Linux: Ivanti CSA critical flaws exploited by Houken for rootkit access

You’ll want to sit down for this one, because they’re not just grabbing credentials or tossing a webshell onto your server (although they’re doing that, too). Houken is injecting a full-on Linux kernel rootkit, and if just reading that makes your stomach drop, you’re not alone. Let’s walk through what’s happening here and what steps we can take to push back. 

This Isn’t Just a "Patch It and Forget It" Situation

Here’s the deal: the Houken campaign is patient, crafty, and relentless. They’ve been at it since late 2024, zeroing in on unpatched Ivanti CSA devices. These appliances, often deployed in environments where uptime is sacred, are being exploited via zero-day vulnerabilities. The attack doesn’t end with an initial breach—they bring a whole toolkit with them.

The first thing they do is snatch admin credentials. With those in hand, they’re off to the races: deploying webshells (both off-the-shelf and their own nasty creations) and setting up persistence. And then comes the real kicker—their pièce de résistance—the dreaded Linux kernel rootkit.

Once this rootkit gets loaded (we’re talking about a nasty piece of work called sysinitd.ko), you’re no longer in charge of your system, no matter what top or netstat says. They can intercept kernel operations, monitor traffic, tweak system behaviors, and most importantly, cover their tracks. This isn’t your garden-variety “oops, reboot and fix it” kind of malware. This is deep.

Anatomy of the Attack: How Does Houken Get Its Hooks In?

Breaking down their strategy is a bit like dissecting a stealth bomber—you marvel at the engineering while sweating how to defend against it. Here’s what Houken’s doing, step by step:

Ivanti CSA Exploits

The attackers leverage vulnerabilities in Ivanti CSA devices to break into networks. These devices often sit at the edge, acting as gateways to bigger systems. Perfect targets.

Credential Theft

Once they’re in, they extract administrative credentials using Python scripts. Here’s the clever part: these scripts encode data in Base64 to fly under the radar. Logs that seem fine at first glance? Yeah, not so much.

Webshell Deployment

PHP webshells are dropped onto the system to allow remote access. They’ll use these shells—both prebuilt versions and ones tailored for your environment—to walk through your network quietly.

Kernel Rootkit Deployment

This is where things get terrifying. The sysinitd.ko kernel rootkit gets installed, and suddenly, everything you rely on to monitor the system—whether it’s ps, lsof, or kernel trace logs—is prone to manipulation. It slides in undetected, controlling what the system shows you.

Persistence and Lateral Movement

If the rootkit wasn’t bad enough, there’s a user-space controller (sysinitd) working alongside it. This piece lets attackers manipulate the rootkit later on and ensures their presence doesn’t go away after a reboot.

Step Zero: Mitigation Starts with Hardening Access

First things first: if you’re using Ivanti CSA devices, lock them down now. These devices often sit in tightly controlled, sensitive environments, but the moment they’re left unpatched or misconfigured, they become entry points for the nightmare that’s Houken. Start by applying any available patches immediately.

Oh, and do not—under any circumstances—leave these devices directly accessible from the internet. Put them behind proper firewalls. Ideally, pair that with strict access rules, like IP whitelists or strictly managed VPN connections. If you have these devices running “out in the wild” with poor access policies, you’re leaving the front door wide open for attackers to walk in.

For Linux systems, make sure your kernel module handling isn’t wide open. Limiting dynamic module loading on production systems is a lifesaver here. If your system doesn’t need to load modules on the fly, make that the default state.

What Indicators of Compromise Should I Watch Out For?

The thing is, many administrators don’t realize their systems are compromised until it’s too late. With a kernel rootkit in play, basic commands like ps or lsmod can’t always be trusted. You’ll want to think more advanced:

• Check for weird Base64-encoded Python scripts. Attackers love these because they slip unnoticed under standard file monitoring.
• Hunt for anomalies in kernel activity. Tools like rkhunter and chkrootkit might help catch something the attackers missed, but know this: a stealthy rootkit can slip past even these tools. 
• Examine logs for strange PHP webshell behavior. Look for unusual IP-based admin access or commands issued outside normal operational hours.

Kernel Rootkit Defense (This Isn’t a Game)

Linux admins, take this bit seriously—kernel rootkits are not your average virus. Here’s what you can do to get ahead of them:

• Kernel Hardening: Use tools like SELinux or AppArmor to restrict untrusted code. For managed live patching, look into solutions like Ksplice.
• Log Everything: Rootkits aim to leave few traces, but pair kernel-level security with external logging to detect what slips through. Forward logs to hardened remote logging servers.
• Keep Systems Minimal: If you’re running a server that doesn’t need random modules, use a hardened kernel with strict module loading policies.

Real-World Tips for the Haul

If a system smells fishy—whether it’s sudden performance degradation, admin credentials getting locked out, or netstat showing strange connections—assume the worst until proven otherwise. Isolate the machine immediately. Once a rootkit gets deployed, scrubbing the system clean might be wishful thinking. Plan to rebuild the box instead.

Add EDR solutions into your stack if you can (open-source solutions like Wazuh or OSSEC can be a good start). These tools chew through logs better than human eyes ever could, pointing you toward unusual behavior before it spirals.

Our Final Thoughts: Step Up & Shut It Down

The Houken group represents exactly the kind of adversary that keeps security teams up at night. They’ve got the skill to play long games, the patience to stay in stealth mode, and the tools to turn your Linux server into their playground. The good news? They’re not invincible. Targeted attacks like this require a proactive, vigilant defense.

Stay patched, lock down network access, and deploy every logging and monitoring tactic you can manage. The Linux community often wins because of its shared vigilance—let’s keep that tradition alive!