Cisco Firewall Zero-day Vulnerability Exploited to Deploy Interlock Ransomware
Amazon Threat Intelligence has uncovered an active Interlock ransomware campaign exploiting CVE‑2026‑20131, a critical zero‑day vulnerability in Cisco Secure Firewall Management Center (FMC) Software that enables unauthenticated, remote attackers to execute arbitrary Java code as root on affected devices.
Cisco formally disclosed the flaw on March 4, 2026, but Amazon’s analysis shows Interlock had already weaponized it 36 days earlier, beginning January 26, 2026, giving the group a significant head start over patched environments.
CVE‑2026‑20131 is a maximum‑severity (CVSS 10.0) remote code execution vulnerability in the FMC web‑based management interface, stemming from insecure deserialization of a user‑supplied Java byte stream.
By sending a crafted serialized Java object to the management endpoint, an attacker can gain root‑level execution without authentication, effectively turning the firewall management console into a beachhead for lateral movement and ransomware deployment.
Using Amazon MadPot’s global honeypot‑like sensor network, Amazon threat intelligence teams identified HTTP requests targeting a specific FMC‑exposed path, with payloads containing Java‑based RCE attempts and embedded URLs used to deliver configuration data and to have the exploited host perform an HTTP PUT back to the attacker‑controlled server.
By mimicking a successfully exploited host and responding to this PUT, Amazon’s analysts triggered Interlock’s next stage, which delivered a malicious ELF binary from a remote server and exposed the ransomware group’s full operational toolkit.
Once inside an organization via the FMC, Interlock executes a structured, multi‑stage intrusion pattern. A PowerShell reconnaissance script collects OS and hardware details, running services, installed software, storage layouts, Hyper‑V VMs, and user file listings from Desktop, Documents, and Downloads, then compresses the data into a hostname‑indexed ZIP archive stored on a centralized network share (e.g., \\JK‑DC2\Temp\{hostname}). This structured, per‑host output is typical of ransomware operators preparing for organization‑wide encryption.
The group then deploys custom remote access trojans (RATs) to maintain long‑term control. A JavaScript‑based implant hides its activities by overriding browser console methods and profiles the host via PowerShell and WMI. It communicates with command‑and‑control (C2) over persistent WebSocket connections using RC4‑encrypted messages with per‑message 16‑byte random keys.
A functionally equivalent Java‑based RAT built around GlassFish, Grizzly, and Tyrus libraries provides the same capabilities, ensuring fallback access if one variant is detected and removed.
To avoid attribution, Interlock configures Linux servers as HTTP reverse proxies using a Bash script that installs HAProxy 3.1.2, hardcodes a forwarding target, and ensures persistence via systemd.
A five‑minute cron job continuously truncates /var/log/*.log and turns off shell history, effectively erasing forensic traces and indicating that these nodes are disposable “traffic‑laundering” relays for exploit traffic, C2, or data exfiltration.
Amazon also observed a memory‑resident Java webshell that registers a ServletRequestListener within the server’s StandardContext.
This fileless backdoor decrypts command payloads using AES‑128 with a key derived from the MD5 hash of a hardcoded seed, then dynamically loads and executes the decrypted bytecode directly in the JVM, bypassing traditional file‑based AV detection.
A separate Java‑based TCP server on port 45588, obfuscated by encoding the port as a Unicode character, acts as a lightweight connectivity beacon, confirming that exploitation succeeded and that network reachability is intact.
Interlock combines its custom malware with legitimate remote‑access and offensive tools to deepen compromise and complicate detection. The group deploys ConnectWise ScreenConnect, a commercial remote‑desktop solution, alongside its implants, providing redundant access channels that persist even if one Trojan is eradicated.
The attackers also drop open‑source tools such as Volatility (a memory‑forensics framework) and Certify, an offensive security utility that exploits misconfigurations in Active Directory Certificate Services (AD CS).
Certify enables attackers to identify vulnerable certificate templates and enroll authentication‑capable certificates, which can be used to impersonate users, escalate privileges, or obtain persistent access, capabilities that are key for both ransomware and espionage‑style operations.
Indicators of compromise and defensive guidance
Given the heavy use of content‑varying scripts and binaries, Amazon opted not to publish static file hashes as reliable IoCs, instead focusing on network‑centric indicators. The advisory lists multiple exploit‑source IPs (e.g., 206.251.239.164, 199.217.98.153, 89.46.237.33), C2 and staging IPs, domains such as browser‑updater[.]com, os‑update‑server[.]com, and TOR‑hosted negotiation portals like ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion. TLS fingerprints (JA3/JA4) and a specific Firefox‑style User‑Agent string are also highlighted as useful detection signals.
Organizations should:
- Apply Cisco patches immediately and review logs for IoCs.
- Monitor for PowerShell scripts staging data to shares, Java ServletRequestListener registrations, HAProxy with aggressive log deletion, and TCP connections to port 45588.
- Implement defense‑in‑depth, continuous threat hunting, centralized logging and incident‑response drills, and educate staff on Interlock’s TTPs.
AWS workloads were unaffected; the intelligence has been integrated into AWS security services.
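The monitoring points in the list above, turned into a small log triage script as an added example (not Amazon's or Cisco's code): the IP addresses and domains are the ones quoted in the advisory text, while the regular expressions, the key=value log format and the sample log lines are constructed for this illustration.

```python
import re
from typing import NamedTuple

# Network indicators quoted in the advisory above (domains un-defanged); the rest of this
# script is hypothetical detection logic written for this example, not published signatures.
IOC_IPS = {"206.251.239.164", "199.217.98.153", "89.46.237.33"}
IOC_DOMAINS = {"browser-updater.com", "os-update-server.com"}
BEACON_PORT = 45588

# Behavioural rules for the host-side tradecraft described in the article.
RULES = {
    # recon archive written to a \\host\Temp\ share (hostname-indexed staging)
    "powershell_staging_to_share": re.compile(r"(?i)Compress-Archive.*\\\\[\w.-]+\\Temp\\"),
    # listener registered directly into a Tomcat StandardContext (fileless webshell)
    "servlet_listener_injection": re.compile(r"StandardContext.*ServletRequestListener"),
    # five-minute cron that wipes /var/log or disables shell history (disposable proxy node)
    "cron_log_truncation": re.compile(r"^\*/5 \* \* \* \* .*(?:/var/log/|HISTFILE|set \+o history)"),
}
KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value fields for connection and DNS events


class Hit(NamedTuple):
    rule: str
    line: str


def check_line(line: str) -> list[Hit]:
    """Return every rule a single log line trips (possibly none)."""
    hits = [Hit(name, line) for name, rx in RULES.items() if rx.search(line)]
    kv = dict(KV.findall(line))
    if kv.get("dport") == str(BEACON_PORT):
        hits.append(Hit("beacon_port_45588", line))
    if IOC_IPS & {kv.get("src"), kv.get("dst")}:
        hits.append(Hit("ioc_ip", line))
    if kv.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append(Hit("ioc_domain", line))
    return hits


def scan(log_text: str) -> list[Hit]:
    return [h for line in log_text.splitlines() if line.strip() for h in check_line(line)]


# Constructed sample log lines (host, network and cron events merged into one stream).
SAMPLE_LOGS = r"""
2026-02-01T08:00:01Z host=WS01 powershell: Compress-Archive -Path C:\Users\a\Desktop -DestinationPath \\JK-DC2\Temp\WS01\WS01.zip
2026-02-01T08:00:05Z host=WS01 conn src=10.0.0.5 dst=203.0.113.7 dport=45588 proto=tcp
2026-02-01T08:00:09Z host=WS01 dns query=browser-updater.com
2026-02-01T08:00:12Z host=fmc01 conn src=89.46.237.33 dst=10.0.0.20 dport=443 proto=tcp
2026-02-01T08:00:13Z host=fmc01 tomcat: StandardContext.addApplicationEventListener(ServletRequestListener)
*/5 * * * * root for f in /var/log/*.log; do : > "$f"; done
2026-02-01T08:01:00Z host=WS01 conn src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.rule}] {hit.line}")
```

Point the script at real PowerShell script-block, connection and cron audit logs by feeding them to scan(); the last sample line (ordinary HTTPS to a non-indicator host) is there to show the rules stay quiet on benign traffic.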
Site: cybersecuritypath.com