
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access


Amazon Threat Intelligence has issued an alert about an active ransomware campaign, attributed to the Interlock group, that is exploiting a critical vulnerability in Cisco's Secure Firewall Management Center (FMC) Software. The flaw, tracked as CVE-2026-20131, carries the maximum CVSS score of 10.0. It is an insecure deserialization of a user-supplied Java byte stream, which lets an unauthenticated remote attacker bypass authentication and execute arbitrary Java code as root on affected devices.

The stakes are high: the flaw has apparently been exploited as a zero-day since January 26, 2026, over a month before Cisco publicly disclosed it. CJ Moses, Chief Information Security Officer (CISO) of Amazon Integrated Security, said that early exploitation gave Interlock a significant advantage, a week in which to compromise organizations before defenders were even aware of the vulnerability. Amazon notified Cisco to support its investigation and help protect affected customers.

Amazon attributed the discovery to an operational security lapse by the threat actors: a misconfigured infrastructure server exposed their operational toolkit, giving researchers visibility into the multi-stage attack chain, custom remote access tooling, reconnaissance scripts, and obfuscation techniques.

The attack chain proceeds in stages. First, the attacker sends crafted HTTP requests that trigger the deserialization flaw in the Cisco software and execute arbitrary Java code. After successful exploitation, the compromised system issues an HTTP PUT request to an external server to confirm the breach. The attacker can then send commands that retrieve an ELF binary from a remote server; this binary carries additional tooling for the Interlock operation.

The tools actively employed by Interlock include:

  1. PowerShell Reconnaissance Script: Built for systematic enumeration of Windows environments, this script collects operating system and hardware details, running services, installed software, storage configuration, Hyper-V virtual machine inventories, and user file listings across numerous directories. It also harvests browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and the 360 browser, and records active network connections and Remote Desktop Protocol (RDP) authentication events.

  2. Custom Remote Access Trojans: Written in JavaScript and Java, these implants provide command-and-control, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxying. They also carry self-update and self-delete routines, so the operators can swap in new builds or remove artifacts cleanly, which in turn reduces what forensic investigators can recover.

  3. Bash Script for HTTP Reverse Proxies: This script turns Linux servers into redirectors that mask the attacker's true origin. It installs the fail2ban intrusion prevention tool and sets up an HAProxy instance that forwards all HTTP traffic to a predetermined target IP address. To cover their tracks, the script runs a log-cleaning routine every five minutes.

  4. Memory-Resident Web Shell: This component inspects incoming requests for encrypted command payloads, decrypts them, and executes the result without writing anything to disk.

  5. Lightweight Network Beacon: This component notifies the attacker’s infrastructure to confirm successful code execution or check network port accessibility.

  6. ConnectWise ScreenConnect: This legitimate remote-support product is used for persistent access and serves as a fallback entry point if the custom implants are detected and removed.

  7. Volatility Framework: The well-known open-source memory forensics framework, used by the operators to analyze compromised systems.

Attribution to Interlock rests on both technical and operational indicators; the evidence currently suggests the operators work primarily in the UTC+3 time zone.

Because exploitation is ongoing, affected organizations should act immediately: apply the available patches, assess management center hosts for signs of prior compromise rather than assuming patching was in time, review any ScreenConnect deployments for installations they did not sanction, and apply defense-in-depth controls around the management plane.

Moses stressed that the implications extend beyond this one flaw and this one group. Zero-day exploitation, he noted, is a fundamental challenge to every security model: when attackers use a vulnerability before a patch exists, even the most diligent patching program cannot prevent a breach during that window.

He underscored the necessity of a layered security approach, stating, “Rapid patching is essential for effective vulnerability management. However, defense in depth is crucial to prevent organizations from being left defenseless during the period between exploit and patch.”

The disclosure comes amid shifting tactics among ransomware actors. Google recently reported that, as payment rates fall, these groups are increasingly targeting vulnerabilities in widely used VPNs and firewalls for initial access and relying on built-in Windows capabilities rather than external tooling (living off the land).

Several threat clusters are also using malvertising and SEO poisoning to distribute payloads. Other common footholds include compromised credentials and legitimate remote desktop software.

Google's analysts expect ransomware to remain a significant global threat, but they predict that declining profitability may push some actors toward other monetization strategies, including more aggressive extortion and opportunistic reuse of victim network access for secondary operations such as sending phishing email.

