Chinese Hackers Exploit Ivanti CSA Zero-Days to Target French Government and Telecoms

On July 3, 2025, France’s cybersecurity agency disclosed that multiple sectors—including government, telecommunications, media, finance, and transport—were affected by a cyber campaign led by a Chinese hacking group. This group exploited several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices. The campaign, identified in early September 2024, has been linked to an intrusion set known as Houken, which reportedly shares characteristics with the threat cluster tracked by Google Mandiant as UNC5174 (also referred to as Uteus or Uetus). According to the French National Agency for the Security of Information Systems (ANSSI), “Houken’s operators use both zero-day vulnerabilities and sophisticated rootkits, alongside a variety of open-source tools primarily developed by Chinese-speaking programmers.” The attack infrastructure utilized by Houken features a mix of components, including commercial VPNs and other tools.

Chinese Hackers Target French Government and Telecoms Using Ivanti CSA Zero-Days

On July 3, 2025, the French cybersecurity agency disclosed a significant cyberattack that has affected various sectors, including government, telecommunications, media, finance, and transport. The assault has been attributed to a Chinese hacking collective that exploited multiple zero-day vulnerabilities within Ivanti Cloud Services Appliance (CSA) devices. The campaign, identified in early September 2024, is linked to a unique intrusion set known as Houken. Analysts believe this group shares some characteristics with the threat cluster referred to by Google Mandiant as UNC5174.

The French National Agency for the Security of Information Systems (ANSSI) provided insight into the sophistication of Houken’s operations. Not only have the hackers employed zero-day vulnerabilities and an advanced rootkit, but they have also utilized a plethora of open-source tools primarily developed by Chinese-speaking engineers. This adds a layer of complexity to the threat, as it indicates a well-resourced and versatile attacker.

Houken’s attack infrastructure features a blend of diverse resources, including commercial VPN services and other tools designed to obfuscate their operations. This highlights the attackers’ strategic approach to maintaining operational security while launching sophisticated cyber incursions. The coordinated nature of the attack suggests a high level of planning and execution, targeting critical infrastructures vital to national safety and economic stability.

The implications of this attack extend beyond immediate data loss or service disruptions. The sectors affected play crucial roles in France’s governmental and economic framework, raising concerns about potential data exfiltration and long-term damage to these foundational institutions. For business owners and IT security professionals, understanding the nature of such attacks is paramount for developing robust defenses against similar incursions.

In terms of tactics utilized during the operation, the MITRE ATT&CK framework provides valuable insights. Techniques concerning initial access, persistence, and privilege escalation appear to be relevant in the context of this attack. The exploitation of zero-day vulnerabilities offers an avenue for initial access, while the rootkit may serve to maintain persistence within compromised systems. The use of open-source tools also indicates a capability to exploit widely available resources for privilege escalation, further complicating incident response strategies.

As businesses analyze their own cybersecurity postures in light of this incident, the lessons from the Houken campaign are particularly instructive. The increasing sophistication and targeting of such advanced persistent threats necessitate a proactive approach to cybersecurity. Organizations should consider the importance of patch management, continuous monitoring for anomalous activities, and the deployment of advanced threat detection solutions.

Ultimately, the targeting of critical infrastructure by state-sponsored actors signals an evolving threat landscape. Businesses must remain vigilant and informed about the tactics used by adversaries, reflecting an ongoing need for investment in cybersecurity measures. As the cyber realm becomes more intricate, a strategic response aligned with comprehensive frameworks like MITRE ATT&CK will be essential for safeguarding sensitive information and operational integrity.

Source link

Related Posts

TA829 and UNK_GreenSec Collaborate on Strategies and Infrastructure in Ongoing Malware Campaigns

July 01, 2025
Cyber Espionage / Vulnerability

Cybersecurity experts have identified striking tactical parallels between the threat actors behind the RomCom RAT and a group observed deploying a loader named TransferLoader. Enterprise security firm Proofpoint is tracking this activity back to a group recognized as UNK_GreenSec, alongside the RomCom RAT actors, referred to as TA829. This group is also known by multiple aliases, including CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu. According to Proofpoint’s findings, UNK_GreenSec emerged during their investigation of TA829, with notable similarities in infrastructure, delivery tactics, landing pages, and email lure themes. TA829 stands out in the threat landscape for its capacity to engage in both espionage and financially motivated attacks. This hybrid group, aligned with Russia, has been linked to the exploitation of zero-day vulnerabilities in Mozilla software.

Critical Flaw in Anthropic’s MCP Poses Remote Exploitation Risk for Developer Systems

July 01, 2025
Vulnerability / AI Security

Cybersecurity experts have identified a severe security flaw in Anthropic’s Model Context Protocol (MCP) Inspector project, potentially enabling remote code execution (RCE) and granting attackers total access to affected systems. Identified as CVE-2025-49596, this vulnerability boasts a CVSS score of 9.4 out of 10, indicating a critical risk level. “This represents one of the first significant RCE vulnerabilities within Anthropic’s MCP framework, opening the door to a new wave of browser-based attacks targeting AI development tools,” stated Avi Lumelsky from Oligo Security in a recent report. “With the ability to execute code on a developer’s machine, attackers can compromise sensitive data, install malware, and navigate through networks—posing serious threats to AI teams, open-source initiatives, and enterprises utilizing MCP.” Introduced by Anthropic in November 2024, MCP is an open protocol aimed at standardizing large language model (LLM) applications…

Hackers Exploit PDFs to Impersonate Microsoft, DocuSign, and Others in Callback Phishing Schemes

Cybersecurity experts have raised alarms about phishing campaigns that mimic well-known brands, deceiving victims into calling phone numbers managed by cybercriminals. According to Cisco Talos researcher Omid Mirzaei, “A notable percentage of email threats featuring PDF payloads persuade victims to dial adversary-controlled numbers, showcasing a prevalent social engineering tactic referred to as Telephone-Oriented Attack Delivery (TOAD) or callback phishing.” An analysis of phishing emails with PDF attachments from May 5 to June 5, 2025, found that Microsoft and DocuSign were the most frequently impersonated brands. Other notable targets in TOAD emails included NortonLifeLock, PayPal, and Geek Squad. This surge in activity forms part of broader phishing efforts that leverage the trust associated with popular brands to provoke harmful actions. Typically, these messages include PDF attachments…

Severe Cisco Vulnerability in Unified CM Allows Root Access via Hard-Coded Credentials

July 3, 2025
Vulnerability / Network Security

Cisco has issued patches to fix a critical security flaw in Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME). This vulnerability could enable an attacker to access susceptible devices with root privileges, achieving a CVSS score of 10.0 under the identifier CVE-2025-20309. In an advisory released on Wednesday, Cisco noted that “this vulnerability arises from the use of static user credentials for the root account, which are meant for development use only.” An attacker could exploit this flaw to log into an affected system and execute arbitrary commands as a root user. Hard-coded credentials often stem from testing or temporary fixes during development, but they should never be present in live environments.