Ethical Hacking News

The Rise of Houken: A Sophisticated Chinese Hacking Group Exploits Zero-Day Vulnerabilities in Ivanti CSA Devices



The French National Agency for the Security of Information Systems (ANSSI) has revealed that a Chinese hacking group known as Houken is exploiting zero-day vulnerabilities in Ivanti CSA devices. The campaign, which began at the start of September 2024, aims to gain credentials and establish persistence using various methods, including the deployment of PHP web shells, modification of existing scripts, and installation of rootkit-style kernel modules.

  • The French National Agency for the Security of Information Systems (ANSSI) has exposed a sophisticated Chinese hacking group known as Houken.
  • Houken has been linked to high-profile attacks on several sectors in France, leveraging zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.
  • The group uses publicly available web shells and open-source tools crafted by Chinese-speaking developers, indicating financial motivations.
  • Tradecraft similarities between Houken and UNC5174 suggest they may be operated by a common threat actor.
  • Houken has significant implications for organizations in France and beyond, requiring security professionals to remain vigilant and proactive against emerging threats.


In a recent revelation, the French National Agency for the Security of Information Systems (ANSSI) has exposed the existence of a sophisticated Chinese hacking group known as Houken. This group has been linked to several high-profile attacks on governmental, telecommunications, media, finance, and transport sectors in France, leveraging zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, which began at the start of September 2024, is characterized by its use of publicly available web shells like Behinder and neo-reGeorg, followed by the deployment of GOREVERSE to maintain persistence after lateral movement.

The attacks are notable for their sophistication, with the Houken group combining zero-day vulnerabilities, a sophisticated rootkit, and open-source tools crafted by Chinese-speaking developers. The attackers have also been observed attempting to patch the vulnerabilities they exploited, likely to prevent exploitation by other, unrelated actors. This behavior suggests that the Houken group may be seeking valuable initial accesses to sell to state-linked actors, pointing to financial motivations.

Furthermore, the tradecraft similarities between Houken and UNC5174 have raised the possibility that they are operated by a common threat actor. Both groups follow the same model of vulnerability exploitation: a first party identifies vulnerabilities, a second party uses them at scale to create opportunities, and the resulting access is then distributed to third parties, which further develop targets of interest.

In addition to its involvement in the Houken campaign, UNC5174 has also been linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The hacking crew has in the past also leveraged vulnerabilities in Palo Alto Networks, ConnectWise ScreenConnect, and F5 BIG-IP software to deliver the SNOWLIGHT malware, which is then used to drop a Golang tunneling utility called GOHEAVY.

The Houken group's activities have significant implications for organizations operating in France and beyond. As the threat actors continue to evolve their tactics, security professionals must remain vigilant and proactive in addressing these emerging threats. By staying informed about the latest vulnerabilities and attack vectors, organizations can take the necessary steps to protect themselves against sophisticated hacking campaigns like Houken.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Houken-A-Sophisticated-Chinese-Hacking-Group-Exploits-Zero-Day-Vulnerabilities-in-Ivanti-CSA-Devices-ehn.shtml

  • Published: Thu Jul 3 06:35:15 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.