Amazon Threat Intelligence Teams Identify Interlock Ransomware Campaign Targeting Enterprise Firewalls
Summary:
Amazon threat intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software. This flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root on affected devices. Interlock leveraged this vulnerability as a zero-day, beginning exploitation on January 26, 2026, giving them a 36-day head start before Cisco’s public disclosure on March 4, 2026. The ransomware group primarily targets the education sector, followed by engineering, architecture, construction, manufacturing, healthcare, and public sector entities, often citing regulatory exposure to pressure victims into paying ransoms. Security researchers gained visibility into Interlock's operations due to a misconfigured staging server, which exposed the group's complete operational toolkit, including custom remote access trojans, reconnaissance scripts, and evasion techniques.
Interlock operates with a high degree of operational security, utilizing disposable infrastructure to launder its traffic. However, temporal analysis of artifacts from a misconfigured server indicates the threat actor likely operates in the UTC+3 timezone, with peak activity between 12:00 and 18:00. The exposed server revealed a highly organized file structure, using dedicated paths corresponding to individual targets for both downloading tools and uploading stolen data.
Security Officer Comments:
The attack vector centers on the exploitation of CVE-2026-20131. The initial attack phase involves HTTP requests directed at a specific path within the vulnerable Cisco FMC software. These requests contain Java code execution attempts alongside embedded URLs used to deliver configuration data and confirm successful exploitation. To verify the exploit, the compromised target is forced to perform an HTTP PUT request to upload a generated file back to the attacker.
Once initial access is secured, Interlock deploys a highly specialized operational toolkit beginning with a custom PowerShell reconnaissance script. This script enumerates the Windows environment by targeting OS details, Hyper-V inventories, browser artifacts, and network data. The collected intelligence is staged on a centralized network share using hostname-based directories, compressed into ZIP archives, and the original raw data is subsequently deleted. For persistent control, operators utilize two functionally equivalent Remote Access Trojans. The JavaScript variant suppresses debugging output and communicates via RC4-encrypted WebSocket connections using per-message random keys, while the Java variant leverages GlassFish ecosystem libraries. Both RATs provide interactive shell access, bidirectional file transfer, SOCKS5 proxy tunneling, and self-delete functions.
To establish a fileless foothold, a memory-resident Java webshell registers a ServletRequestListener to intercept HTTP requests, decrypting AES-128 payloads using a key derived from the MD5 hash of a hardcoded seed. A lightweight Java TCP server also acts as a network beacon on a specific high-numbered port, which is obfuscated using a Unicode character to evade static analysis. To hide command-and-control traffic, a Bash script configures Linux servers as HTTP reverse proxies via HAProxy, aided by a cron job that aggressively deletes log files every five minutes. Finally, the group supplements these custom tools by abusing legitimate software, deploying ConnectWise ScreenConnect for redundant access, Volatility for memory forensics and credential dumping, and Certify to exploit Active Directory Certificate Services misconfigurations.
Suggested Corrections:
Actionable Suggested Corrections
- Immediately apply Cisco’s security patches for Cisco Secure Firewall Management Center to remediate CVE-2026-20131.
- Review Active Directory and endpoint logs for PowerShell scripts staging data to network shares with hostname-based directory structures.
- Monitor web application contexts for unusual modifications, specifically malicious Java ServletRequestListener registrations.
- Audit Linux infrastructure for unauthorized HAProxy installations coupled with aggressive log deletion cron jobs (e.g., wiping /var/log every five minutes).
- Monitor network traffic for anomalous TCP connections to unusual high-numbered ports, specifically port 45588.
- Review all ConnectWise ScreenConnect deployments in the environment for unauthorized installations or abnormal usage patterns.
- Implement defense-in-depth strategies with multiple layers of security controls to reduce the impact of zero-day exploitation.
- Maintain continuous threat monitoring and active threat hunting capabilities within the environment.
- Ensure comprehensive logging is enabled and forward logs to a secure, centralized log storage system physically or logically separated from potentially compromised systems.
- Regularly test and update incident response procedures, specifically tailoring tabletop exercises to ransomware scenarios.
- Educate security and SOC teams on Interlock’s specific tactics, techniques, and procedures to improve detection and response times.
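Two of the hunting items above (the cron job that wipes /var/log every five minutes, and TCP connections to port 45588) lend themselves to a quick scripted sweep. The following Python helper is an added example written for this advisory, not code from Amazon or from the original post: it parses crontab text for short-interval log-deletion jobs and scans Zeek-style conn.log rows for the beacon port. The crontab and connection rows are constructed samples; the seven-column TSV layout (ts, uid, orig_h, orig_p, resp_h, resp_p, proto) is an assumption about the export format, and the 203.0.113.0/24 address is a documentation range used only as placeholder data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample crontab (not from the advisory): benign entries mixed with
# two that match the described behaviour, log wiping on a five-minute schedule.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * rm -rf /var/log/* > /dev/null 2>&1
30 */6 * * * /opt/backup/run.sh
*/5 * * * * find /var/log -type f -delete
"""

# Constructed Zeek-style conn.log rows (assumed column order, tab-separated).
SAMPLE_CONN_LOG = """\
1772640000.1\tCabc1\t10.0.0.15\t51234\t10.0.0.5\t443\ttcp
1772640005.2\tCabc2\t10.0.0.15\t51240\t203.0.113.7\t45588\ttcp
1772640010.3\tCabc3\t10.0.0.22\t51300\t10.0.0.5\t445\ttcp
1772640015.4\tCabc4\t10.0.0.15\t51250\t203.0.113.7\t45588\ttcp
"""

# Commands that remove or empty files; combined with a /var/log path below.
WIPE_RE = re.compile(r"\b(rm|shred|truncate)\b|-delete")


@dataclass
class CronFinding:
    line_no: int
    interval_minutes: int
    command: str


def minute_interval(minute_field: str) -> Optional[int]:
    """Effective run interval in minutes for a crontab minute field,
    or None when the field is not a simple repeating interval."""
    if minute_field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step:
        return int(step.group(1))
    parts = minute_field.split(",")
    if len(parts) > 1 and all(p.isdigit() for p in parts):
        vals = sorted(int(p) for p in parts)
        gaps = {b - a for a, b in zip(vals, vals[1:])}
        if len(gaps) == 1:  # evenly spaced list such as 0,5,10,...
            return gaps.pop()
    return None


def find_log_wiping_cron(crontab_text: str, max_interval: int = 5) -> List[CronFinding]:
    """Flag cron entries that delete under /var/log at least every max_interval minutes."""
    findings = []
    for line_no, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # skip comments and @hourly-style entries (no minute field)
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        interval = minute_interval(fields[0])
        command = fields[5]
        if interval is None or interval > max_interval:
            continue
        if "/var/log" in command and WIPE_RE.search(command):
            findings.append(CronFinding(line_no, interval, command))
    return findings


def find_beacon_connections(conn_text: str, port: int = 45588) -> List[dict]:
    """Return TCP rows whose responder port matches the beacon port from the advisory."""
    hits = []
    for line in conn_text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 7:
            continue
        ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = cols[:7]
        if proto == "tcp" and resp_p.isdigit() and int(resp_p) == port:
            hits.append({"ts": float(ts), "uid": uid, "src": orig_h, "dst": resp_h})
    return hits


if __name__ == "__main__":
    for f in find_log_wiping_cron(SAMPLE_CRONTAB):
        print(f"crontab line {f.line_no}: every {f.interval_minutes} min -> {f.command}")
    for h in find_beacon_connections(SAMPLE_CONN_LOG):
        print(f"beacon candidate: {h['src']} -> {h['dst']}:45588 (uid {h['uid']})")
```

Run it against a real `crontab -l` dump or the files under /etc/cron.d, and against an exported conn.log, in place of the constructed samples; a host that matches both checks (HAProxy present, logs wiped on a five-minute cadence) is a strong candidate for the reverse-proxy role described above.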
Link(s):
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/