Interlock ransomware gang exploited Cisco firewall zero-day weeks before disclosure: Amazon
Summary
Amazon Integrated Security’s CISO CJ Moses has published findings showing the Interlock ransomware group exploited a critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center before it was publicly disclosed. Amazon’s telemetry indicates Interlock began exploiting the bug on 26 January, giving the gang weeks of head start before Cisco’s public advisory on 4 March.
Researchers uncovered the exploitation through a misconfigured staging server used by the attackers, recovering custom malware, scripts, evasion techniques, a ransom note and a negotiation portal that tied the activity to Interlock. The report highlights Interlock’s focus on high-impact targets — local government, education and healthcare — and notes the group often operates in the UTC+3 timezone and uses a mix of bespoke malware and legitimate admin/security tooling.
Key Points
- Interlock exploited CVE-2026-20131 in Cisco Secure Firewall Management Center starting 26 January, before the vulnerability was disclosed on 4 March.
- Amazon discovered the exploitation by analysing a misconfigured infrastructure server used by the gang as a staging area.
- Researchers recovered custom malware, reconnaissance and evasion scripts, and the gang’s ransom note and negotiation portal, enabling attribution to Interlock.
- Interlock targets organisations that cannot afford downtime — local governments, schools and health providers — and pressures victims by citing regulatory exposure.
- The group uses both bespoke malicious tools and legitimate administration/security software (e.g. ConnectWise ScreenConnect, Volatility, Certify).
- Analysts observed activity in the UTC+3 timezone and noted possible links between Interlock and the Rhysida operation.
Context and Relevance
This is high-impact intelligence: a zero-day in a centralised firewall management platform gives attackers a powerful foothold across multiple organisations. For security teams, the key lessons are the limits of patching alone (attackers can exploit bugs before patches exist), the importance of monitoring for unusual admin-tool usage, and the value of threat hunting that can detect staging infrastructure or leaked attacker artefacts.
Given Interlock’s track record — disruptive incidents against a US city, healthcare providers and numerous schools — this disclosure matters to any organisation running Cisco Secure Firewall Management Center or managing firewall fleets centrally. The incident also underscores broader trends in ransomware: targeted pressure on entities sensitive to downtime and the use of regulatory threats to escalate extortion.
Why should I read this?
Short version: this isn’t academic — it’s practical and urgent. If you run Cisco firewall management, you need to know how attackers got in before patches were public, what they left behind on a staging server, and what behaviours to hunt for. We’ve read the technical mess so you don’t have to — and flagged the bits that matter for defenders right now.
Source
Source: https://therecord.media/cisco-ransomware-interlock-firewalls
