Ethical Hacking News
A Chinese hacktivist group has been identified by France's cyber agency ANSSI as the perpetrator behind a sophisticated cyberattack that exploited zero-day vulnerabilities in Ivanti CSA devices. The Houken intrusion set targeted French organizations across key sectors, including government, telecom, media, finance, and transport, using advanced techniques such as rootkits and PHP webshells. The attack is part of a larger trend of Chinese-speaking hacking groups developing sophisticated tools and techniques to exploit zero-day vulnerabilities.
The French cyber agency ANSSI reported a sophisticated cyberattack by the Chinese hacking group Houken targeting several French organizations. The attack exploited zero-day vulnerabilities in Ivanti CSA devices to gain initial access to compromised systems. The Houken group used unique techniques, including VPNs, dedicated servers, and rootkits, to maintain persistence and control over the compromised systems. The attackers likely served as an access broker, selling system footholds to other malicious actors and were involved in data theft and cryptomining. The attack highlights the need for organizations to prioritize vulnerability management, patching, and incident response capabilities to protect against such threats.
The French cyber agency ANSSI has recently reported on a sophisticated cyberattack carried out by a Chinese hacking group, known as Houken. The attack, which began in September 2024, targeted several French organizations across key sectors such as government, telecom, media, finance, and transport. The Houken intrusion set exploited zero-day vulnerabilities in Ivanti CSA devices to gain initial access to the compromised systems.
The attackers used a unique combination of techniques, including the use of Chinese open-source tools, VPNs, dedicated servers, and a sophisticated rootkit to maintain persistence and control over the compromised systems. The rootkit was used to hijack TCP traffic, allowing the attackers to remain undetected for an extended period. The attack also involved the deployment or creation of PHP webshells, as well as the occasional installation of kernel modules that acted as rootkits once loaded.
ANSSI reported that the Houken group targeted French entities across key sectors and prioritized Southeast Asian governments and education sectors, NGOs, and Western institutions linked to state functions. The attackers likely served as an access broker, selling system footholds to other malicious actors. Some activity suggested data theft and cryptomining.
The attack on French organizations is part of a larger trend in recent years, in which Chinese-speaking communities have developed sophisticated hacking tools and techniques to exploit zero-day vulnerabilities. These groups often target high-value systems, likely for espionage or the sale of access. The Houken group's use of advanced techniques and its focus on selling system footholds suggest that it may be a private entity operating independently of state-sponsored actors.
The attack has raised concerns about the security of Ivanti CSA devices and the need for organizations to prioritize vulnerability management and patching. ANSSI's report highlights the importance of monitoring threat actors' tactics, techniques, and procedures (TTPs) to improve incident response capabilities.
In conclusion, the Houken group's sophisticated cyberattack on French organizations using zero-day vulnerabilities in Ivanti CSA devices demonstrates the growing sophistication of Chinese-speaking hacking groups. The attack highlights the need for organizations to prioritize vulnerability management, patching, and incident response capabilities to protect against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Chinese-Hacktivist-Group-Exploits-Zero-Day-Vulnerabilities-to-Gain-Access-to-French-Organizations-ehn.shtml
https://securityaffairs.com/179602/apt/china-linked-group-houken-hit-french-organizations-using-zero-days.html
https://thehackernews.com/2025/07/chinese-hackers-exploit-ivanti-csa-zero.html
https://securityonline.info/anssi-exposes-houken-china-linked-threat-actor-exploiting-ivanti-csa-zero-days-deploying-linux-rootkits/
Published: Thu Jul 3 16:55:37 2025 by llama3.2 3B Q4_K_M