A series of coordinated cyberattacks impacted numerous critical French sectors in late 2024, leveraging previously undisclosed security weaknesses in Ivanti Cloud Services Appliance products. These incidents targeted essential services such as government, telecommunications, finance, media, and transportation. Authorities in France observed significant repercussions from the exploitation, underscoring the risk to public and private infrastructures. Many organizations have since sought to strengthen their network defenses and review their dependence on similar technologies. The persistent nature of these threats continues to challenge stakeholders responsible for national resilience and data protection.
Recent analyses reveal a marked escalation in cyberattacks using Ivanti vulnerabilities compared to earlier years. Over the past four years, incidents involving Ivanti’s edge devices have grown in number, with researchers and security authorities reporting more frequent exploitation of these weaknesses, particularly by actors linked to China. Despite routine patch releases and advisories, adversaries have adapted by developing new attack methods and leveraging open-source tools to evade detection. While Ivanti previously addressed several vulnerabilities, recent campaigns represent a shift towards persistent, credential-stealing operations. Organizations now face greater pressure to maintain up-to-date defenses as threat actors continue to exploit both legacy and current systems.
What Techniques Did the Attackers Use?
The attackers, identified as UNC5174, exploited three Ivanti zero-day flaws known as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380. According to security investigators, this group employed a combination of zero-day vulnerabilities, a custom rootkit, and a suite of open-source as well as commercial tools to achieve their objectives. By using dedicated servers and VPNs, they sought to maintain undetected access within compromised environments. These methods enabled attackers to steal credentials and establish persistence on the networks of targeted organizations. The French security report notes,
The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence.
Who Was Behind the Incidents?
UNC5174, identified by security experts as a former member of Chinese hacktivist collectives, is suspected of working under contract for China’s Ministry of State Security. This actor has previously targeted several high-profile platforms, including ConnectWise ScreenConnect, F5 BIG-IP, Atlassian Confluence, the Linux kernel, and Zyxel firewalls. In these campaigns, UNC5174 reportedly operated under the persona “Uteus” and repurposed edge device vulnerabilities to obtain and monetize network access. French authorities attribute both the recent and earlier intrusions to this same threat group.
How Did Vendors and Agencies Respond?
Security agencies and Ivanti responded with advisories and updated software patches. The Cybersecurity and Infrastructure Security Agency warned organizations about the chained exploitation of Ivanti’s flaws, emphasizing the risks of credential theft, unauthorized access, and remote code execution. Ivanti stated that fully patched systems and newer versions were not affected. Their spokesperson indicated, “We support information sharing to aid defenders. This report covers threat actor activity from last fall that affected an end-of-life version of Cloud Services Appliance. Customers on fully patched or upgraded versions were not affected.” Ivanti has since released fixes and strongly recommended upgrades to unaffected CSA version 5.0.
As large-scale attacks on edge devices become more sophisticated, organizations must adopt proactive cybersecurity measures and promptly implement vendor patches. The repeated exploitation of Ivanti products places the company under intense scrutiny, particularly because its software has been at the center of multiple high-impact security incidents since 2021. French authorities, alongside international partners, highlight the necessity for coordinated responses and information sharing to counter evolving cyber threats, particularly those from state-linked adversaries. Enterprises should monitor advisories, continuously audit their systems, and avoid reliance on unsupported versions to minimize risk. Timely response and system upgrades remain essential in mitigating similar campaigns targeting critical infrastructure.