Chinese hackers weaponise new Ivanti CSA bugs to hit French public and private sector
Chinese threat group “Houken” (overlapping Google Mandiant’s UNC5174) exploited three zero-day flaws in Ivanti Cloud Services Appliance (CSA) – CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190 – to breach French government, telecoms, media, finance and transport bodies in September 2024. According to France’s cyber-security agency ANSSI, the attackers planted PHP web-shells or a bespoke “sysinitd” Linux rootkit, then used open-source tools such as Behinder, neo-reGeorg and GOREVERSE to move laterally and tunnel traffic. ANSSI believes Houken acts as an initial-access broker: one party finds the bugs, a second compromises devices at scale, and access is sold on to state-linked actors or criminals, sometimes for cryptocurrency mining.
France’s cyber watchdog ANSSI has revealed that a China-linked crew dubbed “Houken” silently abused three previously unknown flaws in Ivanti Cloud Services Appliance (CSA) gateways in September 2024. Targets included government departments as well as telecoms, media, finance and transport companies.
What happened?
• In early September 2024 the attackers chained CVE-2024-8963, CVE-2024-9380 and CVE-2024-8190 before any patches existed.
• They dropped PHP web-shells or a custom Linux rootkit called sysinitd (loaded as the kernel module sysinitd.ko), giving them root-level persistence on the appliance.
• Open-source implants such as Behinder and neo-reGeorg plus the Go-based GOREVERSE backdoor were used for lateral movement and tunnelling traffic over HTTP.
Bigger picture
ANSSI says Houken is likely an initial-access broker that sells footholds to other groups – a “multi-party” model increasingly common in Chinese operations. Some buyers went on to deploy cryptominers, showing both espionage and financial motives.
Recommended actions for UK organisations
1. Patch Ivanti CSA appliances immediately, and isolate from the internet any appliance that cannot be patched: the chain was exploited remotely, so an unpatched gateway is an open door.
2. Hunt for PHP files the product never shipped, the sysinitd.ko kernel module (check lsmod or /proc/modules) and long-lived outbound connections owned by unexpected Go binaries such as GOREVERSE.
3. Review the appliance’s web-server logs for repeated POST requests to a single PHP script: web-shells like Behinder and tunnels like neo-reGeorg are driven as a stream of POSTs to one page.
4. Review VPN and edge-device logs – initial-access brokers favour unmonitored gateways.
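To make hunting steps 2 and 3 concrete, here is an added triage script written for this page; it is not tooling from ANSSI, Ivanti or the Houken report. It runs detection logic over constructed samples of a CSA access log, a /proc/modules listing and `ss -ntp` output. The PHP allowlist, the IP addresses, the web-shell path /images/cache.php and the process name gorev are assumptions for illustration; build the real allowlist by inventorying a clean install.

```python
"""Hunt helpers for Ivanti CSA triage (added example, not vendor or ANSSI code).
All sample data below is constructed; the allowlists are hypothetical."""
import re
from collections import Counter

# One Apache/nginx combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist of PHP entry points a clean appliance serves.
KNOWN_PHP = {"/gsb/login.php", "/gsb/index.php"}

# Constructed access-log excerpt: one legitimate client and one client
# hammering a PHP file that is not on the allowlist.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2024:10:15:01 +0000] "GET /gsb/login.php HTTP/1.1" 200 1234
203.0.113.7 - - [03/Sep/2024:10:15:09 +0000] "POST /images/cache.php HTTP/1.1" 200 18
203.0.113.7 - - [03/Sep/2024:10:15:10 +0000] "POST /images/cache.php HTTP/1.1" 200 2048
203.0.113.7 - - [03/Sep/2024:10:15:12 +0000] "POST /images/cache.php?x=1 HTTP/1.1" 200 64
198.51.100.4 - - [03/Sep/2024:10:20:00 +0000] "GET /gsb/index.php HTTP/1.1" 200 9000
"""

# Constructed /proc/modules excerpt (same first column as `lsmod`).
SAMPLE_MODULES = """\
sysinitd 16384 0 - Live 0x0000000000000000 (OE)
ext4 737280 1 - Live 0x0000000000000000
"""

# Constructed `ss -ntp` excerpt; "gorev" is a hypothetical dropped Go binary.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:443        198.51.100.4:51234 users:(("httpd",pid=1201,fd=12))
ESTAB  0      0      10.0.0.5:40122      203.0.113.7:8443   users:(("gorev",pid=2410,fd=3))
"""

def parse_log(text):
    """Return one dict per parsable access-log line; query strings are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["path"] = d["path"].split("?", 1)[0]
            entries.append(d)
    return entries

def unknown_php_paths(entries, known=KNOWN_PHP):
    """Step 2: .php paths the product never shipped, with hit counts."""
    hits = Counter(e["path"] for e in entries
                   if e["path"].lower().endswith(".php") and e["path"] not in known)
    return dict(hits)

def post_beacons(entries, threshold=3):
    """Step 3: (client, path) pairs POSTing repeatedly to one PHP script,
    the traffic shape of a Behinder web-shell or a neo-reGeorg tunnel."""
    c = Counter((e["ip"], e["path"]) for e in entries
                if e["method"] == "POST" and e["path"].lower().endswith(".php"))
    return {k: v for k, v in c.items() if v >= threshold}

def loaded_modules_named(proc_modules_text, needle="sysinitd"):
    """Step 2: loaded kernel modules whose name contains the needle."""
    names = [ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()]
    return [n for n in names if needle in n]

SS_RE = re.compile(r'ESTAB\s+\d+\s+\d+\s+\S+\s+(?P<remote>\S+)\s+users:\(\("(?P<proc>[^"]+)"')

def unexpected_outbound(ss_text, allowed=("sshd", "httpd")):
    """Step 2: established sockets owned by a process outside the allowlist,
    returned as (process, remote address); a GOREVERSE-style tunnel is a stray
    binary holding a long-lived connection to an outside host."""
    found = []
    for ln in ss_text.splitlines():
        m = SS_RE.search(ln)
        if m and m["proc"] not in allowed:
            found.append((m["proc"], m["remote"]))
    return found

def run_hunt(log=SAMPLE_LOG, modules=SAMPLE_MODULES, ss=SAMPLE_SS):
    """Run every check and return the findings as one dict."""
    entries = parse_log(log)
    return {
        "unknown_php": unknown_php_paths(entries),
        "post_beacons": post_beacons(entries),
        "rootkit_modules": loaded_modules_named(modules),
        "outbound": unexpected_outbound(ss),
    }

if __name__ == "__main__":
    for name, finding in run_hunt().items():
        print(f"{name}: {finding}")
```

On a real appliance, feed the script the web-server access log, `cat /proc/modules` and `ss -ntp`; a hit in any of the four findings is a reason to take the box offline and image it before cleaning.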
Staying on top of appliance software updates and hardening remote-access gear remains the simplest way to stop well-resourced actors before they reach your core network.