Amazon Uncovers APT Targeting Cisco and Citrix Zero-Day Vulnerabilities
Amazon’s threat intelligence team has identified an advanced persistent threat actor actively exploiting zero-day vulnerabilities in Cisco Identity Services Engine and Citrix NetScaler systems. The activity was uncovered through Amazon’s global honeypot network, which logged multiple attempts to compromise internet-facing network appliances long before the vulnerabilities were publicly disclosed or patched.
Discovery Through Amazon’s MadPot Honeypot Network
Amazon analysts detected anomalous traffic targeting Citrix NetScaler appliances that leveraged a previously unknown flaw. The malicious traffic triggered a deeper investigation, ultimately revealing exploitation of a then-undisclosed weakness that allowed remote code execution. Around the same time, the same actor was seen probing and attacking Cisco Identity Services Engine using a separate zero-day vulnerability that had not yet been documented by Cisco.
The actor demonstrated precision and familiarity with the internal architecture of both vendors’ products, suggesting access to specialized knowledge or extensive reconnaissance. The attacks were executed quietly and selectively, with no signs of mass exploitation, indicating a targeted and strategically motivated campaign.
Targeting Network Access and Identity Infrastructure
Cisco ISE and Citrix NetScaler represent some of the most critical components of modern enterprise networks. Cisco ISE controls authentication, device trust, and policy enforcement, while Citrix NetScaler is widely used for application delivery, VPN access, and secure remote connectivity. Compromising either appliance allows an attacker to obtain direct visibility into authentication flows, internal applications, and network segmentation boundaries.
By exploiting these systems, the threat actor gained high-level access to identity and access mechanisms, enabling them to intercept credentials, issue rogue sessions, and deploy remote payloads inside the victim network. These appliances often sit at the boundary between internal systems and the public internet, giving attackers a powerful vantage point once compromised.
Custom Web Shell and In-Memory Tooling
During analysis, Amazon researchers identified a custom web shell implanted in compromised Cisco ISE systems. The shell was disguised as a benign service component and relied on Java-based injection techniques to blend into the underlying application server. It operated entirely in memory, used encrypted command channels, and left minimal forensic evidence.
The Citrix exploitation involved a separate chain that delivered remote commands to the underlying operating system with similar stealth. The attacker relied on short-lived connections and concealed their operational footprint through obfuscation, encoded payloads, and rapid cleanup routines.
Motivations and Threat Profile
Based on the tools, precision, and limited scope of targeting, the actor is believed to have long-term intelligence objectives rather than financial motivations. Their interest in identity infrastructure and network edge appliances aligns with typical APT behavior, where the goal is durable access and covert data collection.
The ability to exploit multiple zero-days from different vendors indicates significant resources, whether through internal development, access to private vulnerability markets, or cooperation across specialized groups.
Risk to Organisations Worldwide
Many enterprises rely heavily on Cisco ISE for authentication and Citrix for secure connectivity. A breach in either product can lead to lateral movement, credential theft, policy manipulation, and exposure of sensitive applications. Because the attacks took place before vendor patches were available, organisations using outdated or unmonitored appliances may have been unknowingly vulnerable.
These attacks highlight the strategic risk associated with edge devices. Once compromised, they provide a single point of access into vast portions of an organisation’s infrastructure.
Recommended Mitigations
- Apply the latest security patches for Cisco ISE and Citrix NetScaler immediately.
- Restrict public exposure of management interfaces and isolate these appliances behind firewalls.
- Increase monitoring of authentication anomalies, unexpected listeners, and new processes on network appliances.
- Review historical logs for suspicious access attempts in the months leading up to the disclosure.
- Implement network segmentation to prevent compromised infrastructure from providing full lateral movement capability.
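The historical log review recommended above can be scripted. The following is an added example, not code from Amazon or from either vendor; it assumes a simplified, constructed access-log format (timestamp, source IP, method, path, status) rather than the real ISE or NetScaler log layout, and it flags requests to management paths from sources outside an admin allowlist during a lookback window before the disclosure date.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (hypothetical format, not a real appliance log).
SAMPLE_LOG = """\
2025-09-02T03:14:07Z 203.0.113.45 POST /admin/login 401
2025-09-02T03:14:09Z 203.0.113.45 POST /admin/login 200
2025-09-03T11:02:51Z 10.20.0.7 GET /admin/dashboard 200
2025-10-15T22:47:30Z 198.51.100.9 GET /portal/home 200
2025-10-16T01:05:12Z 198.51.100.9 GET /admin/services 200
2025-05-01T08:00:00Z 192.0.2.77 POST /admin/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src), "method": method,
            "path": path, "status": int(status)}


def find_suspicious(log_text, disclosure_date, lookback_days,
                    admin_networks, mgmt_prefixes=("/admin/",)):
    """Return management-interface requests from non-allowlisted sources
    in the lookback window ending at the disclosure date. Successful
    requests (status < 400) are marked 'success', the rest 'attempt'."""
    start = disclosure_date - timedelta(days=lookback_days)
    allowed = [ip_network(n) for n in admin_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= disclosure_date):
            continue
        if not rec["path"].startswith(mgmt_prefixes):
            continue
        if any(rec["src"] in net for net in allowed):
            continue
        severity = "success" if rec["status"] < 400 else "attempt"
        hits.append((rec["ts"].isoformat(), str(rec["src"]),
                     rec["path"], rec["status"], severity))
    return hits
```

Sources that appear with a `success` entry after earlier `attempt` entries deserve the first look, since that pattern matches a login that eventually worked against a management interface.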
Conclusion
Amazon’s discovery of coordinated exploitation of Cisco and Citrix zero-day vulnerabilities reinforces the shift in attacker focus from user endpoints to core identity and access infrastructure. These appliances serve as gateways to critical business systems, making them high-value targets for advanced threat actors. Organisations must strengthen visibility, adopt strict access controls, and treat edge appliances as strategic assets requiring the same level of security attention as internal servers and applications.