Full Report
The Interlock ransomware gang has been exploiting a maximum severity remote code execution (RCE) vulnerability in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks since late January. [...]
Analysis Summary
# Incident Report: Interlock Ransomware Exploitation of Cisco FMC Zero-Day
## Executive Summary
The Interlock ransomware gang exploited a maximum-severity remote code execution (RCE) vulnerability (CVE-2026-20131) in Cisco’s Secure Firewall Management Center (FMC) as a zero-day for over a month. The flaw allowed attackers to execute arbitrary Java code as root via insecure deserialization. While Cisco patched the issue in March 2026, many organizations were compromised during the 36-day window preceding public disclosure.
## Incident Details
- **Discovery Date:** March 2026 (Reported by Amazon Threat Intelligence)
- **Incident Date:** January 26, 2026 (Start of zero-day exploitation)
- **Affected Organization:** Multiple enterprise organizations
- **Sector:** Various (including Healthcare, Education, and Government)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning January 26, 2026
- **Vector:** Exploitation of CVE-2026-20131 (Insecure Deserialization)
- **Details:** Attackers sent crafted serialized Java objects to the web-based management interface of the Cisco FMC, gaining unauthenticated RCE.
### Lateral Movement
- **Details:** Following the compromise of the firewall management layer, the Interlock gang typically uses its root access on the network infrastructure to bridge into internal segments.
### Data Exfiltration/Impact
- **Details:** Consistent with Interlock's history, the group uses double-extortion tactics. Data is harvested from the network before the ransomware or the "Slopoly" malware strain is deployed.
### Detection & Response
- **Detection:** Identified by the Amazon Integrated Security team through proactive research into Cisco FMC vulnerabilities.
- **Response Actions:** Amazon shared intelligence with Cisco; Cisco released patches on March 4, 2026.
## Attack Methodology
- **Initial Access:** Zero-day exploitation of Cisco Secure FMC (CVE-2026-20131).
- **Persistence:** Deployment of the "NodeSnake" RAT or "Slopoly" malware.
- **Privilege Escalation:** Exploited the Java deserialization flaw to gain **root** privileges on the device.
- **Defense Evasion:** Use of "Slopoly" malware (likely AI-generated) designed to evade traditional sandbox detection and "hide in plain sight."
- **Credential Access:** Not explicitly detailed in the article, but typical of the group's "ClickFix" fake tool campaigns.
- **Discovery:** Scanning for vulnerable web-based management interfaces of Cisco FMC devices.
- **Lateral Movement:** Pivoting from compromised perimeter security management software into the internal enterprise network.
- **Collection:** Identifying and gathering sensitive data for extortion purposes.
- **Exfiltration:** Transferring data to attacker-controlled infrastructure before encryption.
- **Impact:** Encryption of files and public leaking of data via the Interlock dark web portal.
## Impact Assessment
- **Financial:** High; ransom demands from Interlock and remediation costs for network-wide compromise.
- **Data Breach:** High; history includes breaches affecting millions of records (e.g., DaVita and Texas Tech University).
- **Operational:** Severe; compromise of firewall management can lead to total loss of network integrity and business downtime.
- **Reputational:** Significant; affects trust in perimeter security infrastructure and the management of sensitive healthcare/government data.
## Indicators of Compromise
- **Network indicators:** Traffic to/from management interfaces on port 443 (or custom management ports) involving suspicious Java serialized objects.
- **File indicators:**
  - Presence of "NodeSnake" RAT.
  - Presence of "Slopoly" malware.
- **Behavioral indicators:** Unexpected root-level execution of Java processes on Cisco FMC appliances; unauthorized configuration changes.
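The network indicator above ("suspicious Java serialized objects" sent to the management interface) can be turned into a simple triage check. The following is an added example, not code from the report or from Cisco or Amazon: it scans constructed request records for bodies that begin with the Java serialization stream header (raw `AC ED 00 05`, or its base64 form `rO0AB`), and also flags management-port traffic from outside an assumed admin network, which is the exposure the Response Actions and Recommendations sections warn about. The request path `/ui/endpoint`, the admin range `10.0.0.0/8`, and the sample records are placeholders, not FMC specifics.

```python
"""Triage helper: flag Java-serialized payloads and non-admin sources on management ports.

Added example; assumes a request log already parsed into (src_ip, dst_port, method, path, body).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Java ObjectOutputStream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and its base64 form.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"

# Assumptions: management interface on 443 (add custom management ports here),
# and only this range is allowed to reach it.
MANAGEMENT_PORTS = {443}
ALLOWED_ADMIN_NETS = [ip_network("10.0.0.0/8")]


@dataclass
class Request:
    src_ip: str
    dst_port: int
    method: str
    path: str
    body: bytes


@dataclass
class Alert:
    src_ip: str
    path: str
    reasons: list


def is_java_serialized(body: bytes) -> bool:
    """True if the body starts with a Java serialization header, raw or base64-encoded.
    Limitation: URL-encoded or compressed bodies must be decoded by the caller first."""
    head = body.lstrip()
    return head.startswith(JAVA_STREAM_MAGIC) or head.startswith(JAVA_STREAM_MAGIC_B64)


def from_admin_network(src_ip: str, allowed=ALLOWED_ADMIN_NETS) -> bool:
    """True if the source address falls inside one of the allowed admin ranges."""
    addr = ip_address(src_ip)
    return any(addr in net for net in allowed)


def scan_requests(requests, management_ports=MANAGEMENT_PORTS, allowed_nets=ALLOWED_ADMIN_NETS):
    """Return one Alert per management-port request that carries a serialized payload
    or originates outside the admin network (both reasons may apply)."""
    alerts = []
    for r in requests:
        if r.dst_port not in management_ports:
            continue
        reasons = []
        if r.method == "POST" and is_java_serialized(r.body):
            reasons.append("java-serialized-payload")
        if not from_admin_network(r.src_ip, allowed_nets):
            reasons.append("non-admin-source")
        if reasons:
            alerts.append(Alert(r.src_ip, r.path, reasons))
    return alerts


def sample_requests():
    """Constructed records for demonstration; addresses are documentation ranges."""
    return [
        # benign JSON login from the admin network: no alert
        Request("10.0.5.20", 443, "POST", "/api/login", b'{"user":"admin"}'),
        # raw serialized object from the internet: two reasons
        Request("203.0.113.7", 443, "POST", "/ui/endpoint", b"\xac\xed\x00\x05sr\x00\x0bexample.Obj"),
        # base64-wrapped serialized object from inside: payload reason only
        Request("10.0.5.21", 443, "POST", "/ui/endpoint", b"rO0ABXNyAAtleGFtcGxlLk9iag=="),
        # plain GET from the internet: exposure reason only
        Request("198.51.100.9", 443, "GET", "/login", b""),
        # serialized payload on a non-management port: outside scope, skipped
        Request("203.0.113.8", 8080, "POST", "/x", b"\xac\xed\x00\x05"),
    ]


if __name__ == "__main__":
    for alert in scan_requests(sample_requests()):
        print(alert)
```

Run it against real records by replacing `sample_requests()` with a loader for your own reverse-proxy or packet-capture export; a hit on `java-serialized-payload` during the January–March window is a reason to pull the appliance for the forensic sweep described under Eradication.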
## Response Actions
- **Containment:** Immediately disconnect vulnerable FMC interfaces from the public internet or restrict access via ACLs.
- **Eradication:** Apply Cisco security patches for CVE-2026-20131. Perform a full forensic sweep of the network for backdoors (RATs) planted during the zero-day window.
- **Recovery:** Restore impacted systems from secure offline backups; rotate all credentials managed by or stored within the FMC.
## Lessons Learned
- **Visibility Gap:** There was a 36-day gap where attackers had a "head start" because the vulnerability was unknown to defenders.
- **Infrastructure Risk:** Security management tools (FMC) are high-value targets; if they are compromised, the entire security posture of the organization is undermined.
- **AI-Enhanced Threats:** The emergence of AI-generated malware like "Slopoly" suggests attackers are evolving to bypass standard heuristic detections.
## Recommendations
- **Patch Management:** Prioritize patching of perimeter management software immediately upon release.
- **Zero Trust:** Do not expose management interfaces (like FMC) to the public internet; utilize VPNs or zero-trust access gateways.
- **Logging:** Enable and monitor Audit Logs on firewall management appliances for unauthorized root-level commands.
- **Proactive Hunting:** Regularly review Amazon/Cisco threat intelligence feeds to identify if internal infrastructure was communicating with known Interlock C2 nodes during the January–March window.