
AWS Alerts That Hackers Have Exploited Cisco Firewall Zero-Day Vulnerability Since January


Prolific Ransomware Group Exploits Zero-Day Vulnerability in Cisco Firewall

A recent analysis from Amazon Web Services (AWS) has unveiled a concerning trend in cybersecurity, revealing that a notorious ransomware group, known as Interlock, has been taking advantage of a serious zero-day vulnerability in a Cisco firewall product since the beginning of January. This alarming development was highlighted by AWS Chief Information Security Officer (CISO) CJ Moses, who warned that the attacks utilizing this vulnerability, designated CVE-2026-20131, began on January 26.

The vulnerability in question is a remote code execution (RCE) flaw in the web-based management interface of the Cisco Secure Firewall Management Center (FMC) Software. It carries the maximum Common Vulnerability Scoring System (CVSS) score of 10, because it allows an unauthenticated, remote attacker to execute arbitrary Java code with root privileges on the affected device. Access at that level puts the security and operation of the networks the FMC manages at risk, making swift remediation vital.

In a surprising turn of events, the AWS security team was able to obtain comprehensive visibility into Interlock’s operational methods, thanks to a "misconfigured infrastructure server." With this rare insight, they observed the tactics, techniques, and procedures (TTPs) employed by the group following their initial breach. After exploiting the zero-day vulnerability, the group relied on a PowerShell script to glean sensitive details about their victims’ networks. Additionally, they employed two custom remote access trojans (RATs) developed in JavaScript and Java to maintain persistent control over the breached systems.

The sophistication of Interlock’s approach is further underscored by their deployment of a “persistent memory-resident backdoor” in the form of a webshell. This tool operates discreetly by intercepting HTTP requests entirely in memory, leaving no file on disk for traditional antivirus scanning to detect. The group also installed ConnectWise ScreenConnect as a secondary entry point, to be used if their primary access was discovered and removed. This multi-faceted method demonstrates the determination and planning behind the group’s operations.

In light of these developments, AWS has issued several recommendations aimed at helping organizations defend against potential Interlock ransomware attacks. CISO Moses advised that companies apply the security patches provided by Cisco for the CVE-2026-20131 vulnerability. Additionally, they should conduct thorough reviews of their logs for indicators of compromise (IoCs) as outlined in AWS’s write-up. Performing security assessments to ascertain any signs of infection or unauthorized access is also strongly encouraged.

Organizations are advised to check any deployments of ScreenConnect for unapproved installations and to closely monitor network activity for PowerShell scripts that may be staging data to shared network folders. They should also be vigilant in detecting Java ServletRequestListener registrations in web application contexts and in identifying installations of HAProxy that are running aggressive log deletion cron jobs. Furthermore, there should be heightened awareness of TCP connections to unusually high-numbered ports, such as 45588, which could indicate malicious activity.
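Three of the indicators in the paragraph above can be checked mechanically. The script below is an added example, not code from the AWS write-up or from this article: it scans a constructed connection log for TCP connections to unusually high destination ports (using the port 45588 named above as one sample), a constructed crontab for jobs that remove or truncate files under /var/log, and a constructed web.xml for listener classes outside an expected allowlist. The log format, the threshold of 10000, and the allowlist are assumptions to be adapted to a real environment.

```python
"""Added detection helpers for three indicators named in the text.
All sample data below (connection log, crontab, web.xml) is constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# --- 1. TCP connections to unusually high-numbered destination ports -------
# Constructed log format (assumption): one connection per line as key=value pairs.
SAMPLE_CONN_LOG = """\
2026-02-01T10:00:01Z src=10.0.0.5 dst=10.0.0.9 dport=443 proto=tcp
2026-02-01T10:00:02Z src=10.0.0.5 dst=198.51.100.20 dport=45588 proto=tcp
2026-02-01T10:00:03Z src=10.0.0.7 dst=10.0.0.9 dport=8443 proto=tcp
2026-02-01T10:00:04Z src=10.0.0.7 dst=198.51.100.20 dport=45588 proto=udp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def high_port_tcp_connections(log_text: str, threshold: int = 10000) -> List[Dict[str, str]]:
    """Return TCP connections whose destination port is >= threshold.
    The threshold is only a starting point: baseline it against normal traffic,
    since backup agents, databases and similar services also use high ports."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool would count these
        rec = m.groupdict()
        if rec["proto"] == "tcp" and int(rec["dport"]) >= threshold:
            hits.append(rec)
    return hits


# --- 2. cron jobs that delete or truncate logs ----------------------------
SAMPLE_CRONTAB = """\
# constructed crontab
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * rm -f /var/log/haproxy.log /var/log/auth.log
*/10 * * * * : > /var/log/syslog
30 2 * * * /opt/backup/run.sh
"""

# rm ... /var/log, truncate ... /var/log, or shell truncation ': > /var/log/...'
LOG_WIPE_RE = re.compile(r"(\brm\b.*/var/log|\btruncate\b.*/var/log|:\s*>\s*/var/log)")


def log_deleting_cron_jobs(crontab_text: str) -> List[str]:
    """Return crontab entries whose command removes or truncates files under /var/log.
    Legitimate rotation goes through logrotate and is not matched."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6:
            continue
        if LOG_WIPE_RE.search(fields[5]):
            hits.append(line)
    return hits


# --- 3. servlet listener registrations outside the expected set -----------
SAMPLE_WEB_XML = """\
<web-app>
  <listener><listener-class>com.example.app.StartupListener</listener-class></listener>
  <listener><listener-class>org.example.Unregistered$1</listener-class></listener>
</web-app>
"""
EXPECTED_LISTENERS = {"com.example.app.StartupListener"}  # assumed allowlist


def unexpected_listener_classes(web_xml: str, expected=EXPECTED_LISTENERS) -> List[str]:
    """Return listener classes declared in web.xml that are not on the allowlist.
    A ServletRequestListener added purely at runtime never appears in web.xml,
    so this complements, rather than replaces, inspecting the live ServletContext
    (for example via a heap dump or a JMX query)."""
    root = ET.fromstring(web_xml)
    declared = [e.text.strip() for e in root.iter("listener-class") if e.text]
    return [cls for cls in declared if cls not in expected]


if __name__ == "__main__":
    for rec in high_port_tcp_connections(SAMPLE_CONN_LOG):
        print("high-port TCP:", rec["ts"], rec["src"], "->", rec["dst"], rec["dport"])
    for entry in log_deleting_cron_jobs(SAMPLE_CRONTAB):
        print("log-wiping cron:", entry)
    for cls in unexpected_listener_classes(SAMPLE_WEB_XML):
        print("unexpected listener:", cls)
```

Each function returns its findings rather than acting on them, so the checks can be wired into whatever alerting pipeline is in use; the web.xml check in particular only surfaces listeners declared on disk, and a memory-only registration of the kind described above needs a runtime view of the application container.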

Looking toward the future, AWS emphasizes that adopting a multi-layered security approach, known as "defense in depth," is crucial for organizations. This strategy entails continuous threat monitoring and hunting, regular testing of incident response protocols, and continuous training for security personnel on the evolving TTPs of groups like Interlock. The challenges posed by zero-day exploits illustrate the ongoing vulnerabilities that exist in cybersecurity frameworks.

Moses underscored an important takeaway from this situation: "The real story here isn’t just about one vulnerability or one ransomware group – it’s about the fundamental challenge zero-day exploits pose to every security model." He elaborated that when attackers successfully exploit vulnerabilities before patches are made available, even the most diligent patching programs fail to protect organizations during this critical window.

This underscores the necessity of layered security controls that keep protecting the organization even when a single defense mechanism fails or has not yet been deployed. While rapid patching remains a foundational aspect of vulnerability management, the importance of a comprehensive defense strategy cannot be overstated. As Interlock attacks continue, Cisco has confirmed that these threats remain an ongoing concern. Ensuring robust cybersecurity measures is essential for protecting sensitive information and maintaining the integrity of organizational systems in an increasingly perilous digital landscape.
