Amazon security boss says crims abused max-security Cisco firewall flaw weeks before disclosure
Summary
Amazon Integrated Security's CISO, CJ Moses, reported that ransomware operators linked to the Interlock group exploited CVE-2026-20131, a maximum-severity remote-code-execution flaw in Cisco Secure Firewall Management Center (FMC), as a zero-day from around 26 January, some 36 days before Cisco published fixes on 4 March.
Amazon observed the exploit traffic in its MadPot honeypot network and discovered a misconfigured attacker server that exposed Interlock's post-exploitation toolkit. The toolkit combines bespoke implants (PowerShell scripts, RATs, Java/GlassFish-based implants and memory-resident backdoors), Linux reverse-proxy scripts, and publicly available remote-access and forensics tools used to hide and sustain access. Cisco has said it will update its advisory and urges customers to upgrade immediately.
Key Points
- CVE-2026-20131 allowed an unauthenticated remote attacker to execute arbitrary Java code as root on Cisco Secure Firewall Management Center (FMC) appliances.
- Amazon says Interlock exploited the flaw from 26 January — 36 days before Cisco’s 4 March patch release.
- Amazon’s honeypot captured exploit traffic and exposed a misconfigured attacker server that leaked Interlock’s toolkit and infrastructure details.
- The toolkit harvests extensive Windows host data (OS, services, Hyper-V inventory, file listings, browser data) and packages per-host ZIPs for exfiltration.
- Interlock employs multiple persistence and remote-access mechanisms: custom RATs, Java implants, JavaScript browser implants, Bash reverse proxies, SOCKS5 tunnelling, and memory-only backdoors that leave little on disk for file-based detection.
- Attackers also use publicly available tooling (ConnectWise ScreenConnect for remote access, Volatility for memory forensics, Certify for Active Directory Certificate Services enumeration) alongside custom malware, so that much of the activity blends into ordinary administrative traffic.
- Interlock is a known ransomware actor that has previously hit hospitals and municipal targets and uses threats of regulatory exposure in ransom demands.
- Cisco will update its security advisory; organisations running affected Cisco FMC appliances should apply vendor updates immediately and, because the flaw was exploited for over a month before fixes existed, review telemetry from that window for indicators of compromise rather than assuming the patch alone closes the incident.
Why should I read this?
Short version: if you run Cisco Secure Firewall Management Center, stop what you're doing and patch now. Then keep going: a patch closes the door but does not evict anyone who already walked through it, so if your FMC was reachable from untrusted networks between late January and 4 March, treat it as potentially compromised and hunt for the post-exploitation tooling described here. This story shows that a professional ransomware gang had a five-week head start on a max-severity zero-day, and that sloppy attacker ops (a misconfigured server) let defenders peek into their whole playbook. It is a useful wake-up call about patching urgency, layered defences, and hunting for signs of post-exploit toolkits in your network.
Author style
Punchy: this isn't hypothetical; it is evidence of active exploitation before disclosure and of a deep, multi-tool intrusion approach. Read the details if you manage network defence or incident response; it is directly actionable intel.
