French authorities said government agencies and businesses spanning telecom, media, finance and transportation were impacted by the widely exploited Ivanti vulnerabilities.
The post China-linked attacker hit France’s critical infrastructure via trio of Ivanti zero-days last year appeared first on CyberScoop.
Multiple critical infrastructure sectors were hit last year during an attack spree in France via a trio of zero-day vulnerabilities affecting Ivanti Cloud Service Appliance devices, the country’s cybersecurity agency said in a report released Tuesday.
Government agencies and organizations in the telecommunications, media, finance and transportation industries were impacted by widespread zero-day exploits of CVE-2024-8190, CVE-2024-8963 and CVE-2024-9380 from early September to late November 2024, according to the French National Agency for the Security of Information Systems.
French authorities attribute the attacks to UNC5174, a former member of Chinese hacktivist collectives likely working as a contractor for China’s Ministry of State Security, according to Mandiant. The attacker, believed to use the persona “Uteus,” previously exploited edge device vulnerabilities in ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel and Zyxel firewalls.
Authorities in France concluded UNC5174 used a unique intrusion set it dubbed “Houken,” which used zero-day vulnerabilities, a sophisticated rootkit, various open-source tools, commercial VPNs and dedicated servers. Officials said Houken and UNC5174 are likely operated by the same threat actor, an initial access broker that also steals credentials and deploys mechanisms to achieve persistent access to victim networks.
“Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new,” France’s cybersecurity agency said in the report. “The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.”
The Cybersecurity and Infrastructure Security Agency issued an advisory in January warning that threat actors chained the three Ivanti zero-days to gain initial access, conduct remote code execution, obtain credentials and implant webshells on victim networks.
Sysdig researchers in April said they observed the China state-sponsored hacking group, UNC5174, using open-source offensive security tools, such as VShell and WebSockets, to blend in with more common cybercriminal activity.
Multiple attackers, including China-linked espionage groups, have repeatedly exploited a long run of vulnerabilities in Ivanti products. Ivanti is a repeat offender, shipping software with a high number of vulnerabilities — more than any other vendor in this space since the start of last year — across at least 10 different product lines since 2021.
CISA’s known exploited vulnerabilities catalog contains 30 Ivanti defects in the past four years, and attackers have exploited seven vulnerabilities in Ivanti products so far this year, according to cyber authorities.
Ivanti wasn’t immediately available to comment on the French authorities’ report.
Source: CyberScoop
Source Link: https://cyberscoop.com/france-government-ivanti-zero-days-china/