
The Identity Beast at the Gates: The APT That Breached Citrix and Cisco Before the World Knew

  • Javier Conejo del Cerro
  • 13 Nov
  • 4 min read

Before defenders even woke, an unseen Beast tested the walls of the identity fortress. Exploiting two separate zero-days, one in Citrix NetScaler ADC and Gateway (CVE-2025-5777, "CitrixBleed 2") and one in Cisco Identity Services Engine (CVE-2025-20337), a sophisticated APT infiltrated the very systems enterprises rely on to authenticate users, enforce policies, and guard the perimeter. Using patch-gap timing, custom tooling and in-memory backdoors, the operation revealed a strategic shift: identity infrastructure is now the battlefield, and the Beast has learned how to walk through its gates before anyone sees it coming.


Phase I – Approaching the Fortress Walls: Discovery of a Silent Predator


The first signs of the Beast appeared in Amazon’s MadPot honeypot network. Long before Citrix announced CVE-2025-5777, the sensors detected exploitation attempts tied to a yet-unknown vulnerability in NetScaler ADC and Gateway. These attempts were not random—they were coordinated, repeated, and striking exactly where the identity edge was weakest.

At nearly the same time, the same adversary probed Cisco Identity Services Engine (ISE), targeting an undocumented endpoint whose deserialization logic was vulnerable. There was no CVE yet, no advisory, no patch. But the Beast already knew where to strike, a hallmark of a threat actor with access to advanced vulnerability research, private exploit markets, or internal code intelligence.

This early reconnaissance revealed a frightening capability: simultaneous exploitation of two different zero-days in two separate, high-value platforms managing the identity fabric of global enterprises.


Phase II – Breaching the Gates: Dual Zero-Day Exploitation


The attack unfolded through two pre-authentication zero-days, granting the APT unprecedented power:

  1. CitrixBleed 2 (CVE-2025-5777): an out-of-bounds memory read in NetScaler ADC and Gateway that leaks session tokens from appliance memory. With a stolen token an attacker can hijack an authenticated session, including an administrator's, sidestep MFA (the token is issued after authentication completes) and reach whatever the gateway fronts, from VPN access to virtual desktop sessions. According to research from Kevin Beaumont, later confirmed by Amazon, exploitation had been occurring for at least a month before disclosure.

  2. Cisco ISE RCE (CVE-2025-20337): a deserialization flaw in an undocumented ISE endpoint that gives an unauthenticated attacker remote code execution as root on the appliance. Worse, exploitation was under way in the wild before Cisco had assigned a CVE or shipped a complete fix.

This "patch-gap exploitation" is the Beast's preferred method: strike the vulnerabilities defenders do not yet know they have, and establish persistence before a patch even exists.


Phase III – Inside the Inner Keep: Custom Web Shell and Deep Privilege


Once inside Cisco ISE, the APT deployed a custom-built, highly evasive in-memory web shell, disguised as a legitimate component named IdentityAuditAction. It was engineered specifically for Cisco environments, demonstrating deep familiarity with:

  • Tomcat internals

  • Enterprise Java application structures

  • Cisco ISE architectural nuances

The web shell used multiple stealth mechanisms:

  • Full in-memory execution, avoiding disk artifacts

  • Java reflection to inject into running threads

  • Registration as an HTTP listener to watch all inbound requests

  • DES encryption with altered Base64 encoding

  • Activation gated by secret HTTP headers

  • Dynamic class loading to evade behavioral scanners

This was not commodity malware. It was a purpose-built identity intruder designed to live inside the heart of an enterprise’s authentication engine.

With this access, the Beast could observe and potentially manipulate:

  • Identity objects and directory lookups

  • Session tokens

  • Admin activity

  • Policy changes

  • VPN gateway interactions

  • Remote access controls

The compromise wasn’t just a breach—it was an infiltration of the identity bloodstream.


Phase IV – Turning the Keys: Strategic Interest in Identity and Access Control


Across reports from Amazon, Dark Reading, Horizon3.ai, and ReliaQuest, a clear trend emerges: the Beast is shifting the battlefield toward identity and access management systems.

These systems are now prime targets because compromising them:

  • Grants persistent, nearly invisible access

  • Enables privilege escalation through new account creation

  • Allows hijacking of VPN and remote access gateways

  • Permits lateral movement across the network

  • Provides control over policy enforcement points

  • Bypasses traditional endpoint and perimeter defenses

ReliaQuest’s Q3 2025 data shows identity-related issues account for 44% of cloud risk, with 52% of incidents involving privilege escalation. Meanwhile, 99% of cloud identities are over-privileged, offering fertile ground for adversaries.

The Beast understands this better than many defenders: identity is the new perimeter, and it is fragile.


Phase V – Lessons from the Breach: Patch-Gap Exploitation and Exposure-Centric Defense


One of the most alarming revelations is the attacker's heavy reliance on patch-gap exploitation: the window that opens when a flaw is already being exploited in the wild and runs through public disclosure, patch release, and full deployment across the fleet.

According to Sectigo’s Jason Soroko, the better mindset is to assume:

  • Edge devices are always vulnerable

  • Exposure management is more important than patch speed

  • The blast radius must be minimized

  • Detection and containment must activate within hours

This incident shows that speed of patching is no longer enough; enterprises must shift from patch-centric defense to exposure-centric defense, from pure prevention to prevention plus rapid detection and containment.

This campaign marks a turning point in modern intrusion strategies. The Beast didn’t target endpoints or desktops. It didn’t rely on phishing or user interaction. Instead, it attacked the very brainstem of enterprise security—the systems deciding who you are, what you’re allowed to do, and where you’re allowed to go.


Three conclusions define the path ahead:


  1. Identity infrastructure is now the prime target. Cisco ISE, NetScaler, IAM portals, SSO gateways—these are now the crown jewels.

  2. Zero-days are being weaponized before vendors even know they exist. Honeypot telemetry proved exploitation occurred long before disclosure.

  3. Defense must evolve from patching to exposure reduction and rapid detection. Isolate management planes. Minimize privileges. Monitor identity anomalies. Deploy EDR/XDR capable of catching in-memory web shells.
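As an added illustration of what "monitor identity anomalies" means in practice for the two behaviours this post describes (a stolen session token replayed from a second host, as with CitrixBleed 2 in Phase II, and persistence through a freshly created admin account, as in Phase IV), here is a small Python hunt over gateway audit records. This is example code written for this page, not Amazon's tooling or any vendor's; the JSON-lines record format, its field names and the sample records are constructed assumptions, so map them to the real NetScaler or ISE log schema before use.

```python
"""Hunt for identity-layer hijack indicators in gateway/IAM audit records.

Added example, not from the original post or from Amazon's report. The
record format and field names are assumptions: a minimal JSON-lines audit
log with the fields a NetScaler/ISE-style gateway would plausibly emit
(timestamp, event, user, session token, source IP). Records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. Token "tok-A1" is used by 198.51.100.7 and,
# minutes later, by 203.0.113.9: the replay pattern a leaked session token
# produces. "svc_backup" is created by that hijacked session and performs an
# administrative action nine minutes after creation.
SAMPLE_LOG = """
{"ts": "2025-06-20T08:00:00Z", "event": "login",        "user": "alice",      "token": "tok-A1", "src": "198.51.100.7"}
{"ts": "2025-06-20T08:02:00Z", "event": "vpn_connect",  "user": "alice",      "token": "tok-A1", "src": "198.51.100.7"}
{"ts": "2025-06-20T08:09:00Z", "event": "admin_action", "user": "alice",      "token": "tok-A1", "src": "203.0.113.9"}
{"ts": "2025-06-20T08:10:00Z", "event": "user_create",  "user": "alice",      "token": "tok-A1", "src": "203.0.113.9", "target": "svc_backup", "role": "admin"}
{"ts": "2025-06-20T08:18:00Z", "event": "login",        "user": "svc_backup", "token": "tok-B7", "src": "203.0.113.9"}
{"ts": "2025-06-20T08:19:00Z", "event": "admin_action", "user": "svc_backup", "token": "tok-B7", "src": "203.0.113.9"}
{"ts": "2025-06-20T09:00:00Z", "event": "login",        "user": "bob",        "token": "tok-C3", "src": "192.0.2.44"}
{"ts": "2025-06-20T09:05:00Z", "event": "vpn_connect",  "user": "bob",        "token": "tok-C3", "src": "192.0.2.44"}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting the timestamp to datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_token_reuse(records, window_minutes=60):
    """Flag a session token seen from more than one source IP within the window.

    Grouping is by token, not by user: a replayed token carries the victim's
    identity, so a per-user view shows nothing unusual. A legitimate user
    rarely changes public IP mid-session; a stolen token replayed from the
    attacker's host does exactly that.
    """
    window = timedelta(minutes=window_minutes)
    by_token = defaultdict(list)
    for r in records:
        by_token[r["token"]].append(r)
    alerts = []
    for token, recs in by_token.items():
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]
        for r in recs[1:]:
            if r["src"] != first["src"] and r["ts"] - first["ts"] <= window:
                alerts.append({"rule": "token_reuse", "token": token,
                               "user": r["user"],
                               "ips": sorted({first["src"], r["src"]}),
                               "ts": r["ts"]})
                break  # one alert per token is enough for triage
    return alerts


def find_new_admin_activity(records, grace_minutes=24 * 60):
    """Flag administrative actions by an account created less than grace ago.

    A freshly minted admin acting within minutes is the persistence pattern
    the post describes (privilege escalation through new account creation).
    """
    grace = timedelta(minutes=grace_minutes)
    created = {r["target"]: r["ts"] for r in records if r["event"] == "user_create"}
    alerts = []
    for r in records:
        if r["event"] == "admin_action" and r["user"] in created:
            age = r["ts"] - created[r["user"]]
            if timedelta(0) <= age <= grace:
                alerts.append({"rule": "new_admin_activity", "user": r["user"],
                               "age_minutes": int(age.total_seconds() // 60),
                               "src": r["src"]})
    return alerts


def hunt(text=SAMPLE_LOG):
    """Run both rules over a log and return the combined alert list."""
    records = parse_log(text)
    return find_token_reuse(records) + find_new_admin_activity(records)


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

Against the constructed log this raises two alerts: the token-reuse rule fires on tok-A1 the moment it appears from the second address, and the new-admin rule fires on svc_backup nine minutes after its creation. The one-hour window keeps the first rule from being defeated by ordinary roaming later in the day, while the long grace period in the second rule means any new admin acting on day one is reviewed; shorten either to tune noise for your environment.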


The Beast walked through the gates once.

The next time it approaches, your fortress must be ready.



Source: Amazon

