Chinese Hackers

[kyonides]

Chinese Hackers Exploit Ivanti CSA Zero-Days in Attacks on French Government, Telecoms

The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.

The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken, which is assessed to share some level overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus).

"While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said. "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and dedicated servers."

The agency theorized that Houken is likely being used by an initial access broker since 2023 with an aim to gain a foothold into target networks and then shared with other threat actors interested in carrying out follow-on post-exploitation activities, reflective of a multi-party approach to vulnerability exploitation, as pointed out by HarfangLab.

"A first party identifies vulnerabilities, a second uses them at scale to create opportunities, then accesses are distributed to third parties which further attempt to develop targets of interest," the French cybersecurity company noted earlier this February.

"The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence," the agency added.

In recent months, UNC5174 has been linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The hacking crew has also leveraged vulnerabilities in Palo Alto Networks, Connectwise ScreenConnect, and F5 BIG-IP software in the past to deliver the SNOWLIGHT malware, which is then used to drop a Golang tunneling utility called GOHEAVY.

Another report from SentinelOne attributed the threat actor to an intrusion against a "leading European media organization" in late September 2024.

In the attacks documented by ANSSI, the attackers have been observed exploiting three security defects in Ivanti CSA devices, CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, as zero-days to obtain credentials and establish persistence using one of the three methods -

Directly deploying PHP web shells
Modifying existing PHP scripts to inject web shell capabilities, and
Installing a kernel module that serves as a rootkit

The attacks are characterized by the use of publicly available web shells like Behinder and neo-reGeorg, followed by the deployment of GOREVERSE to maintain persistence after lateral movements. Also employed is an HTTP proxy tunneling tool called suo5 and a Linux kernel module named "sysinitd.ko" that was documented by Fortinet in October 2024 and January 2025.

"It is composed of a kernel module (sysinitd.ko) and a user-space executable file (sysinitd) installed on the targeted device through the execution of a shell script: install.sh," ANSSI said. "By hijacking inbound TCP traffic over all ports, and invoking shells, sysinitd.ko and sysinitd allow the remote execution of any command with root privileges."

Taiwan NSB Alerts Public on Data Risks from TikTok, Weibo, and RedNote Over China Ties

Taiwan's National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China.

The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.

"The results indicate the existence of security issues, including excessive data collection and privacy infringement," the NSB said. "The public is advised to exercise caution when choosing mobile apps."

The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.

According to the analysis, RedNote violated all 15 indicators, followed by Weibo and TikTok that were found to breach 13 indicators. WeChat and Baidu Cloud violated 10 and 9 of the 15 indicators, respectively.

These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters.

"With regard to data transmission and sharing, the said five apps were found to send packets back to servers located in China," the NSB said. "This type of transmission has raised serious concerns over the potential misuse of personal data by third-parties."

NSB also pointed out that companies operating in China are obligated to turn over user data under domestic laws for national security, public security, and intelligence purposes, and that using these apps can breach the privacy of Taiwanese users.

The development comes as countries like India have enacted bans against Chinese-made apps, citing security concerns. In November 2024, Canada ordered TikTok to dissolve its operations in the country, although its fate in the U.S. still remains in limbo, as the ban – which was supposed to take effect in January 2025 – has been extended for a third time.