patch-gap exploitation technique is a hallmark of sophisticated threat actors who closely monitor security updates and quickly weaponize vulnerabilities.”

Amazon did not immediately respond to CSO’s queries on why it is sharing information about the zero-day exploits months later.

After gaining access, the actor deployed a tailor-made web shell disguised as the “IdentityAuditAction” component of Cisco ISE. It ran entirely in memory, registered as an HTTP listener in the Tomcat server, used DES encryption with non-standard Base64 encoding, and required specific HTTP headers for access.
Implication for enterprise defense: The attack challenges assumptions that identity management and network-access systems are inherently secure. The pre-authentication nature of these exploits, the blog noted, reveals that even well-configured and meticulously maintained systems can be affected.

”The campaign underscored the evolving tactics of threat actors targeting critical enterprise infrastructure at the network edge,” Moses said. “The threat actor’s custom tooling demonstrated a deep understanding of enterprise Java applications, Tomcat internals, and the specific architectural nuances of the Cisco Identity Service Engine.”

Amazon recommends organizations adopt a layered defense, which includes limiting access to privileged security appliance endpoints (firewalls, proxies, access gateways), monitoring for unusual in-memory activity, and treating identity systems as high-risk zones subject to the same scrutiny as public-facing servers.

The revelation fits into a broader pattern of attackers moving to remote-access and identity infrastructure, a trend that first came into focus during the Citrix Bleed wave in late 2023, when credential-harvesting exploits against Citrix ADC and Gateway appliances fueled widespread intrusions. Since then, more such campaigns have emerged, including one by Scattered Spider involving a help-desk hack that enabled access to the C-suite’s identity infrastructure (Microsoft Entra ID/Active Directory).
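The in-memory web shell described above answers HTTP requests through a handler that Tomcat registered at runtime, so no deployment descriptor on disk declares it. One concrete form of the "monitor for unusual in-memory activity" advice is to compare the paths that actually return success in the Tomcat access log against the paths the deployed applications declare. The script below is an added example, not code from Amazon's report or from Cisco ISE; the log lines, the `/admin/...` paths and the `DEPLOYED_PATHS` baseline are constructed for illustration, and the default Tomcat "common" access-log pattern is assumed.

```python
import re
from collections import Counter

# Constructed Tomcat access log lines in the default "common" pattern
# (%h %l %u %t "%r" %s %b). Sample data only, not logs from the incident.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /admin/login.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [12/Nov/2025:10:01:09 +0000] "POST /admin/LoginAction.do HTTP/1.1" 302 0
198.51.100.7 - - [12/Nov/2025:10:02:41 +0000] "POST /admin/IdentityAuditAction HTTP/1.1" 200 412
198.51.100.7 - - [12/Nov/2025:10:02:55 +0000] "GET /nonexistent HTTP/1.1" 404 0
198.51.100.7 - - [12/Nov/2025:10:03:10 +0000] "POST /admin/IdentityAuditAction HTTP/1.1" 200 389
"""

# Hypothetical baseline of URL paths served by the deployed (on-disk) web
# applications. In practice, build it from the servlet mappings in each
# deployed web.xml and from annotated servlets, not by hand.
DEPLOYED_PATHS = {"/admin/login.jsp", "/admin/LoginAction.do"}

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_line(line):
    """Parse one common-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unregistered_handlers(log_text, deployed_paths):
    """Return {path: hit_count} for paths that answered 2xx but are not in
    the deployed baseline. A handler that exists only in memory is exactly
    what this surfaces: the container serves it, yet nothing on disk
    declares it. Paths that returned 404 are not interesting here."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if 200 <= int(rec["status"]) < 300 and path not in deployed_paths:
            hits[path] += 1
    return dict(hits)

if __name__ == "__main__":
    for path, n in find_unregistered_handlers(SAMPLE_LOG, DEPLOYED_PATHS).items():
        print(f"ALERT: {n} successful request(s) to undeclared path {path}")
```

A runtime-registered handler can also hijack a path that is legitimately declared, so treat this as one signal and pair it with inspection of the live container state (for example, the servlet and filter MBeans Tomcat exposes over JMX) rather than relying on descriptors alone.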
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4089200/zero-day-exploits-hit-cisco-ise-and-citrix-systems-in-an-advanced-campaign.html