Full Report
Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software. The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to
Analysis Summary
# Incident Report: Interlock Ransomware Exploitation of Cisco FMC Zero-Day
## Executive Summary
Amazon Threat Intelligence identified an active campaign by the Interlock ransomware group exploiting a zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC). The attackers used a critical Java deserialization flaw to gain root-level access without authentication, then deployed a toolkit for reconnaissance, persistence, and data exfiltration. The group relied on bespoke malware, but an operational security failure (a misconfigured server in its own infrastructure) exposed that toolkit to investigators.
## Incident Details
- **Discovery Date:** March 2026 (Publicly reported)
- **Incident Date:** January 26, 2026 (Initial zero-day exploitation began)
- **Affected Organization:** Global enterprise users of Cisco FMC
- **Sector:** Cross-sector (Enterprise Infrastructure)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** January 26, 2026
- **Vector:** Exploitation of CVE-2026-20131 (Cisco FMC Zero-Day).
- **Details:** Attackers sent specially crafted HTTP requests carrying a malicious Java byte stream. The FMC deserialized the attacker-supplied object without authenticating the request, giving the attacker arbitrary code execution as the root user.
### Lateral Movement
- Attackers pivoted into victim Windows environments through SOCKS5 proxy functionality built into their custom RATs and maintained access with ConnectWise ScreenConnect.
- Extensive Windows environment enumeration was performed via PowerShell to identify high-value targets, virtual machine inventories (Hyper-V), and network configurations.
### Data Exfiltration/Impact
- **Impact:** System-level compromise (Root access) of security infrastructure.
- **Details:** Extraction of browser artifacts (Chrome, Edge, Firefox), user file listings, and RDP authentication logs. The Interlock ransomware payload is deployed after these stages to encrypt systems and extort victims.
### Detection & Response
- **Discovery:** Amazon’s "MadPot" global sensor network detected the activity.
- **Response:** Amazon identified a misconfigured infrastructure server belonging to the threat actors, allowing for the analysis of their entire toolkit. Findings were shared with Cisco for patch development.
## Attack Methodology
- **Initial Access:** Insecure deserialization (CVE-2026-20131) via HTTP requests.
- **Persistence:** ConnectWise ScreenConnect and bespoke JavaScript/Java remote access trojans (RATs).
- **Privilege Escalation:** Exploited vulnerability directly grants **root** privileges.
- **Defense Evasion:**
  - Use of memory-resident web shells.
  - Automated log purging via cron jobs (every 5 minutes).
  - Bash scripts to configure Linux servers as HTTP reverse proxies to hide origin IPs.
  - Unsetting the `HISTFILE` variable to suppress shell history.
- **Credential Access:** Harvesting browser artifacts and RDP event logs.
- **Discovery:** PowerShell scripts for OS, hardware, software, and storage enumeration.
- **Lateral Movement:** SOCKS5 proxy capabilities within custom RATs.
- **Collection:** Targeting Desktop, Documents, and Downloads directories.
- **Exfiltration:** Bidirectional file transfer via custom C2 tools.
- **Impact:** Ransomware encryption and operational disruption of network firewalls.
## Impact Assessment
- **Financial:** High potential (Ransomware extortion and recovery costs).
- **Data Breach:** High; includes system credentials, browser data, and sensitive user files.
- **Operational:** Critical; the FMC is the central management plane for enterprise firewalls, so its compromise gives the attacker control over the policies and configuration of every managed device.
- **Reputational:** High for affected organizations and the vendor due to the zero-day nature of the attack.
## Indicators of Compromise
- **Network Indicators:**
  - Inbound HTTP PUT requests to the FMC web interface from untrusted sources, carrying serialized Java objects (the exploitation vector).
  - Traffic to/from SOCKS5 proxies on attacker-controlled nodes.
  - HTTP (port 80) traffic relayed through HAProxy on attacker-controlled Linux reverse-proxy nodes.
- **File Indicators:**
  - Unknown ELF binaries on the FMC's Linux host.
  - `fail2ban` and `HAProxy` configurations on unauthorized proxy nodes.
- **Behavioral Indicators:**
  - Cron jobs deleting `*.log` files every 5 minutes.
  - Unsetting of `HISTFILE` in shell sessions or rc files.
  - Automated Windows enumeration commands via PowerShell.
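The defense-evasion tradecraft in the Attack Methodology section (five-minute log purges, `HISTFILE` suppression) and the network and behavioral indicators above can be checked mechanically. The following is an added example written for this page, not tooling from Amazon, Cisco, or the report: it runs three detectors over constructed samples (a crontab, a shell rc fragment, and combined-format web access log lines). The `/example/...` request paths, the `10.10.0.0/24` management subnet, and the sample IPs are placeholders, not real FMC endpoints or indicators from the report.

```python
"""Detect post-exploitation behaviours attributed to the Interlock FMC campaign:
short-interval cron log purges, shell-history suppression, and HTTP PUT
requests to the management interface from outside trusted subnets."""
import re
from ipaddress import ip_address, ip_network

# Assumption: the organisation's trusted FMC management subnet (placeholder).
TRUSTED_MGMT_SUBNETS = [ip_network("10.10.0.0/24")]

# Constructed sample crontab: two five-minute log purges plus two benign jobs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * find /var/log -name '*.log' -delete
0,5,10,15,20,25,30,35,40,45,50,55 * * * * rm -f /opt/app/logs/*.log
*/5 * * * * /usr/local/bin/healthcheck.sh
"""

# Constructed shell rc fragment with history suppression.
SAMPLE_BASHRC = """\
export PATH=/usr/local/bin:$PATH
unset HISTFILE
HISTSIZE=0
"""

# Constructed combined-format access log; /example/... paths are placeholders.
SAMPLE_ACCESS_LOG = """\
10.10.0.5 - admin [26/Jan/2026:10:01:12 +0000] "GET /example/login HTTP/1.1" 200 512
203.0.113.7 - - [26/Jan/2026:10:02:40 +0000] "PUT /example/upload HTTP/1.1" 200 84
203.0.113.7 - - [26/Jan/2026:10:02:41 +0000] "POST /example/run HTTP/1.1" 200 12
10.10.0.9 - admin [26/Jan/2026:10:05:00 +0000] "PUT /example/upload HTTP/1.1" 200 84
"""

LOG_DELETE_RE = re.compile(r"\brm\b.*\.log|\bfind\b.*(\.log|/var/log).*-delete")
HIST_SUPPRESS_RE = re.compile(r"^\s*(unset\s+HISTFILE\b|HISTFILE=\s*(/dev/null)?\s*$|HISTSIZE=0\s*$)")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def cron_minute_interval(minute_field):
    """Worst-case gap in minutes between runs implied by a crontab minute field,
    or None when the job runs at most once an hour."""
    if minute_field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step:
        return int(step.group(1))
    if re.fullmatch(r"\d+(,\d+)+", minute_field):
        mins = sorted(int(x) for x in minute_field.split(","))
        gaps = [b - a for a, b in zip(mins, mins[1:])] + [60 + mins[0] - mins[-1]]
        return max(gaps)
    return None


def find_log_purge_jobs(crontab, max_interval=5):
    """Crontab lines that delete log files at least every max_interval minutes."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        interval = cron_minute_interval(fields[0])
        if interval is not None and interval <= max_interval and LOG_DELETE_RE.search(fields[5]):
            hits.append(line)
    return hits


def find_history_suppression(rc_text):
    """Lines in a shell rc file or captured session that disable history."""
    return [l.strip() for l in rc_text.splitlines() if HIST_SUPPRESS_RE.match(l)]


def find_untrusted_puts(access_log, trusted=TRUSTED_MGMT_SUBNETS):
    """PUT requests to the management interface whose source is not a trusted subnet."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src = ip_address(m["ip"])
        if m["method"] == "PUT" and not any(src in net for net in trusted):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


def triage():
    """Run all three detectors over the constructed samples."""
    return {
        "log_purge_cron": find_log_purge_jobs(SAMPLE_CRONTAB),
        "history_suppression": find_history_suppression(SAMPLE_BASHRC),
        "untrusted_puts": find_untrusted_puts(SAMPLE_ACCESS_LOG),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On a real host the three inputs would come from `crontab -l` for every account plus `/etc/cron.d`, from each user's `~/.bashrc` and `~/.bash_profile`, and from the web server's access log; the PUT check is only meaningful if the management interface should never be reachable from outside the listed subnets, which is exactly the exposure the Recommendations section says to remove.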
## Response Actions
- **Containment:** The attackers' reverse-proxy ("laundering") servers were identified and monitored, and their IPs were flagged in Amazon's global sensor network.
- **Eradication:** Provided intelligence to Cisco to facilitate the release of security patches.
- **Recovery:** Restoration of firewall configurations and rotation of all credentials managed by the FMC.
## Lessons Learned
- **Visibility:** Global honeypot networks (like MadPot) are critical for detecting zero-day exploitation before public disclosure.
- **Attacker OPSEC:** Even sophisticated groups make mistakes (misconfigured C2 servers), which can provide defenders with a complete view of an attack chain.
- **Criticality of FMC:** Security management consoles are "Tier 0" assets and must be isolated from the public internet.
## Recommendations
- **Patch Management:** Immediately apply updates for CVE-2026-20131 on all Cisco FMC instances.
- **Network Hardening:** Restrict access to the Cisco FMC interface to trusted internal management subnets via VPN or ACLs.
- **Monitoring:** Enable enhanced file integrity monitoring (FIM) and log-aggregation to detect attempted log deletions or unauthorized cron jobs.
- **Audit:** Inspect ConnectWise ScreenConnect instances for unauthorized access or unknown sessions.