Full Report
Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers on a flaw in Cisco Secure Firewall Management Center (FMC) software. The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices. However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure. The attackers therefore operated with a zero-day advantage, compromising organizations before defenders were even aware of the risk.

According to Amazon’s findings, the exploitation involved crafted HTTP requests targeting specific paths on vulnerable systems. These requests carried embedded Java code and two URLs: one delivered configuration data to support the exploit, and the other confirmed successful compromise by triggering an HTTP PUT request from the victim system. To deepen the investigation, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This triggered the next phase of the attack, in which Interlock issued commands to download and execute a malicious Linux binary.

Amazon MadPot Reveals Interlock’s Toolkit

The use of Amazon MadPot proved critical in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit, including reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms, offering rare visibility into Interlock’s multi-stage attack chain. The infrastructure was organized to separate data by target, with directories used both to distribute tools and to collect stolen information. This level of organization reflects a structured and repeatable attack methodology. Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign.

Interlock Ransomware Tactics and Attribution

The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators, including a ransom note and a TOR-based negotiation portal aligned with Interlock’s known branding and operational style. The ransom notes notably referenced multiple data protection regulations, a tactic Interlock uses to pressure victims by threatening not only data encryption but also potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with the group’s tracking model.

Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations. Temporal analysis of the attack activity suggests the operators likely work in the UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.

Post-Exploitation

Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections. The script organizes this data into per-host directories on a centralized network share and compresses it into ZIP archives for exfiltration. This structured approach indicates preparation for large-scale ransomware deployment across multiple systems.

Interlock uses multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers over WebSockets. Messages are encrypted with RC4 using a unique key for each transmission. A second variant, implemented in Java, provides the same capabilities using different libraries. This dual-implementation strategy ensures continued access even if one version is detected and removed.

To hide their tracks, Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult.

Fileless Backdoors and Advanced Techniques

One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine. Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.

Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures the attackers retain control even if their custom malware is removed. Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.
Analysis Summary
# Incident Report: Interlock Ransomware Group Exploitation of CVE-2026-20131
## Executive Summary
Amazon threat intelligence uncovered a campaign by the Interlock ransomware group targeting a critical vulnerability in Cisco Secure Firewall Management Center (FMC). The group utilized the flaw (CVE-2026-20131) as a zero-day for 36 days prior to public disclosure, primarily targeting the education and manufacturing sectors. Through the use of Amazon MadPot honeypots, researchers identified a sophisticated toolkit including custom RATs, memory-resident webshells, and log-erasing reverse proxies.
## Incident Details
- **Discovery Date:** January 26, 2026 (via Amazon MadPot)
- **Incident Date:** Continuous from January 26, 2026 – March 4, 2026 (Public Disclosure)
- **Affected Organization:** Multiple (Global)
- **Sector:** Education, Engineering, Construction, Manufacturing, Healthcare, and Public Sector
- **Geography:** Global footprint; the threat actor is suspected to operate in the UTC+3 time zone.
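One way to carry out the kind of temporal analysis behind the UTC+3 estimate (an added illustration, not Amazon's own method or data): score each candidate UTC offset by how many hits land in local office hours, then inspect the hourly histogram for the best-fitting offset. The timestamps below are constructed samples, not observed Interlock activity.

```python
"""Estimate an operator's working time zone from exploitation timestamps.
Added illustration, not Amazon's method or data; timestamps are constructed."""
from collections import Counter

WORKDAY = (8 * 60, 18 * 60)   # local minutes-of-day treated as "office hours"

def local_minute(ts_utc, offset_hours):
    """Minute-of-day at UTC+offset for a timestamp like 2026-01-26T05:30:00Z."""
    hh, mm = int(ts_utc[11:13]), int(ts_utc[14:16])
    return (hh * 60 + mm + offset_hours * 60) % 1440

def workday_score(hits, offset_hours):
    """Number of hits that fall inside local office hours for this offset."""
    return sum(WORKDAY[0] <= local_minute(t, offset_hours) < WORKDAY[1] for t in hits)

def rank_offsets(hits, candidates=range(-12, 15)):
    """Candidate UTC offsets, best fit first; ties broken toward the smaller offset."""
    return sorted(candidates, key=lambda k: (-workday_score(hits, k), abs(k)))

def hourly_histogram(hits, offset_hours):
    """Local hour -> hit count; the view used to spot start, peak and decline."""
    return Counter(local_minute(t, offset_hours) // 60 for t in hits)

def first_activity(hits, offset_hours):
    """Earliest local time of day seen, as HH:MM."""
    m = min(local_minute(t, offset_hours) for t in hits)
    return f"{m // 60:02d}:{m % 60:02d}"

# Constructed honeypot hit times (UTC); not real Interlock activity.
HITS_UTC = [
    "2026-01-26T05:30:00Z", "2026-01-26T05:50:00Z", "2026-01-26T06:25:00Z",
    "2026-01-26T07:10:00Z", "2026-01-26T08:05:00Z", "2026-01-26T09:00:00Z",
    "2026-01-27T09:30:00Z", "2026-01-27T10:15:00Z", "2026-01-27T10:45:00Z",
    "2026-01-27T11:20:00Z", "2026-01-27T12:00:00Z", "2026-01-27T12:40:00Z",
    "2026-01-28T13:30:00Z", "2026-01-28T14:15:00Z", "2026-01-28T14:50:00Z",
    "2026-01-28T16:10:00Z", "2026-01-28T18:30:00Z",
]

if __name__ == "__main__":
    best = rank_offsets(HITS_UTC)[0]
    print(f"best fit: UTC{best:+d}, first activity {first_activity(HITS_UTC, best)}")
    print(sorted(hourly_histogram(HITS_UTC, best).items()))
```

With real data, compare the top few offsets rather than trusting the single winner, and keep in mind that the hits may come from a relay rather than the operators' own workstations.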
## Timeline of Events
### Initial Access
- **Date/Time:** January 26, 2026
- **Vector:** Exploitation of CVE-2026-20131 (Cisco FMC)
- **Details:** Unauthenticated remote attackers sent crafted HTTP requests with embedded Java code to execute arbitrary commands with root privileges.
### Lateral Movement
- Attackers deployed a PowerShell reconnaissance script to identify network shares and host data.
- Use of commercial remote desktop software (ConnectWise ScreenConnect) to maintain persistent access across the environment.
### Data Exfiltration/Impact
- **Details:** Attackers compressed host-specific discovery data (software, services, browser data) into ZIP archives on network shares. Ransomware deployment involved double-extortion tactics, threatening regulatory penalties.
### Detection & Response
- **Discovery:** Detected via Amazon MadPot honeypot network tracking "zero-day" exploitation trends.
- **Response Actions:** Amazon simulated compromised devices to trigger and analyze the secondary attack stages; Cisco disclosed the vulnerability and issued patches on March 4, 2026.
## Attack Methodology
- **Initial Access:** RCE via CVE-2026-20131 (Cisco FMC).
- **Persistence:** Redundant RATs (Java and JavaScript variants) and ConnectWise ScreenConnect.
- **Privilege Escalation:** Exploitation provided root privileges; the Certify tool was used against Active Directory Certificate Services.
- **Defense Evasion:** Memory-resident (fileless) Java shells; Bash scripts converting servers to reverse proxies; log deletion every 5 minutes.
- **Credential Access:** Utilization of "Certify" and browser data harvesting.
- **Discovery:** PowerShell scripts for system/network mapping and Volatility for memory forensics.
- **Lateral Movement:** ConnectWise ScreenConnect and remote access trojans.
- **Collection:** Automated host data organization and compression into ZIP files.
- **Exfiltration:** Standardized directories on actor-controlled infrastructure.
- **Impact:** Encryption of files; extortion via TOR portal; utilization of regulatory landscape (e.g., GDPR) to pressure victims.
## Impact Assessment
- **Financial:** Not specified; however, ransomware demands were processed via a TOR portal.
- **Data Breach:** Compromise of system configurations, browser data, and internal network maps.
- **Operational:** Potential total business disruption via ransomware encryption and loss of firewall management control.
- **Reputational:** High risk due to the group's tactic of referencing regulatory failures in public-facing ransom notes.
## Indicators of Compromise
- **Inbound Requests:** Crafted HTTP requests targeting vulnerable Cisco FMC paths, carrying embedded Java code and attacker-supplied URLs.
- **File Indicators:**
- Malicious Linux binary downloaded after exploitation (SHA-256 not provided in text)
- PowerShell discovery scripts
- Memory-resident Java `.class` webshells
- **Behavioral Indicators:**
- HTTP PUT requests from Cisco FMC to external IPs as "check-ins."
- Systematic log deletion on Linux servers every five minutes.
- WebSockets traffic using RC4 encryption for C2.
- Traffic to defanged negotiation portal: `hXXp : // [Interlock TOR Address] .onion`
## Response Actions
- **Containment:** Amazon researchers interacted with the C2 to capture payloads without compromising real secondary systems.
- **Eradication:** Cisco released official patches for CVE-2026-20131 on March 4, 2026.
- **Recovery:** Organizations must patch FMC devices and audit for the presence of unauthorized ScreenConnect or persistent RATs.
## Lessons Learned
- **Zero-Day Gap:** Attackers had a 36-day head start before public defenders were alerted.
- **Tooling Redundancy:** Interlock uses dual-language RATs (Java/JS) to ensure persistence if one is removed.
- **Honeypot Efficacy:** Global honeypot networks (MadPot) are essential for identifying exploitation patterns before vulnerability disclosure.
## Recommendations
- **Immediate Patching:** Prioritize updates for Cisco Secure Firewall Management Center (FMC).
- **Audit Remote Access:** Monitor for unauthorized installations of legitimate tools like ScreenConnect and Volatility.
- **Network Segmentation:** Isolate management interfaces (like FMC) from the public internet.
- **Log Monitoring:** Implement SIEM alerts for the recurring deletion of Linux system logs and for unauthorized HTTP PUT requests originating from firewall management devices.
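As an added example of the log-monitoring recommendation (not code from Amazon's report), the following checks two of the behavioral indicators listed earlier over constructed log lines: HTTP PUT requests from the firewall manager's management address to non-RFC1918 destinations, and files under /var/log unlinked at a near-constant five-minute cadence. The key=value log format, host names and addresses are assumptions.

```python
"""Detections for two behaviors the report calls out: HTTP PUT check-ins from the
firewall manager to external hosts, and Linux logs deleted on a fixed cadence."""
import ipaddress
from datetime import datetime
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)
def parse(line):
    """Split one log line into a dict; 'ts' becomes a naive UTC datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def outbound_puts(egress_lines, mgmt_hosts):
    """PUT requests from management hosts (e.g. the FMC) to non-RFC1918 addresses."""
    puts = [r for r in map(parse, egress_lines) if r.get("method") == "PUT"]
    return [(r["src"], r["dst"], r.get("uri", "")) for r in puts
            if r["src"] in mgmt_hosts and not is_internal(r["dst"])]

def cadence_run(stamps, period, tolerance):
    """Longest run of consecutive events spaced period +/- tolerance seconds apart."""
    run = best = 1
    for a, b in zip(stamps, stamps[1:]):
        run = run + 1 if abs((b - a).total_seconds() - period) <= tolerance else 1
        best = max(best, run)
    return best

def periodic_log_deletions(audit_lines, period=300, tolerance=30, min_events=3):
    """Hosts whose /var/log files are unlinked at a near-constant interval."""
    per_host = {}
    for r in map(parse, audit_lines):
        if r.get("syscall") == "unlink" and r.get("path", "").startswith("/var/log/"):
            per_host.setdefault(r["host"], []).append(r["ts"])
    runs = {h: cadence_run(sorted(s), period, tolerance) for h, s in per_host.items()}
    return {h: n for h, n in runs.items() if n >= min_events}

# Constructed sample logs: '<ISO8601 UTC> key=value ...' with hypothetical hosts/addresses.
EGRESS = [
    "2026-01-27T09:58:40Z src=10.10.5.20 dst=10.10.8.3 method=GET uri=/api/status",
    "2026-01-27T10:02:11Z src=10.10.5.20 dst=203.0.113.45 method=PUT uri=/",
    "2026-01-27T10:02:15Z src=10.10.7.9 dst=203.0.113.45 method=PUT uri=/upload",
]
AUDIT = [
    "2026-01-27T10:05:00Z host=web01 syscall=unlink path=/var/log/nginx/access.log",
    "2026-01-27T10:10:02Z host=web01 syscall=unlink path=/var/log/nginx/access.log",
    "2026-01-27T10:15:01Z host=web01 syscall=unlink path=/var/log/auth.log",
    "2026-01-27T10:19:58Z host=web01 syscall=unlink path=/var/log/nginx/access.log",
    "2026-01-27T10:05:00Z host=web02 syscall=unlink path=/var/log/syslog",
]
```

Running `outbound_puts(EGRESS, {"10.10.5.20"})` flags only the FMC-sourced PUT to 203.0.113.45, and `periodic_log_deletions(AUDIT)` flags web01 with a run of four deletions roughly 300 seconds apart.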