Full Report
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software, disclosed by Cisco on March 4, 2026, that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. After Cisco’s disclosure, Amazon threat intelligence began research into this vulnerability using Amazon MadPot’s global sensor network—a system of honeypot servers that attract and monitor cybercriminal activity. While looking for any current or past exploitation of this vulnerability, our research found that Interlock had been exploiting it 36 days before its public disclosure, beginning January 26, 2026. This wasn’t just another vulnerability exploit: Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look. Upon making this discovery, we shared our findings with Cisco to help support their investigation and protect customers.
Analysis Summary
# Incident Report: Interlock Ransomware Zero-Day Campaign (CVE-2026-20131)
## Executive Summary
Amazon Threat Intelligence identified an active campaign by the Interlock ransomware group exploiting a zero-day vulnerability in Cisco Secure Firewall Management Center (FMC). The attackers began exploiting the flaw 36 days before public disclosure, using it to execute arbitrary Java code as root. Amazon discovered the activity via its "MadPot" honeypot network and identified the group's entire toolkit due to a misconfigured staging server.
## Incident Details
- **Discovery Date:** March 2026 (following Cisco disclosure)
- **Incident Date:** January 26, 2026 (First observed exploit)
- **Affected Organization:** Global organizations using Cisco FMC (specifically targets in Education, Manufacturing, and Healthcare)
- **Sector:** Multiple (Education, Engineering, Manufacturing, Healthcare, Government)
- **Geography:** Global footprint; the threat actor likely operates in UTC+3
## Timeline of Events
### Initial Access
- **Date/Time:** January 26, 2026
- **Vector:** Zero-day exploitation of CVE-2026-20131
- **Details:** Unauthenticated remote attackers sent malicious HTTP requests to a specific path in Cisco FMC software. The request bodies carried Java code that the FMC executed, giving the attackers root-level access.
### Lateral Movement
- **Details:** Attackers used custom Remote Access Trojans (RATs) and reconnaissance scripts. They deployed "Ghost" proxy servers (ephemeral servers that erase logs every five minutes) to mask movement and maintain a presence within the victim network.
### Data Exfiltration/Impact
- **Details:** The group utilized a "double extortion" model. While the article focuses on the toolkit discovery, it confirms Interlock exfiltrates data and threatens victims with regulatory fines (GDPR/compliance) in addition to encrypting files.
### Detection & Response
- **Detection:** Amazon’s "MadPot" global sensor network captured exploit attempts. Analysts "tricked" the attacker by emulating a compromised system, which triggered the delivery of the second-stage payload.
- **Response:** Amazon shared findings with Cisco to support patch development, analyzed the attacker's misconfigured staging server to recover the full toolkit, and integrated intelligence into AWS security services.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-20131 (RCE in Cisco FMC).
- **Persistence:** Implementation of custom Linux-based (ELF) backdoors and RATs.
- **Privilege Escalation:** None required; the exploit itself ran as **root**, because the vulnerable FMC component executes the injected Java code with root privileges.
- **Defense Evasion:** Use of "Ghost" proxy servers with 5-minute log-wiping cycles; staging area paths customized to individual targets.
- **Discovery:** Automated scripts for mapping victim networks.
- **Lateral Movement:** Custom tunneling tools and proxying through compromised infrastructure.
- **Collection:** Scripts designed for identifying sensitive data for exfiltration.
- **Impact:** Encryption of files and "regulatory pressure" extortion (citing fines and compliance violations).
## Impact Assessment
- **Financial:** High (potential for ransom payments and regulatory fines).
- **Data Breach:** Exposure of sensitive organizational data across Education and Healthcare sectors.
- **Operational:** Critical (firewall management infrastructure compromise allows for total network visibility and control by attackers).
- **Reputational:** High for affected organizations due to public data leaks.
## Indicators of Compromise
- **Network:**
  - Outbound HTTP PUT requests used to confirm successful exploitation.
  - TCP connections to unusual high-numbered ports (e.g., `45588`).
  - Traffic to/from "Ghost" proxy nodes.
- **File:** Malicious ELF binaries (Linux executables) used as secondary payloads.
- **Behavioral:** Unexpected Java code execution originating from Cisco FMC web-facing paths.
## Response Actions
- **Containment:** AWS blocked identified malicious infrastructure within its space.
- **Eradication:** Cisco released patches for CVE-2026-20131 on March 4, 2026.
- **Recovery:** Organizations advised to apply urgent patches and rotate credentials for any system managed by the compromised FMC.
## Lessons Learned
- **Zero-Day Gap:** Attackers held a 36-day "head start" before defenders were aware of the vulnerability, highlighting that patching alone is insufficient.
- **Attacker Error:** A single misconfigured staging server by the Interlock group allowed defenders to unmask their entire methodology.
- **Proactive Hunting:** Honeypots (like MadPot) are essential for identifying zero-day activity before it is reported by vendors.
## Recommendations
- **Immediate:** Apply Cisco security patches for CVE-2026-20131.
- **Monitoring:** Monitor Cisco FMC logs for unusual HTTP PUT requests and root-level Java execution.
- **Infrastructure:** Implement defense-in-depth; ensure management interfaces (like FMC) are not exposed directly to the public internet but are behind VPNs/Zero Trust gateways.
- **Logging:** Centralize logs to a write-once, read-many (WORM) storage system to prevent attackers from wiping local logs.
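As an added example (not code from the report, Amazon or Cisco), the following Python triage script checks constructed sample telemetry for the network and behavioral indicators listed under Indicators of Compromise and in the monitoring recommendation above: HTTP PUT requests in FMC web logs, outbound connections to unusual high-numbered ports such as 45588, and root-owned Java processes spawning a shell. The access-log layout, field names, port threshold and the placeholder request path are assumptions, since the page does not publish the vulnerable path or FMC's log format.

```python
import re

# Constructed sample telemetry (not logs from the report). The access-log layout
# follows the common combined format; FMC's own format is an assumption to adapt.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [26/Jan/2026:03:14:07 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.77 - - [26/Jan/2026:03:14:09 +0000] "PUT /PATH_PLACEHOLDER HTTP/1.1" 200 88',
    '10.0.5.21 - - [26/Jan/2026:03:15:00 +0000] "POST /api/status HTTP/1.1" 204 0',
]
# Connection records as (host, dst_ip, dst_port, direction).
SAMPLE_CONNECTIONS = [
    ("fmc01", "10.0.5.50", 443, "in"),
    ("fmc01", "203.0.113.9", 45588, "out"),  # port named in the report's IoCs
    ("fmc01", "10.0.5.60", 8305, "out"),     # routine FMC-to-device management traffic
]
# Process-exec events: effective user, parent image, child image.
SAMPLE_PROCESSES = [
    {"user": "root", "parent": "/usr/bin/java", "image": "/bin/sh"},
    {"user": "www", "parent": "/usr/sbin/httpd", "image": "/usr/bin/perl"},
]

ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
KNOWN_PORTS = {45588}        # from the report; extend with your own intelligence
HIGH_PORT_FLOOR = 40000      # tuning threshold chosen for this example
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget"}


def triage(access_lines=SAMPLE_ACCESS_LOG, connections=SAMPLE_CONNECTIONS,
           processes=SAMPLE_PROCESSES):
    """Return (rule, evidence) pairs for the three indicator classes in the report."""
    findings = []
    # 1. Unusual HTTP PUT against the FMC web front end. The vulnerable path is not
    #    public on this page, so every PUT is surfaced for analyst review.
    for line in access_lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m["method"] == "PUT":
            findings.append(("fmc_http_put", f'{m["src"]} PUT {m["path"]} -> {m["status"]}'))
    # 2. Outbound connections from the FMC to unusual high-numbered ports.
    for host, dst, port, direction in connections:
        if direction == "out" and (port in KNOWN_PORTS or port >= HIGH_PORT_FLOOR):
            findings.append(("fmc_outbound_high_port", f"{host} -> {dst}:{port}"))
    # 3. Root-owned Java process spawning a shell or downloader (root Java execution).
    for ev in processes:
        if ev["user"] == "root" and "java" in ev["parent"] and ev["image"] in SHELL_LIKE:
            findings.append(("root_java_spawned_shell", f'{ev["parent"]} -> {ev["image"]}'))
    return findings
```

Each rule is deliberately broad (any PUT, any outbound high port, any root Java child shell); tune the constants against a baseline of the FMC's normal traffic before alerting on them.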