Ivanti Zero-Day Exploited by Chinese Hackers
ID: ed9425e3-2078-568e-a719-d2ffa9f15ee4
STIX ID: report--ed9425e3-2078-568e-a719-d2ffa9f15ee4
Feed Name: Canary Trap
Chinese state-linked actors (Houken / UNC5174) exploited three Ivanti CSA zero-days (CVE-2024-8963, CVE-2024-9380, CVE-2024-8190), beginning in September 2024, to compromise French government, telecom, finance and media organizations as well as others worldwide. They deployed PHP web shells, open-source tunneling tools and a custom Linux kernel rootkit (sysinitd.ko) to gain root execution, persistence and stealth. The operators also patched the exploited flaws to deny access to rival actors, brokered initial access, and carried out opportunistic cryptojacking, while primarily pursuing intelligence collection.
