Interlock Ransomware Exploits Cisco FMC Zero-Day Vulnerability 36 Days Prior to Public Disclosure
A recent investigation by Amazon’s threat intelligence teams has unveiled a significant cyber campaign linked to the Interlock ransomware group. This campaign exploits a critical vulnerability in Cisco’s Secure Firewall Management Center (FMC) software, tracked as CVE-2026-20131. Disclosed by Cisco on March 4, this vulnerability allows unauthenticated remote attackers to execute arbitrary Java code with root privileges on affected FMC devices.
Early Exploitation of the Vulnerability
Research conducted through Amazon’s MadPot, a global honeypot network designed to monitor malicious activities, revealed that Interlock had begun exploiting this vulnerability as early as January 26, 2026—36 days before Cisco’s public disclosure. This early exploitation provided the attackers with a zero-day advantage, allowing them to compromise organizations before defenders were even aware of the risk.
Amazon’s findings indicate that the exploitation involved crafted HTTP requests targeting specific paths in vulnerable systems. These requests contained embedded Java code and URLs—one delivering configuration data to facilitate the exploit, while another confirmed successful compromise by triggering an HTTP PUT request from the victim system.
Investigation and Attack Progression
To further investigate the attack, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This action triggered the next phase of the attack, during which Interlock issued commands to download and execute a malicious Linux binary.
The use of Amazon MadPot was crucial in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit, which included reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms. This level of organization reflects a structured and repeatable attack methodology.
Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign.
Tactics and Attribution of Interlock Ransomware
The malware and artifacts recovered during the investigation were attributed to the Interlock ransomware family based on several consistent indicators. These included a ransom note and a TOR-based negotiation portal that aligned with Interlock’s known branding and operational style. The ransom notes notably referenced multiple data protection regulations, a tactic used by Interlock to pressure victims by threatening not only data encryption but also potential regulatory penalties.
Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations. Temporal analysis of the attack activity suggests that the operators likely function in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.
Post-Exploitation Techniques
Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections. This data is organized into per-host directories on a centralized network share and compressed into ZIP archives for exfiltration, indicating preparation for large-scale ransomware deployment across multiple systems.
Interlock employs multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers via WebSockets. Messages are encrypted using RC4 with unique keys for each transmission. A second variant, implemented in Java, provides the same capabilities using different libraries, ensuring continued access even if one version is detected and removed.
To hide their tracks, Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult.
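As an added detection illustration (not code from the article or from Amazon's report), the check below looks for the log-wiping behaviour described above: it reads constructed file-size snapshots from a hypothetical file-integrity agent and flags any log that is truncated on a steady five-minute cadence, which routine daily rotation does not produce.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed size snapshots from a hypothetical file-integrity agent, one per
# minute, in the form "<ISO time> <path> <bytes>". Sizes reset every five
# minutes: the pattern a script that wipes logs on that cadence would leave.
WIPED_SNAPSHOTS = "\n".join(
    f"2026-02-01T09:{m:02d}:00 /var/log/httpd/access_log {(m % 5 + 1) * 4096}"
    for m in range(31)
)
# Constructed baseline: the same log growing normally with no truncation.
NORMAL_SNAPSHOTS = "\n".join(
    f"2026-02-01T09:{m:02d}:00 /var/log/httpd/access_log {(m + 1) * 4096}"
    for m in range(31)
)

def parse_snapshots(text):
    """Group agent lines into {path: [(timestamp, size), ...]} sorted by time."""
    series = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path, size = line.split()
        series.setdefault(path, []).append((datetime.fromisoformat(ts), int(size)))
    for samples in series.values():
        samples.sort()
    return series

def truncation_times(samples):
    """Timestamps at which the file shrank, i.e. was truncated or replaced."""
    return [t1 for (_, s0), (t1, s1) in zip(samples, samples[1:]) if s1 < s0]

def find_periodic_wipes(text, period=timedelta(minutes=5),
                        tolerance=timedelta(seconds=60), min_events=3):
    """Return {path: median_gap_seconds} for logs truncated on a steady short cadence.
    Routine logrotate shrinks a file once a day or week; a log that shrinks every
    few minutes at a regular interval is the anti-forensic behaviour to alert on."""
    hits = {}
    for path, samples in parse_snapshots(text).items():
        events = truncation_times(samples)
        if len(events) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(events, events[1:])]
        typical = median(gaps)
        if abs(typical - period) <= tolerance:
            hits[path] = typical.total_seconds()
    return hits
```

The same snapshots can come from any agent that records file sizes on a schedule; the signal is the regular interval between shrink events, not the absolute size.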
Advanced Techniques and Tools
Among the more advanced components observed in the campaign is a memory-resident webshell, delivered as a Java class. This webshell operates entirely in memory, avoiding disk-based detection, intercepting HTTP requests, and executing encrypted payloads dynamically within the Java Virtual Machine. Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.
Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures that attackers retain control even if custom malware is removed.
Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.
Public reporting on this campaign underscores the urgent need for organizations to strengthen their security posture, especially given the sophisticated tactics employed by the Interlock ransomware group.