Cisco Zero-Day Exploited by Interlock Ransomware; Urgent Patching Advised

Critical Cisco Firewall Zero-Day Exploited to Deploy Interlock Ransomware

In a concerning development, the Interlock ransomware group has been actively exploiting a critical zero-day vulnerability, designated as CVE-2026-20131, within Cisco’s Secure Firewall Management Center (FMC) Software. This flaw enables unauthenticated remote attackers to execute arbitrary Java code with root privileges on affected devices, posing a significant threat to organizational security.

Discovery and Exploitation Timeline

Cisco publicly disclosed CVE-2026-20131 on March 4, 2026. However, Amazon’s threat intelligence team uncovered that Interlock began exploiting this vulnerability as early as January 26, 2026—36 days prior to the public disclosure. This early exploitation window allowed the ransomware group to infiltrate numerous organizations before defensive measures could be implemented. Amazon promptly shared these findings with Cisco to aid in their investigation, clarifying that AWS infrastructure and customer workloads were not compromised during this campaign.

Technical Analysis of the Attack

The investigation gained momentum when a misconfigured server within Interlock’s infrastructure inadvertently exposed their complete operational toolkit. Initial attack vectors involved HTTP requests targeting a vulnerable software path, embedding Java code execution attempts and URLs designed to deliver configuration data. Successful exploitation was confirmed when the attackers triggered HTTP PUT requests to upload generated files. By simulating a compromised system, researchers prompted the deployment of a malicious Linux ELF binary, providing deeper insights into the group’s methodologies.

The exposed staging server revealed that Interlock meticulously organized artifacts into dedicated paths for individual targets. This systematic approach streamlined both the deployment of tools and the exfiltration of stolen data, indicating a high level of operational sophistication.

Attribution to Interlock Ransomware

Technical indicators strongly attribute this activity to the Interlock ransomware family, a financially motivated group that first emerged in September 2024. The recovered ELF binary, embedded ransom notes, and TOR negotiation portals align with established Interlock branding. Notably, their ransom notes uniquely cite regulatory exposure to maximize pressure on victims, fitting their known double extortion model.

Temporal analysis of timestamps suggests that the actors operate within the UTC+3 timezone. Historically, Interlock has targeted sectors where operational disruption compels immediate payment, including education, engineering, construction, manufacturing, healthcare, and government entities.

Deployment of Sophisticated Toolkits

Upon gaining access, Interlock deploys a comprehensive toolkit to escalate privileges and maintain persistence within compromised systems. A recovered PowerShell script conducts extensive Windows environment enumeration, collecting system details, browser artifacts, and network connections. The script organizes results into dedicated directories for each host and compresses them into ZIP archives, signaling preparation for organization-wide encryption.

The group utilizes custom remote access trojans (RATs) implemented in both JavaScript and Java. The JavaScript implant leverages Windows Management Instrumentation for profiling and establishes persistent WebSocket connections with RC4-encrypted messages. It provides interactive shell access, file transfers, and SOCKS5 proxy capabilities. The functionally identical Java backdoor, built on GlassFish libraries, ensures redundant access.

Evasion and Persistence Mechanisms

To obscure their tracks, attackers deploy a Bash script configuring Linux servers as HTTP reverse proxies. This script installs HAProxy to forward traffic and aggressively erases logs every five minutes, complicating forensic analysis. Additionally, a fileless, memory-resident Java webshell intercepts HTTP requests containing AES-128 encrypted commands using a hardcoded seed, further enhancing stealth.
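One defensive check that follows from the five-minute log erasure described above, written here as an added example (it is not code from the report or from the group's tooling): it takes periodic size samples of a log file and flags the near-regular truncation cadence such a wiper produces. The observations are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    ts: int    # sample time, seconds since epoch
    size: int  # log file size in bytes at that time


def truncation_events(obs):
    """Timestamps at which the file shrank between consecutive samples.
    A shrinking log means it was truncated, deleted and recreated, or rotated."""
    return [cur.ts for prev, cur in zip(obs, obs[1:]) if cur.size < prev.size]


def periodic_wipe(obs, min_events=3, tolerance=0.2):
    """Return (True, interval_seconds) when at least min_events truncations
    occur at a near-regular cadence (every gap within tolerance of the median
    gap), otherwise (False, None). Legitimate rotation is rare (typically
    daily or size-based), so a cadence of minutes is a strong anomaly."""
    events = truncation_events(obs)
    if len(events) < min_events:
        return False, None
    gaps = [b - a for a, b in zip(events, events[1:])]
    med = median(gaps)
    if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
        return True, med
    return False, None


def constructed_samples(wipe_every, minutes=20, rate=1000):
    """Constructed observations (not real data): a log that grows by `rate`
    bytes per minute and, when wipe_every > 0, is erased every wipe_every
    seconds with a few new bytes written before the next sample."""
    obs, size = [], 0
    for m in range(minutes + 1):
        ts = m * 60
        if wipe_every and ts > 0 and ts % wipe_every == 0:
            size = 50  # file was wiped; a few new lines logged since
        obs.append(Observation(ts, size))
        size += rate
    return obs


if __name__ == "__main__":
    for label, every in (("wiped every 5 min", 300), ("never wiped", 0)):
        print(label, "->", periodic_wipe(constructed_samples(every)))
```

In practice the observations would come from periodically stat'ing the web and proxy logs of internet-facing hosts, so that a log which keeps resetting on a fixed schedule is investigated rather than silently losing its history.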

Interlock also abuses legitimate tools, including ConnectWise ScreenConnect, Volatility for memory forensics, and Certify for Active Directory exploitation, alongside its custom malware. This blend of proprietary and legitimate tools underscores the group’s adaptability and resourcefulness.

Mitigation and Recommendations

Organizations utilizing Cisco’s Secure Firewall Management Center (FMC) Software are urged to take immediate action to mitigate the risks associated with CVE-2026-20131. Cisco has released patches addressing this vulnerability, and prompt application is essential to prevent exploitation.

In addition to patching, organizations should implement the following measures:

– Network Segmentation: Isolate critical systems to limit lateral movement by attackers.

– Access Controls: Enforce strict access controls and multi-factor authentication to reduce unauthorized access.

– Monitoring and Logging: Enhance monitoring to detect unusual activity and maintain comprehensive logs for forensic analysis.

– Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a breach.

By proactively addressing these vulnerabilities and strengthening overall security postures, organizations can better defend against sophisticated threats like the Interlock ransomware group.