Two then-unpatched zero-day vulnerabilities in Cisco and Citrix products were exploited by an advanced threat actor, and the attacks were detected by Amazon's MadPot honeypot network. The activity resulted in the deployment of IdentityAuditAction, a custom web shell disguised as a legitimate Cisco ISE component.

Amazon characterized the threat actor as "highly resourced", capable of exploiting multiple zero-days either through access to non-public vulnerability information or through sophisticated vulnerability research capabilities, and described the campaign as indiscriminate. In a blog post about the attacks, Mike Moses of Amazon stated, "The pre-authentication nature of these exploits reveals that even well-configured and meticulously maintained systems can be affected." "This highlights the significance of putting in place thorough defense-in-depth tactics and building strong detection capabilities that can recognize anomalous behavior patterns," he continued. The findings show once more that threat actors continue to target network edge appliances as a route into networks of interest.

Organizations should therefore restrict access to privileged management portals with firewalls or layered access controls: a pre-authentication exploit cannot be delivered to a portal the attacker cannot connect to. The web shell itself also shows how well-versed the adversary is in Tomcat internals, enterprise Java applications, and the inner workings of Cisco ISE. It can operate entirely in memory and inject itself into active threads using Java reflection, which lets it run covertly without leaving an obvious footprint on disk.

It uses DES encryption and registers itself as a listener, giving it visibility into every HTTP request handled by the Tomcat server.
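The article's advice to restrict management-portal access also gives defenders a cheap detection: any request to an administrative path that does not come from the management network means the restriction is missing or has been bypassed. The following script is an added example, not code from Amazon's post or from Cisco; the combined-format log lines are constructed for illustration, and the management CIDRs and admin path prefixes are assumptions to be replaced with your own.

```python
"""Flag requests to management-portal paths that originate outside an
allow-listed management network (added example; log lines are constructed)."""
import ipaddress
import re

# Assumption: administrative access is only legitimate from these networks.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Assumption: path prefixes that expose administrative functionality.
ADMIN_PREFIXES = ("/admin", "/manager", "/host-manager")

# Apache/Tomcat "combined" access-log format: client, identd, user,
# timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_management_source(ip_str):
    """True if the client address lies inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETWORKS)


def is_admin_path(path):
    """True if the request path starts with an administrative prefix."""
    return path.startswith(ADMIN_PREFIXES)


def find_violations(lines):
    """Return (ip, method, path, status) for every admin-path request
    made from outside the management networks. Malformed lines are skipped,
    and denied (4xx) requests are still reported because they show probing."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_admin_path(rec["path"]) and not is_management_source(rec["ip"]):
            hits.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
    return hits


# Constructed sample log: one legitimate admin login from the management
# network, two admin-path requests from public addresses, one non-admin
# request from a public address, and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2025:10:00:00 +0000] "GET /admin/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2025:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Dec/2025:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Dec/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 0 "-" "curl/8.0"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for ip, method, path, status in find_violations(SAMPLE_LOG):
        print(f"ALERT admin path reached from non-management source: {ip} {method} {path} -> {status}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. This catches exposure of the portal, not the web shell's own command traffic, which the article notes is DES-encrypted and handled by an in-memory listener; treat it as one layer beside the firewall rule and host-level inspection of the Java process.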