Citrix and Cisco attacks discovered via Amazon honeypot
Briefly

"An unidentified hacker group exploited the critical zero-day vulnerabilities CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco Identity Services Engine. Amazon's threat intelligence team discovered the attacks via their MadPot honeypot before the vulnerabilities became public knowledge. Amazon's MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777) before the vulnerability was publicly disclosed. This provided evidence that an attacker was already exploiting the leak. Through further investigation of the same attacker, Amazon also discovered a previously undocumented vulnerability in Cisco ISE, or a zero-day."
"MadPot is AWS's honeypot program. It is a global network of secret digital targets designed to attract attackers so that their methods can be investigated. Tens of thousands of sensors record more than 100 million connection attempts to these honeypots every day. That raw telemetry is analyzed to extract malware samples, indicators of compromise, and exploit patterns, after which the insights end up in Amazon's threat intelligence and security services such as GuardDuty, Shield, WAF, and Inspector."
"In addition to detection, MadPot also uses that intelligence to actively disrupt threats. Through AWS network controls and collaboration with hosters and other internet players, malicious infrastructures can be blocked or taken offline, and customers and government agencies can be alerted. The system, originally set up by an AWS security engineer, has repeatedly helped identify advanced attack groups and prevent incidents, and is now a core component of Amazon's cyber defense."
A hacker group exploited critical zero-day vulnerabilities CVE-2025-5777 in Citrix NetScaler and CVE-2025-20337 in Cisco Identity Services Engine. Amazon's MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777) before public disclosure and found evidence of active exploitation. Further investigation of the same attacker revealed a previously undocumented vulnerability in Cisco ISE. Citrix Bleed 2 is an out-of-bounds memory read in NetScaler ADC and Gateway; Citrix published patches at the end of June and exploits surfaced by early July, prompting CISA to mark it as actively exploited. MadPot collects telemetry, extracts malware and indicators, and helps disrupt malicious infrastructure through coordination and network controls.
Read at Techzine Global