AWS Researchers Find an Interlock Server Laden With Tools
Ransomware hackers exploited a flaw with a maximum vulnerability score in Cisco firewall management software weeks before the networking giant disclosed the vulnerability in early March.
Researchers from Amazon Web Services said Wednesday they found honeypot data evidence dating to Jan. 26 showing the Interlock ransomware group used CVE-2026-20131 to send malicious HTTP requests containing Java code and embedded URLs – “one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file.”
Cisco disclosed the Cisco Secure Firewall Management Center flaw March 4 as part of a semi-annual set of bundled firewall security advisories. At the time, Cisco said the flaw hadn’t been exploited in the wild.
Routing gear from the Silicon Valley mainstay has played a role in recent major hacks, whether because of unapplied patches, misconfigurations or zero-day flaws. An unrelated set of zero-day vulnerabilities in a Cisco software-defined wide-area networking system caused the U.S. federal government in late February to tell agencies to apply patches within two days. A security firm warned earlier this month that exploitation of a flaw tracked as CVE-2026-20127 in Cisco Catalyst SD-WAN Controller reached “internet-wide” proportions.
The company in late 2025 pledged to proactively alert network administrators “when insecure choices are being made” and to activate secure settings by default (see: Cisco Pledges More Security in Network Equipment).
Interlock Ransomware Exposed
When AWS researchers observed their honeypot performing the expected HTTP PUT request, automatic commands retrieved and executed a malicious Linux executable file. Poking inside the ELF file, they found an embedded Interlock ransomware note and a link to the group’s darkweb negotiation panel.
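As an added illustration that is not code from the article or from AWS, the Python below flags the two-step pattern the researchers describe, a firewall-management host issuing an unexpected outbound HTTP PUT and then fetching something from the same destination, over constructed egress-proxy log lines; the log format, host names, destinations and allowlist are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (not from the article or AWS's data).
# Assumed format: "<iso-time> <src-host> <method> <url> <status>"
SAMPLE_LOG = """\
2026-01-26T03:14:07Z fmc-01 GET https://updates.example-vendor.test/manifest.json 200
2026-01-26T03:14:09Z fmc-01 PUT http://203.0.113.45:8080/upload/fmc-01.txt 200
2026-01-26T03:14:12Z fmc-01 GET http://203.0.113.45:8080/payload/x86_64 200
2026-01-26T03:20:00Z web-01 PUT https://backup.example.test/snapshot.tar 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|PUT|POST) (\S+) (\d{3})$")

# Hypothetical management hosts and the only destinations they should reach.
MANAGEMENT_HOSTS = {"fmc-01"}
ALLOWED_DESTS = {"updates.example-vendor.test"}


def parse(log_text):
    """Yield (timestamp, host, method, destination, status) per valid line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, method, url, status = m.groups()
            yield ts, host, method, urlsplit(url).netloc, int(status)


def flag_exploit_callbacks(log_text):
    """Return (host, destination, reason) findings, in log order.

    Two conditions mirror the chain in the article: a management host
    performing an HTTP PUT to a destination outside its allowlist (the
    'exploitation confirmed' callback), and that same host then fetching
    from the same destination (the follow-on payload retrieval).
    """
    findings = []
    put_dests = defaultdict(set)
    for _ts, host, method, dest, _status in parse(log_text):
        if host not in MANAGEMENT_HOSTS or dest in ALLOWED_DESTS:
            continue
        if method == "PUT":
            put_dests[host].add(dest)
            findings.append((host, dest, "unexpected outbound PUT from management host"))
        elif method == "GET" and dest in put_dests[host]:
            findings.append((host, dest, "download from host that received PUT callback"))
    return findings
```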
They also found a poorly secured Interlock infrastructure server exposing the group’s toolkit. Interlock, active since September 2024, is the rare ransomware operation that doesn’t rely on affiliates. “Instead, they appear to be a smaller, dedicated group of operators who develop and operate their own malware to support most of their kill chain,” firewall firm Fortinet – which has had its own set of exploitable flaws – said in a January blog post.
The group has focused extensively on critical infrastructure sectors in North America and Europe – “sectors where operational disruption creates maximum pressure for payment,” AWS said. Interlock counts its greatest number of victims in the education sector, including a March 2025 attack against a South Carolina school district that stole records of 46,000 students, parents and teachers. The U.S. Cybersecurity and Infrastructure Security Agency warned last July that the group often infects victims through the ClickFix social engineering technique and by compromising legitimate websites.
AWS said the Interlock server examined contains a PowerShell script for enumerating Windows environments, a script for configuring Linux servers as reverse proxies, and two custom remote access Trojans: a JavaScript implant and its functional equivalent written in Java.
The group also uses ConnectWise ScreenConnect, a remote monitoring and management tool, as a backup in case victims discover one of the RATs before it deploys crypto-locking software. Also on the server was a copy of Volatility, an open-source memory forensics framework, and Certify, an open-source security tool that focuses on misconfigurations in Active Directory Certificate Services.
