An ongoing campaign by the Interlock ransomware group is exploiting a severe zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) Software.
The flaw can allow an unauthenticated remote attacker to execute arbitrary Java code with root privileges on an affected device.
Cisco disclosed the vulnerability on March 4, 2026. Amazon threat intelligence analysts observed Interlock exploiting it from January 26, 2026, which is 36 days before the public disclosure.
That head start let the group compromise organizations while defenders were still unaware of the flaw. Amazon shared its findings with Cisco to support the investigation. AWS infrastructure and customer workloads were not affected by this campaign.
The investigation progressed when a misconfigured server in the attackers' infrastructure exposed Interlock's full operational toolkit. The earliest observed activity consisted of HTTP requests to the vulnerable software path that carried attempted Java code execution together with embedded URLs.
Those URLs supplied configuration data and confirmed successful exploitation by triggering an HTTP PUT request that uploaded a generated file. By emulating a compromised system, researchers induced the attackers to deliver a malicious Linux ELF binary.
The exposed staging server showed that the group organized artifacts into a dedicated path for each target, which streamlined both the download of tools and the upload of data collected from compromised environments.
Cisco Firewall 0-day Flaw Exploited
Technical indicators firmly associate this activity with the Interlock ransomware family, a financially driven group that first appeared in September 2024.
The retrieved ELF binary, its embedded ransom note, and the TOR negotiation portal all match known Interlock branding. Their ransom notes explicitly cite regulatory exposure to increase pressure on victims, consistent with the group's established double-extortion model.
Amazon's threat intelligence team analysed activity timestamps and concluded that the actors operate in the UTC+3 timezone. Historically, Interlock targets industries where operational disruption forces prompt payment, concentrating on education, engineering, construction, manufacturing, healthcare, and government organizations.
Once inside, Interlock deploys a sophisticated toolkit to escalate privileges and maintain persistence. A retrieved PowerShell script conducts comprehensive Windows environment enumeration, gathering system details, browser artifacts, and network connections.
The script organizes findings into designated directories for each host and compresses them into ZIP files, indicating preparation for organization-wide encryption.
The group leverages custom remote access trojans implemented in both JavaScript and Java. The JavaScript implant utilizes Windows Management Instrumentation for profiling and establishes persistent WebSocket connections with RC4-encrypted messages.
It offers interactive shell access, file transfers, and SOCKS5 proxy capabilities. The functionally identical Java backdoor, built on GlassFish libraries, ensures redundant access.
To conceal their tracks, attackers deploy a Bash script configuring Linux servers as HTTP reverse proxies. This script installs HAProxy to forward traffic and aggressively wipes logs every five minutes.
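One defensive check for the five-minute log-wiping behaviour described above, written here as an added example (not Interlock's script and not Cisco or Amazon material): it parses a crontab and flags any high-frequency job that truncates or deletes files under /var/log. The sample crontab, the wipe-command patterns and the 15-minute threshold are constructed assumptions, not indicators from the report.

```python
import re

# Constructed sample crontab (not from the report): two benign jobs and two
# hypothetical 5-minute jobs that wipe logs, mirroring the described behaviour.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * truncate -s 0 /var/log/haproxy.log /var/log/auth.log
*/5 * * * * rm -f /var/log/nginx/*.log
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

LOG_PATH = re.compile(r"/var/log/\S+")
# Assumed set of commands that destroy log content; extend for your environment.
WIPE_WORDS = re.compile(r"\b(truncate|rm|shred|unlink)\b")
REDIRECT_TO_LOG = re.compile(r">\s*/var/log/")


def minute_cadence(field):
    """Return the run interval in minutes for a cron minute field, or None
    when the field is a fixed minute (runs at most hourly)."""
    m = re.fullmatch(r"\*/(\d+)", field)
    if m:
        return int(m.group(1))
    if field == "*":
        return 1
    return None


def find_log_wiping_jobs(crontab_text, max_interval_minutes=15):
    """Flag crontab entries that run at least every max_interval_minutes
    and both reference /var/log and use a wipe command or redirect."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # m h dom mon dow command
        if len(parts) < 6:
            continue
        cadence = minute_cadence(parts[0])
        command = parts[5]
        if cadence is None or cadence > max_interval_minutes:
            continue
        if LOG_PATH.search(command) and (
            WIPE_WORDS.search(command) or REDIRECT_TO_LOG.search(command)
        ):
            findings.append({"every_minutes": cadence, "command": command})
    return findings


if __name__ == "__main__":
    for hit in find_log_wiping_jobs(SAMPLE_CRONTAB):
        print(f"every {hit['every_minutes']} min: {hit['command']}")
```

Run the same function over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab output to cover the places such a job could be installed.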
Moreover, a fileless, memory-resident Java webshell captures HTTP requests carrying AES-128 encrypted commands using a hardcoded seed.
Interlock also misuses legitimate tools, including ConnectWise ScreenConnect, Volatility for memory forensics, and Certify for Active Directory exploitation, alongside its custom malware.
Organizations utilizing Cisco Secure Firewall Management Center must promptly apply the latest security updates. As the threat actor heavily customized downloaded artifacts for each specific target network, traditional file hashes are largely unreliable for signature-based detection.
Defenders should instead concentrate on identifying behavioral patterns, memory-resident anomalies, and the specific network reconnaissance tactics related to Interlock’s intricate attack chain.