Amazon attributes Cisco, Citrix zero-day attacks to APT group

Source: CyberScoop

Amazon’s threat intelligence team has identified an advanced persistent threat (APT) group exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler products. The exploitation took place before the vendors had disclosed and patched the flaws. Specifically, CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco were noted, with Amazon’s MadPot honeypot service detecting ongoing attacks. CJ Moses, Amazon’s Chief Information Security Officer, asserted that the same threat actor was likely responsible for exploiting both vulnerabilities.

The investigation into the attacks revealed that the threat group developed custom malware tailored to Cisco ISE environments, employing advanced evasion techniques that underscore its sophistication. Although the identity of this APT group remains uncertain, its primary objective appears to be prolonged access for espionage. The increasing focus of such threat groups on identity and network infrastructure, coupled with their capacity to rapidly weaponize vulnerabilities, reinforces the significant risk they pose to organizations. Amazon also reported that between early July and mid-July, over 11.5 million attack attempts were recorded, demonstrating the scale of the threat posed by these vulnerabilities.

👉 Read the original: CyberScoop