO fraud (719 cases in 2024 compared with 487 in 2023).

As usual, the categories most frequently mentioned by people who filled in the online form were "Fraud", "Phishing" and "Spam". As for fraudulent prize competitions, in the second half of 2024 the OFCS even received three times as many reports as usual.
news.admin.ch
2025 Q1 Trends in Vulnerability Exploitation | Blog | VulnCheck
In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities came from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace, with 28.3% of vulnerabilities exploited within 1 day of their CVE disclosure. This continues a similar pace we saw in 2024 and demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.

Here are the key takeaways from our analysis and coverage of known exploited vulnerabilities:
• 159 KEVs were publicly disclosed in Q1 2025
• 28.3% of KEVs had exploitation evidence disclosed within 1 day of a CVE being published
• 25.8% of KEVs are still awaiting or undergoing analysis by NIST NVD
• 3.1% of KEVs have been assigned the new "Deferred" status by NIST NVD
• 2 KEVs reported publicly have reserved but unpublished CVEs
• 1 KEV reported is now rejected
vulncheck.com