Interlock Ransomware Targets Cisco Enterprise Firewalls


Threat actors had access to a critical zero-day several weeks before it was patched and publicly disclosed.

An Interlock ransomware campaign is targeting Cisco firewalls, according to an advisory recently shared by Amazon Web Services (AWS). Specifically, the campaign leverages CVE-2026-20131, a critical vulnerability (CVSS score of 10) in the Web-based management interface of Cisco’s Secure Firewall Management Center (FMC) Software; if exploited, it allows an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.

Cisco disclosed the vulnerability on March 4, and said in an advisory at the time that it was caused by “insecure deserialization of a user-supplied Java byte stream.” The attacker would send a crafted serialized Java object to a vulnerable device’s Web-based management interface. 
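To make the bug class Cisco describes concrete, the following Java example shows the unfiltered `readObject()` pattern that makes insecure deserialization of a user-supplied byte stream exploitable, beside the standard mitigation (a JEP 290 deserialization allowlist). This is an added illustration, not Cisco's code and not from the AWS or Dark Reading write-ups; the `SessionTicket` type, the two handler methods and the sample streams are hypothetical stand-ins for what a Web management interface might receive.

```java
import java.io.*;

public class DeserializationFilterDemo {
    // Hypothetical value object a management interface might legitimately accept.
    static final class SessionTicket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionTicket(String user) { this.user = user; }
    }

    // VULNERABLE pattern: readObject() instantiates whatever class the stream names,
    // so an attacker-chosen gadget chain runs as the process owner before any type check.
    static Object handleUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 ObjectInputFilter (Java 9+) allowlists only the
    // expected type; every other class is rejected before it is resolved.
    static Object handleFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                SessionTicket.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();   // throws InvalidClassException for filtered classes
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionTicket("admin"));
        // Constructed stand-in for an attacker-supplied stream: a Serializable class
        // the endpoint never asked for (a plain HashMap here, not a gadget chain).
        byte[] unexpected = serialize(new java.util.HashMap<>());
        System.out.println("unsafe path accepted: " + handleUnsafe(unexpected).getClass());
        System.out.println("filtered path accepted: " + handleFiltered(expected).getClass());
        try {
            handleFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the practical way to cover every `ObjectInputStream` in a large management application rather than patching each call site.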

CVE-2026-20131 impacts all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). The latter is a software-as-a-service (SaaS) product and is upgraded without user action, but FMC users should immediately upgrade to a fixed release. Cisco also said that its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software are unaffected by the vulnerability. Customers can use the Cisco Software Checker to assess their exposure level.


CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, published a blog post on March 18 detailing how the Interlock ransomware gang is exploiting the vulnerability to target at-risk organizations. Interlock is a financially motivated ransomware actor known for double-extortion attacks (encryption plus data theft).

Following Cisco’s disclosure, Amazon researchers determined that Interlock exploited CVE-2026-20131 as far back as Jan. 26, making it a zero-day flaw. Through its research, which included the use of honeypots, Amazon discovered a misconfigured infrastructure server that “exposed Interlock’s complete operational toolkit.” 

“This rare mistake provided Amazon’s security teams with visibility into the ransomware group’s multi-stage attack chain, custom remote-access Trojans (backdoor programs that give attackers control of compromised systems), reconnaissance scripts (automated tools for mapping victim networks), and evasion techniques,” Moses wrote.

A Look Under Interlock Ransomware’s Hood

Once Interlock gains initial access — in this case by exploiting the firewall software bug — the attackers use a series of tools, such as a PowerShell script that enumerates the Windows environment and collects basic host data; the collected data for each compromised computer is then stored in its own directory on the attacker’s infrastructure.


The Interlock attacker then deploys a remote-access Trojan (RAT) to gain complete access to a compromised device and to establish command and control (C2). Amazon also observed Interlock deploying both JavaScript- and Java-based backdoors, redundancy that Moses noted would ensure “they maintain access even if defenders detect one version.”

Other discovered tools included a disposable relay network (in this case a Bash script) so the attacker could hide their true location, a memory-resident backdoor that avoids antivirus detection, connectivity verification tooling, and legitimate remote-access tools deployed to ensure Interlock would still have a way in if the other backdoors were found.

Fancy attacker tooling is nothing new, but Moses noted that the real danger in this case lies in combining that tooling with possession of a critical zero-day.

“The real story here isn’t just about one vulnerability or one ransomware group — it’s about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window,” he wrote. “This is precisely why defense in depth is essential — layered security controls provide protection when any single control fails or hasn’t yet been deployed.”


Amazon’s blog post includes indicators of compromise as well as additional detection recommendations. 

Why Are Firewalls Like This?

Unfortunately, critical vulnerabilities targeting firewall vendors like Cisco, Ivanti, SonicWall, and Fortinet are a dime a dozen. Recorded Future’s H1 2025 Malware and Vulnerability Trends report found that edge security and gateway devices (such as firewalls and VPNs) accounted for 17% of vulnerabilities exploited by threat actors during the first half of last year.

As for why, Vincenzo Iozzo, CEO and cofounder at identity vendor SlashID, tells Dark Reading that firewalls are appealing in part because they are Internet-facing and, therefore, generally easily accessible. They also tend to have proprietary software historically “riddled with vulnerabilities” and lacking detection capabilities. Firewalls also “tend to be useful as a pivot point for attackers that want to move laterally into a victim’s network.”

Similarly, Jeff Liford, associate director at cyber disaster recovery firm Fenix24, explains that the firewall industry has experienced “substantial security pressure over the past year,” and most major vendors have had to patch multiple critical flaws during this period.

“In our incident response work throughout 2025, we saw firewall compromise act as the initial entry point in a significant number of ransomware cases,” he says. “These devices are often mission-critical. However, they are sometimes under-maintained, making them attractive targets.”

Cisco did not respond to Dark Reading’s request for comment.


