
Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that exploits a recently revealed critical security flaw in Cisco Secure Firewall Management Center (FMC) software.
The vulnerability in question, CVE-2026-20131 (CVSS score: 10.0), is a case of insecure deserialization of a user-supplied Java byte stream, which allows an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.
The security flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was made public by Cisco, according to data collected from the tech giant’s MadPot global sensor network.
“This was more than just a vulnerability exploit. Interlock was in control of the zero-day and was able to get a one-week head start on compromising organizations before defenders knew about it. Upon this discovery, we supported Cisco’s investigation and shared our findings with Cisco to protect our customers,” CJ Moses, Chief Information Security Officer (CISO) at Amazon Integrated Security, told The Hacker News in a report shared with the publication.
Amazon said the discovery was made possible thanks to an operational security misstep on the part of the attackers that exposed the cybercriminal group’s operational toolkit via misconfigured infrastructure servers, providing insight into its multi-stage attack chain, custom-built remote access Trojans, reconnaissance scripts, and evasion techniques.
The attack chain involves sending a crafted HTTP request to a specific path in the affected software in order to execute arbitrary Java code, after which the compromised system issues an HTTP PUT request to an external server to confirm successful exploitation. Once this step is complete, commands are sent to fetch ELF binaries from remote servers hosting other tools linked to Interlock.
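The two-step sequence above (an inbound request to the management interface from an outside address, followed shortly by an outbound HTTP PUT from that same appliance to an outside address) is something a defender can hunt for in proxy or firewall logs without knowing the exploit path. The following is an added example, not code from Amazon, Cisco or the report: the log format, the appliance address, the internal ranges, the placeholder path and the 60-second window are all constructed assumptions.

```python
"""Detect the exploitation-then-callback sequence described above: an inbound
request to a firewall management interface from an outside address, followed
shortly by an outbound HTTP PUT from that same appliance to an outside address.
Added example; the log format, addresses and time window are constructed and
are not Amazon's or Cisco's telemetry."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: address of the management appliance and the internal ranges that
# should never count as "external" (explicit list rather than is_private, which
# also matches the documentation ranges used in the sample below).
MANAGEMENT_HOSTS = {"10.20.0.10"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
WINDOW = timedelta(seconds=60)  # constructed: maximum gap between request and PUT

# Constructed proxy/firewall log excerpt: "<ISO time> <src> -> <dst> <METHOD> <path>".
# The exploit path itself is not named in the report, so a placeholder is used.
SAMPLE_LOG = """\
2026-01-26T03:12:01Z 10.20.0.5 -> 10.20.0.10 GET /login
2026-01-26T03:12:40Z 203.0.113.77 -> 10.20.0.10 POST /PLACEHOLDER-PATH
2026-01-26T03:12:43Z 10.20.0.10 -> 198.51.100.9 PUT /ping
2026-01-26T03:30:00Z 10.20.0.10 -> 10.20.0.50 PUT /backup/config.tgz
2026-01-26T04:00:00Z 192.0.2.14 -> 10.20.0.10 POST /PLACEHOLDER-PATH
2026-01-26T05:10:00Z 10.20.0.10 -> 198.51.100.9 PUT /ping
"""


def is_internal(addr):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, method, path = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "method": method, "path": path})
    return sorted(events, key=lambda e: e["ts"])


def find_callback_sequences(text, window=WINDOW):
    """Return one alert per external request to a management host that is
    followed, within `window`, by an outbound PUT from that host to an
    external destination."""
    events = parse_log(text)
    alerts = []
    for i, inbound in enumerate(events):
        if inbound["dst"] not in MANAGEMENT_HOSTS or is_internal(inbound["src"]):
            continue
        for outbound in events[i + 1:]:
            gap = outbound["ts"] - inbound["ts"]
            if gap > window:
                break  # events are sorted, so nothing later can qualify
            if (outbound["src"] == inbound["dst"] and outbound["method"] == "PUT"
                    and not is_internal(outbound["dst"])):
                alerts.append({"inbound_src": inbound["src"],
                               "appliance": inbound["dst"],
                               "callback_dst": outbound["dst"],
                               "gap_seconds": int(gap.total_seconds())})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_callback_sequences(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only the 03:12 pair fires: the later request at 04:00 is followed by a PUT more than an hour on, outside the window, and the 03:30 PUT goes to an internal backup host. A management appliance that originates HTTP PUTs to arbitrary external addresses at all is unusual, so in practice the destination allowlist matters as much as the timing.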
The list of tools identified is:
- A PowerShell reconnaissance script used for systematic Windows environment enumeration. It collects details about the operating system and hardware, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user files across the Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox, Internet Explorer, and 360 browsers, active network connections, and RDP authentication events from the Windows event log.
- A custom remote access trojan written in JavaScript and Java that provides command and control, interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy functionality. It also supports self-update and self-removal mechanisms that allow artifacts to be replaced or removed without reinfecting machines, complicating forensic investigation.
- A Bash script to configure a Linux server as an HTTP reverse proxy that hides the attacker’s true origin. The script sets up fail2ban, an open source Linux intrusion prevention tool, and compiles and configures a HAProxy instance that listens on port 80 and forwards all incoming HTTP traffic to a hard-coded target IP address. The same infrastructure-laundering script installs a log-cleaning routine as a cron job that runs every five minutes, aggressively deleting and purging the contents of *.log files, and unsets the HISTFILE variable to suppress shell history.
- A memory-resident web shell that inspects incoming requests for specially crafted parameters containing encrypted command payloads, which are then decrypted and executed.
- A lightweight network beacon for making calls to attacker-controlled infrastructure, likely used to validate successful code execution after initial exploitation or to check network port reachability.
- ConnectWise ScreenConnect, which provides persistent remote access and serves as an alternative route if other tooling is detected and removed.
- Volatility Framework, an open source memory forensics framework

The link to Interlock stems from “intensive” technical and operational indicators, such as an embedded ransom note and the Tor negotiation portal. Evidence indicates that the attacker is likely operating in the UTC+3 time zone.
Given the active exploitation of this flaw, users are advised to patch as soon as possible, conduct security assessments to identify potential compromises, review ScreenConnect deployments for unauthorized installations, and implement a defense-in-depth strategy.
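The recommendation to review ScreenConnect deployments becomes concrete once you have a fleet-wide service inventory: every ScreenConnect client service carries the ID of the server instance it reports to, so anything not tied to the organisation's own instance is a candidate for the persistent-access foothold described above. The following is an added example, not code from the report or from ConnectWise; the inventory format, host names and the approved instance ID are constructed assumptions.

```python
"""Review a Windows service inventory for ScreenConnect client installs that
are not tied to an approved server instance. Added example; the inventory
format, host names and approved instance IDs are constructed."""
import re
from collections import defaultdict

# ScreenConnect clients register a Windows service named
# "ScreenConnect Client (<id>)", where <id> identifies the server instance.
SC_SERVICE = re.compile(r"^ScreenConnect Client \(([0-9a-f]+)\)$", re.IGNORECASE)

# Constructed: instance ID(s) of the organisation's own ScreenConnect server.
APPROVED_INSTANCES = {"a1b2c3d4e5f6a7b8"}

# Constructed inventory, one "host<TAB>service name<TAB>status" record per line,
# as might be exported from Get-Service on each host or from a CMDB.
SAMPLE_INVENTORY = """\
WS-0412\tScreenConnect Client (a1b2c3d4e5f6a7b8)\tRunning
WS-0412\tSpooler\tRunning
SRV-HV01\tScreenConnect Client (deadbeef00112233)\tRunning
SRV-HV01\tvmms\tRunning
WS-0777\tScreenConnect Client (deadbeef00112233)\tStopped
WS-0901\tScreenConnect Client (A1B2C3D4E5F6A7B8)\tRunning
"""


def parse_inventory(text):
    """Yield (host, service_name, status) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, service, status = line.split("\t")
        yield host, service, status


def screenconnect_instances(text):
    """Map each ScreenConnect instance ID (lower-cased) to the hosts running it."""
    by_instance = defaultdict(set)
    for host, service, _status in parse_inventory(text):
        match = SC_SERVICE.match(service)
        if match:
            by_instance[match.group(1).lower()].add(host)
    return by_instance


def find_unapproved(text, approved=APPROVED_INSTANCES):
    """Return {instance_id: [hosts]} for instances not in the approved set.
    Comparison is case-insensitive, as the sample's upper-case entry shows."""
    approved_lc = {a.lower() for a in approved}
    return {inst: sorted(hosts)
            for inst, hosts in screenconnect_instances(text).items()
            if inst not in approved_lc}


if __name__ == "__main__":
    for instance, hosts in find_unapproved(SAMPLE_INVENTORY).items():
        print(f"unapproved ScreenConnect instance {instance} on: {', '.join(hosts)}")
```

A stopped service still counts: the report notes ScreenConnect is kept as a fallback route, so an installed-but-idle client is exactly the case to catch. Pair the inventory check with a review of outbound connections to ScreenConnect relay hosts, since a client can also be run without registering a service.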
“The real story here is not just about one vulnerability or one group of ransomware. It’s about the fundamental challenge that zero-day exploits pose to any security model,” said Moses. “If an attacker exploits a vulnerability before a patch exists, even the most diligent patching program will fail to protect users at that critical time.”
“This is exactly why defense in depth is so important. Layered security controls provide protection when a single control fails or is not yet in place. Rapid patching remains fundamental to vulnerability management, but defense in depth helps ensure that organizations are not left vulnerable in the period between exploit and patch.”
The disclosure comes after it was revealed that ransomware attackers are changing their tactics in response to lower payout rates, targeting common VPN and firewall vulnerabilities for initial access, and favoring Windows’ built-in features over external tools.
Multiple threat clusters, both ransomware operators themselves and initial access brokers, have also been found to employ malvertising and search engine optimization (SEO) tactics to distribute malware payloads for initial access. Other commonly observed techniques include establishing a foothold using compromised credentials, backdoors, or legitimate remote desktop software, and leveraging built-in or already installed tools for reconnaissance, privilege escalation, and lateral movement.
“We expect ransomware to continue to be one of the world’s most dominant threats, but declining profits may lead some threat actors to seek other monetization methods,” Google said in a statement. “This could manifest as increased data theft, the use of more aggressive extortion tactics, or opportunistic use of access to victims’ environments for secondary monetization mechanisms, such as using compromised infrastructure to send phishing messages.”
