{
  "Event": {
    "analysis": "2",
    "date": "2025-07-01",
    "extends_uuid": "",
    "info": "Houken seeking a path by living on the edge with zero-days",
    "publish_timestamp": "1751553086",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1751552976",
    "uuid": "c4ff8fa3-9860-48da-a74a-f087aa0a76dd",
    "Orgc": {
      "name": "CUDESO",
      "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"France\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Finance\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"News - Media\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Telecoms\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Transport\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552529",
        "to_ids": false,
        "type": "link",
        "uuid": "cd7027bb-5545-4d93-a08b-ae91cc6f0085",
        "value": "https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-009/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552529",
        "to_ids": false,
        "type": "link",
        "uuid": "60e35356-1c54-4bd1-8d61-d2d43f827c16",
        "value": "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf"
      },
      {
        "category": "Network activity",
        "comment": "GOREVERSE C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "71c882d6-3ab4-4973-95ff-c9645ae5ef7b",
        "value": "107.173.111.26"
      },
      {
        "category": "Network activity",
        "comment": "GOREVERSE C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "100d9cf4-0afd-4c46-9fec-53e32f004de7",
        "value": "195.133.52.87"
      },
      {
        "category": "Network activity",
        "comment": "VPS contacted using Netcat to establish a reverse shell",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1c6185dd-5548-4c76-bb74-11b857b0bd1f",
        "value": "45.33.101.53"
      },
      {
        "category": "Network activity",
        "comment": "Controlled server contacted to download additional tools and to establish a reverse shell using Python",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "3749460f-f1ac-4484-a61c-680630982d74",
        "value": "156.234.193.18"
      },
      {
        "category": "Network activity",
        "comment": "Controlled server contacted to download additional tools",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f0ad02e5-1890-46ed-83b6-33c097705952",
        "value": "198.98.54.209"
      },
      {
        "category": "Network activity",
        "comment": "Vulnerabilities exploitation",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "95031f02-2be7-42eb-8c5c-03697a2b00d2",
        "value": "23.236.66.97"
      },
      {
        "category": "Network activity",
        "comment": "VPS contacted using SSH, SCP and TELNET",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "747d8ac3-8121-4494-8322-4f1d428fe24d",
        "value": "134.195.90.71"
      },
      {
        "category": "Network activity",
        "comment": "Vulnerabilities exploitation",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "276f9d96-05da-4d55-9f5a-1880c5e1a8b3",
        "value": "64.176.49.160"
      },
      {
        "category": "Network activity",
        "comment": "Connection attempts from compromised equipment",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552649",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c7ae1ad7-f75c-4fe0-b03b-5f4ab7ce8247",
        "value": "oyr2ohrm.eyes.sh"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552672",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "90110468-a728-479c-bb52-7554bb122e0b",
        "value": "CVE-2024-8190"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552976",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "9f555a18-cce6-4fcf-a429-99b4d29dbab6",
        "value": "CVE-2024-8963"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1751552976",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "6436adc1-271e-4f06-a8b0-0381cecc6413",
        "value": "CVE-2024-9380"
      }
    ],
    "EventReport": [
      {
        "uuid": "1ca83dda-f61f-48d7-a273-5df05d72b196",
        "name": "Summary",
        "content": "## The attack campaign in a nutshell\r\n\r\nAt the beginning of September 2024, an attacker repeatedly exploited the vulnerabilities CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices. These vulnerabilities were exploited as zero-days, before the publication of the Ivanti security advisory.\r\n\r\nThe attacker opportunistically chained these vulnerabilities to gain initial access to Ivanti CSA appliances, with the intention of:\r\n\r\n- Obtaining credentials through the execution of a base64-encoded Python script.\r\n- Ensuring persistence, by:\r\n  - deploying or creating PHP webshells;\r\n  - modifying existing PHP scripts to add webshell capabilities;\r\n  - occasionally installing a kernel module which acts as a rootkit once loaded.\r\n\r\nLikely in an effort to prevent exploitation by additional unrelated actors, the attacker attempted to self-patch web resources affected by the vulnerabilities.\r\n\r\nOn occasion, after establishing a foothold on victim networks through the compromise of Ivanti CSA devices, the attacker performed reconnaissance activities and moved laterally. In-depth compromises allowed the attacker to gather additional credentials and deploy further persistence mechanisms. The most recent activities around this attack campaign were observed by ANSSI at the end of November 2024.\r\n\r\n## Incidents in France\r\n\r\nSeveral incidents affecting French entities, and linked to this attack campaign, were observed by ANSSI at the end of 2024. The campaign targeted French organizations from the governmental, telecommunications, media, finance, and transport sectors.\r\n\r\nIn three cases, the compromise of Ivanti CSA devices was followed by lateral movements toward the victims\u2019 internal information systems. The malicious actor also collected credentials and attempted to establish persistence on these compromised networks. The attacker\u2019s operational activity time zone was UTC+8, which aligns with China Standard Time (CST).\r\n\r\nANSSI provided significant support to these entities, assisting in the conduct of forensic analysis and corrective actions regarding these incidents.",
        "id": "91",
        "event_id": "478",
        "timestamp": "1751552966",
        "deleted": false
      }
    ]
  }
}