A recent cyberattack campaign has impacted critical sectors in France, with a China-linked threat group dubbed “Houken” exploiting zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices.
The campaign, observed by France’s ANSSI (Agence nationale de la sécurité des systèmes d’information), highlights a new wave of attacks in which Houken operators used both advanced rootkits and a blend of open-source hacking tools to achieve persistence and facilitate lateral movement across victim networks.
Targeted Exploitation of Ivanti CSA Devices
In September 2024, attackers exploited three critical zero-day vulnerabilities (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) in Ivanti CSA appliances.
These flaws enabled remote code execution, allowing Houken to harvest credentials, deploy malicious payloads, and establish multiple footholds within organizations.
The attacks were notably opportunistic and multi-faceted. Targets included French government agencies and organizations in the telecom, media, finance, and transport sectors.
After initial compromise, the attackers quickly moved laterally and conducted in-depth reconnaissance, often focusing on high-value assets such as F5 BIG-IP devices.
Key to their persistence was the deployment of PHP webshells and the modification of legitimate PHP scripts to execute malicious commands.
In particularly valuable targets, Houken operators installed a custom Linux rootkit composed of a kernel module (sysinitd.ko) and a user-space binary (sysinitd), enabling them to hijack inbound TCP traffic and execute arbitrary commands as root.
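Checking a PHP web root for the two persistence methods described above, as an added example that is not ANSSI's or Ivanti's code: a hash baseline taken from a known-good install catches both modified legitimate scripts and newly dropped files, and a simple pattern pair flags PHP that passes request input to a command-execution function. The heuristics, file names and sample contents are assumptions constructed for the demo.

```python
import hashlib, os, re, tempfile

# Assumed heuristics, not ANSSI's detections: an execution primitive fed by request input
EXEC_CALL = re.compile(r"\b(eval|system|passthru|shell_exec|assert)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def php_files(root):
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                yield os.path.relpath(os.path.join(dirpath, n), root)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Hash every PHP file of a known-good install; keep the result off the appliance."""
    return {p: sha256_file(os.path.join(root, p)) for p in php_files(root)}

def scan(root, baseline):
    """Return sorted (path, reason) findings: drift from baseline and webshell-like code."""
    findings = []
    for p in php_files(root):
        full = os.path.join(root, p)
        if p not in baseline:
            findings.append((p, "new file not in baseline"))
        elif baseline[p] != sha256_file(full):
            findings.append((p, "modified since baseline"))
        with open(full, errors="replace") as f:
            src = f.read()
        if EXEC_CALL.search(src) and REQUEST_INPUT.search(src):
            findings.append((p, "executes request-controlled input"))
    return sorted(findings)

def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed sample: baseline a clean web root, then alter a legitimate script and drop a new file."""
    root = tempfile.mkdtemp()
    write(root, "index.php", "<?php echo 'hello'; ?>")
    write(root, "lib/util.php", "<?php function add($a, $b) { return $a + $b; } ?>")
    baseline = build_baseline(root)
    write(root, "lib/util.php", "<?php function add($a, $b) { return $a + $b; } @eval($_POST['c']); ?>")
    write(root, "img/.cache.php", "<?php system($_GET['cmd']); ?>")
    return scan(root, baseline)
```

Running `demo()` reports the altered `lib/util.php` twice (modified, and executing request input) and the dropped `img/.cache.php` twice (unknown file, and executing request input), while the untouched `index.php` is silent.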
Infrastructure and Tooling: A Blend of Sophistication and Commodity
Houken’s infrastructure combined commercial VPNs (including NordVPN, ExpressVPN, and ProtonVPN) with virtual private servers and even residential IP addresses to mask the origins of attacks.
ANSSI identified overlapping attack infrastructure used across multiple incidents, revealing a lack of operational segmentation and hinting at a multi-actor or “access broker” approach.
While the rootkit demonstrated advanced development capabilities, Houken was also notable for its extensive use of publicly available offensive tools, many of which were developed by Chinese-speaking security communities.
Tools such as Neo-reGeorg, Behinder (Ice Scorpion), and GOREVERSE were found on compromised systems. These tools, alongside bespoke webshells, enabled further exploitation, tunneling, and credential theft.
The actor’s time zone and tool selection suggest a link to UNC5174, a threat actor identified by Mandiant and Google as an access broker potentially working for China’s Ministry of State Security.
Both intelligence collection and profit motives were observed, including data exfiltration and, in rare cases, cryptocurrency mining.
Implications and Ongoing Threat
The Houken campaign highlights the growing threat posed by access brokers exploiting zero-day vulnerabilities on edge devices.
With a focus on gaining initial access for potential resale to state-linked actors or cybercriminals, these campaigns pose a threat to both national security and commercial interests across Europe and beyond.
Security teams are urged to patch edge devices promptly, monitor for known indicators of compromise, and be vigilant against both commodity and custom attack tools that are now defining the modern threat landscape.