Full Report
Vendors (still) keep mum An "advanced" attacker exploited CitrixBleed 2 and a max-severity Cisco Identity Services Engine (ISE) bug as zero-days to deploy custom malware, according to Amazon Chief Information Security Officer CJ Moses.…
Analysis Summary
# Incident Report: Advanced Threat Exploiting Citrix and Cisco Zero-Days
## Executive Summary
An advanced attacker utilized zero-day exploits in both Citrix (CVE-2025-5777, dubbed CitrixBleed 2) and Cisco Identity Services Engine (Cisco ISE, CVE-2025-20337) to gain initial access and deploy sophisticated, custom malware. The exploitation, detected by an Amazon honeypot, leveraged a patch-gap technique, indicating a highly resourced threat actor. The custom backdoor featured advanced evasion techniques, operating in-memory within Cisco ISE systems.
## Incident Details
- Discovery Date: Undisclosed, but exploitation was observed before public disclosure of the Cisco flaw.
- Incident Date: Attempted exploitation occurred leading up to and around June/July 2025.
- Affected Organization: Amazon (detected via honeypot).
- Sector: Cloud Services / Technology.
- Geography: Not explicitly stated, but involving global vendors (Citrix, Cisco).
## Timeline of Events
### Initial Access
- Date/Time: Before June 17, 2025 (when Citrix disclosed the severity of CVE-2025-5777).
- Vector: Exploitation of Citrix NetScaler ADC and NetScaler Gateway devices.
- Details: Attackers exploited CVE-2025-5777 (an Out-of-Bounds Read flaw, CitrixBleed 2) to leak memory contents, likely to steal session secrets.
### Lateral Movement / Secondary Exploitation
- Date/Time: Following initial access, leading up to July 2025.
- Vector: Exploitation of a previously undocumented endpoint in Cisco ISE via CVE-2025-20337 (vulnerable deserialization logic).
- Details: Amazon Threat Intelligence identified the anomalous payload targeting the Cisco ISE flaw after investigating the Citrix activity. This second exploit allowed unauthenticated, remote attackers to execute arbitrary code with root privileges on the ISE operating system.
### Data Exfiltration/Impact
- Custom malware (backdoor) deployed post-Cisco ISE compromise.
- The attacker aimed to establish persistence and monitor systems, evidenced by the backdoor registering as an HTTP request listener.
### Detection & Response
- Detection: Amazon's honeypot detected the attempted break-in targeting the buggy Citrix devices.
- Response: Amazon Threat Intelligence identified the custom payload, investigated, and shared details about the secondary Cisco ISE vulnerability with Cisco.
## Attack Methodology
- Initial Access: Exploitation of Citrix NetScaler ADC/Gateway via CVE-2025-5777 (CitrixBleed 2).
- Persistence: Deployment of a custom backdoor on Cisco ISE systems.
- Privilege Escalation: Exploitation of CVE-2025-20337 on Cisco ISE, allowing root-level code execution.
- Defense Evasion: Custom malware operated in-memory, left minimal forensic artifacts, used DES encryption with non-standard Base64 encoding, and required specific HTTP headers for access.
- Credential Access: (Inferred; likely to leverage root access on ISE.)
- Discovery: (Inferred; the custom malware monitored all HTTP requests.)
- Lateral Movement: (Initial movement via Citrix, then a further pivot into ISE via the Cisco vulnerability.)
- Collection: Monitoring of all HTTP requests via a listener registered by the backdoor.
- Exfiltration: (Not explicitly detailed, but a clear goal given the advanced setup.)
- Impact: Deep compromise of enterprise security infrastructure (Cisco ISE).
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Not disclosed, but the access to Cisco ISE implies access to authentication and authorization data.
- Operational: Potential operational impact due to the compromise of critical identity services infrastructure.
- Reputational: Public disclosure by Amazon CISO highlights the risk posed by zero-day exploitation.
## Indicators of Compromise
- Network indicators: Custom HTTP headers expected for backdoor access (details redacted).
- File indicators: Custom backdoor designed for Cisco ISE environments, operating primarily in memory.
- Behavioral indicators: Injection of code into running threads using Java reflection; monitoring of all HTTP requests across the Tomcat server.
## Response Actions
- Containment: Identification and reporting of the zero-day vulnerabilities to the respective vendors (Citrix and Cisco).
- Eradication: (Not detailed, but mandatory steps would involve patching/rebuilding compromised ISE systems).
- Recovery: Applying patches released by June 17 (Citrix) and subsequent patches from Cisco.
## Lessons Learned
- Zero-day exploitation, particularly chain exploitation (Citrix into Cisco), signals highly resourced, advanced threat actors.
- "Patch-gap" exploitation—weaponizing vulnerabilities immediately after disclosure but before widespread patching—is a key tactic used by sophisticated actors.
- Vendors were slow to communicate or provide effective patches, increasing the risk window for customers.
## Recommendations
- Immediately prioritize patching for vulnerabilities like CVE-2025-5777 and CVE-2025-20337 upon disclosure, even before comprehensive vendor communications are available.
- Enhance network monitoring specifically for appliance/security infrastructure (like NetScaler and ISE) to detect anomalous behavior like in-memory injection or unexpected network listeners.
- Invest in advanced threat hunting capabilities focused on Java application introspection (e.g., Java reflection usage) within enterprise systems prone to deserialization flaws.
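The behavioral indicator above (code injected into running threads via Java reflection, never written to disk) and the recommendation to hunt for in-memory injection on Tomcat-based appliances both come down to one baseline check: does every class the JVM has loaded correspond to a class in a jar on disk? The script below is an added example written for this summary; it is not code from Amazon, Cisco or Citrix, and it is not taken from the incident. It assumes the column layout of the JDK's `jcmd <pid> GC.class_histogram` output, and both the histogram and the jar index it consumes are constructed inline. The class `com.example.ise.HttpRequestHook` is an invented placeholder that is deliberately missing from every jar, not a real indicator of compromise.

```python
"""Baseline hunt for in-memory-only JVM classes on a Tomcat-based appliance.

Compares the classes a running JVM reports as loaded against the classes that
actually exist in jars on disk. A class with no on-disk backing is a lead worth
examining, because an implant injected via reflection and never written to
disk shows up here while leaving few other artifacts.
"""
import re
import zipfile

# Lines are matched by the column layout of `jcmd <pid> GC.class_histogram`
# (assumed: "num: #instances #bytes class-name [(module)]"). This histogram is
# constructed for the example and is not real appliance output.
SAMPLE_HISTOGRAM = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         12345        987654  [B (java.base@17.0.2)
   2:          4321        345678  java.lang.String (java.base@17.0.2)
   3:           100         12000  org.apache.catalina.core.StandardContext
   4:            50          8000  com.example.ise.AuthServlet
   5:             2            64  org.apache.catalina.core.StandardContext$$Lambda$42/0x0000000800c0a000
   6:             1           560  com.example.ise.HttpRequestHook
   7:             3          1200  org.apache.tomcat.util.net.NioEndpoint$Poller
"""

# Constructed index of "jar -> classes it contains", standing in for a real
# scan of the appliance's lib directories (see index_jars below). The class
# com.example.ise.HttpRequestHook is an invented placeholder that is absent
# from every jar; it is not a real indicator from the incident.
SAMPLE_JAR_INDEX = {
    "lib/tomcat-catalina.jar": {
        "org.apache.catalina.core.StandardContext",
        "org.apache.tomcat.util.net.NioEndpoint$Poller",
    },
    "lib/ise-admin.jar": {"com.example.ise.AuthServlet"},
}

HISTOGRAM_LINE = re.compile(r"^\s*\d+:\s+\d+\s+\d+\s+(\S+)")

# Classes the JVM legitimately creates at runtime without a jar behind them
# (lambdas, dynamic proxies, reflection accessors, compiled JSPs).
RUNTIME_GENERATED = ("$$Lambda", "$Proxy", "jdk.internal.reflect.", "org.apache.jsp.")
# Classes that come from the JDK's own modules rather than application jars.
JDK_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "com.sun.")


def parse_class_histogram(text):
    """Return the set of loaded class names, skipping array types such as '[B'."""
    names = set()
    for line in text.splitlines():
        m = HISTOGRAM_LINE.match(line)
        if m and not m.group(1).startswith("["):
            names.add(m.group(1))
    return names


def index_jars(jar_paths):
    """Map each jar on disk to the fully qualified class names it contains."""
    index = {}
    for path in jar_paths:
        with zipfile.ZipFile(path) as zf:
            index[path] = {
                entry[: -len(".class")].replace("/", ".")
                for entry in zf.namelist()
                if entry.endswith(".class")
            }
    return index


def is_runtime_generated(name):
    """True for class names the JVM or container generates on the fly."""
    return any(marker in name for marker in RUNTIME_GENERATED)


def find_unbacked_classes(loaded, jar_index):
    """Loaded classes that no jar provides and the JDK does not explain."""
    on_disk = set().union(*jar_index.values()) if jar_index else set()
    return sorted(
        name
        for name in loaded
        if name not in on_disk
        and not name.startswith(JDK_PREFIXES)
        and not is_runtime_generated(name)
    )


if __name__ == "__main__":
    loaded = parse_class_histogram(SAMPLE_HISTOGRAM)
    for name in find_unbacked_classes(loaded, SAMPLE_JAR_INDEX):
        print("loaded with no on-disk backing:", name)
```

On a real appliance the histogram comes from `jcmd <pid> GC.class_histogram` against the Tomcat JVM and the index from `index_jars()` over the appliance's library directories; the output is a list of leads, not verdicts, so the sensible workflow is to build the index and the runtime-generated allowlist from a known-good appliance of the same version and treat any new unbacked class as something to pull from memory and examine.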