An active campaign by the Interlock ransomware group is exploiting a critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) Software.
Cisco disclosed the flaw on March 4, 2026; it allows unauthenticated remote attackers to execute arbitrary Java code as root. Amazon threat intelligence researchers discovered Interlock exploiting this vulnerability 36 days before its public disclosure, starting January 26, 2026.
This head start allowed the ransomware group to aggressively compromise organizations while defenders remained unaware. Amazon shared these findings with Cisco to support their investigation. AWS infrastructure and customer workloads were not involved in this campaign.
The investigation advanced when a misconfigured infrastructure server exposed Interlock’s complete operational toolkit. Initial threat activity consisted of HTTP requests to a vulnerable path in the software that contained Java code execution attempts and embedded URLs.
These URLs delivered configuration data and confirmed successful exploitation by triggering an HTTP PUT request to upload a generated file. By simulating a compromised system, researchers prompted the attackers to deploy a malicious Linux ELF binary.
The exposed staging server revealed that the group organized artifacts into dedicated paths for individual targets, streamlining both the downloading of tools and the uploading of stolen operational data.
Technical indicators confidently attribute this activity to the Interlock ransomware family, a financially motivated group that first emerged in September 2024.
The recovered ELF binary, embedded ransom note, and TOR negotiation portal align with established Interlock branding. Their ransom notes uniquely cite regulatory exposure to maximize pressure on victims, fitting their known double extortion model.
The Amazon threat intelligence team’s analysis of activity timestamps suggests the actors operate in the UTC+3 time zone. Historically, Interlock targets sectors where operational disruption forces immediate payment, primarily education, engineering, construction, manufacturing, healthcare, and government entities.
Upon gaining access, Interlock deploys a sophisticated toolkit to escalate privileges and maintain persistence. A recovered PowerShell script conducts extensive Windows environment enumeration, collecting system details, browser artifacts, and network connections.
The script organizes results into dedicated directories for each host and compresses them into ZIP archives, signaling preparation for organization-wide encryption.
The group utilizes custom remote access trojans implemented in both JavaScript and Java. The JavaScript implant uses Windows Management Instrumentation for profiling and establishes persistent WebSocket connections with RC4-encrypted messages.
It provides interactive shell access, file transfers, and SOCKS5 proxy capabilities. The functionally identical Java backdoor, built on GlassFish libraries, ensures redundant access.
To obscure their tracks, attackers deploy a Bash script configuring Linux servers as HTTP reverse proxies. This script installs HAProxy to forward traffic and aggressively erases logs every five minutes.
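A log-erasure cadence of every five minutes is itself a detectable behaviour. The following script is an added example written for this article, not code from Amazon, Cisco or the Interlock toolkit: it parses crontab-style entries and flags any job that runs at high frequency and wipes or truncates log data. The crontab lines are constructed, and the assumption that the erasure is cron-driven is ours; the report does not say how the script schedules it.

```python
"""Flag high-frequency scheduled jobs that erase log data.

Added example (not from the report). Assumes the periodic log erasure is
driven by cron; the sample crontab below is constructed.
"""
import re

SAMPLE_CRONTAB = """\
# constructed sample crontab
*/5 * * * * root truncate -s 0 /var/log/haproxy.log /var/log/syslog
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /usr/local/bin/healthcheck.sh
* * * * * root rm -f /var/log/auth.log
@hourly root find /var/log -type f -delete
"""

# Command references a log location or log-store maintenance command (heuristic).
LOG_TOUCH_RE = re.compile(r"/var/log|journalctl\s+--vacuum")
# Command deletes, truncates or overwrites rather than rotates (heuristic).
ERASE_RE = re.compile(r"\b(rm|truncate|shred|unlink)\b|:\s*>|>\s*/var/log|\s-delete\b")


def minute_interval(minute_field):
    """Approximate run interval in minutes from a cron minute field."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    if m:
        return int(m.group(1))
    return 60  # explicit minute or list: at most once per hour


def parse_crontab(text):
    """Yield (interval_minutes, user, command) for each system-crontab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            special, user, cmd = line.split(None, 2)
            yield (60 if special == "@hourly" else 24 * 60), user, cmd
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # malformed line, skip
        interval = minute_interval(parts[0])
        if parts[1] != "*":
            interval = max(interval, 60)  # restricted hours: not continuous
        yield interval, parts[5], parts[6]


def find_log_wipers(text, max_interval=15):
    """Return (interval, user, command) for jobs that erase logs at least
    every max_interval minutes."""
    hits = []
    for interval, user, cmd in parse_crontab(text):
        if interval <= max_interval and LOG_TOUCH_RE.search(cmd) and ERASE_RE.search(cmd):
            hits.append((interval, user, cmd))
    return hits


if __name__ == "__main__":
    for interval, user, cmd in find_log_wipers(SAMPLE_CRONTAB):
        print(f"every {interval} min as {user}: {cmd}")
```

Legitimate rotation (the nightly `logrotate` entry) is not flagged because it neither runs at high frequency nor matches an erase verb; the threshold of 15 minutes is a tunable choice, not a value from the report.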
Additionally, a fileless, memory-resident Java webshell intercepts HTTP requests containing AES-128 encrypted commands using a hardcoded seed.
Interlock also abuses legitimate tools, including ConnectWise ScreenConnect, Volatility for memory forensics, and Certify for Active Directory exploitation, alongside its custom malware.
Organizations running Cisco Secure Firewall Management Center must apply the latest security patches immediately. Because the threat actor heavily customized downloaded artifacts for each individual target network, traditional file hashes are largely unreliable for signature-based detection.
Defenders should instead focus on identifying behavioral patterns, memory-resident anomalies, and the specific network reconnaissance tactics associated with Interlock’s multi-stage attack chain.
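One behavioral pattern the report itself describes (in the account of the initial activity above) is an inbound request to the management appliance carrying Java code and an embedded URL, followed by the appliance fetching that URL and uploading a generated file to the same host with HTTP PUT. The script below is an added example for this article, not code from Amazon or Cisco: it correlates constructed inbound web-server lines with constructed egress-proxy lines and flags outbound traffic to hosts that first appeared inside inbound request payloads. The log formats, the placeholder path and the Java markers are assumptions; the report names none of them.

```python
"""Correlate inbound requests carrying embedded URLs with outbound traffic
to those URL hosts. Added example; all log data is constructed and the
formats are assumed."""
import re
from urllib.parse import urlparse

# Constructed inbound lines (assumed format: common log + quoted request body).
# /placeholder/vulnerable/endpoint stands in for the affected path, which the
# report does not name.
INBOUND_LOG = """\
203.0.113.10 - - [26/Jan/2026:10:01:02 +0000] "POST /placeholder/vulnerable/endpoint HTTP/1.1" 200 512 "ProcessBuilder http://198.51.100.7/cfg/target-a"
192.0.2.55 - - [26/Jan/2026:10:02:00 +0000] "GET /login HTTP/1.1" 200 1024 "-"
192.0.2.55 - - [26/Jan/2026:10:02:03 +0000] "POST /api/session HTTP/1.1" 200 256 "-"
"""

# Constructed egress-proxy lines (assumed format: client time method url status).
OUTBOUND_LOG = """\
10.0.0.5 2026-01-26T10:01:03Z GET http://198.51.100.7/cfg/target-a 200
10.0.0.5 2026-01-26T10:01:05Z PUT http://198.51.100.7/cfg/target-a/out.bin 201
10.0.0.5 2026-01-26T10:05:00Z GET http://updates.example.net/feed 200
"""

INBOUND_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<body>[^"]*)"$'
)
# Java class/method names commonly seen in code-execution payloads (heuristic).
JAVA_MARKERS = ("Runtime.getRuntime", "ProcessBuilder", "ScriptEngine", "java.lang.")
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_inbound(text):
    for line in text.splitlines():
        m = INBOUND_RE.match(line)
        if m:
            yield m.groupdict()


def embedded_url_hosts(inbound_text):
    """Map URL host -> source IP for inbound requests whose body carries
    both a Java marker and an embedded URL."""
    hosts = {}
    for rec in parse_inbound(inbound_text):
        body = rec["body"]
        if not any(mk in body for mk in JAVA_MARKERS):
            continue
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:
                hosts[host] = rec["ip"]
    return hosts


def parse_outbound(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            client, ts, method, url, status = parts
            yield {"client": client, "ts": ts, "method": method, "url": url, "status": status}


def correlate(inbound_text, outbound_text):
    """Return (client, method, url) for outbound requests to any host that
    first appeared embedded in a suspicious inbound request."""
    suspects = embedded_url_hosts(inbound_text)
    hits = []
    for rec in parse_outbound(outbound_text):
        if urlparse(rec["url"]).hostname in suspects:
            hits.append((rec["client"], rec["method"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, method, url in correlate(INBOUND_LOG, OUTBOUND_LOG):
        print(f"{client} -> {method} {url} (host seeded by inbound payload)")
```

The PUT is the strongest signal, since a management appliance has no routine reason to upload files to a host it was told about in an inbound request; the preceding GET shows the configuration fetch the report describes. Because the match is on behaviour (host seeded by an inbound payload) rather than on a file hash, per-target customization of the artifacts does not defeat it.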
