Amazon Threat Intelligence has issued a warning about an ongoing Interlock ransomware campaign that is exploiting a recently disclosed critical security vulnerability in Cisco Secure Firewall Management Center (FMC) Software.
The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), an insecure deserialization of a user-supplied Java byte stream. The flaw could allow a remote, unauthenticated attacker to bypass authentication and run arbitrary Java code as root on a targeted device.
Amazon’s MadPot global sensor network has gathered data indicating that this security flaw has been actively exploited as a zero-day vulnerability since January 26, 2026, more than a month prior to its public disclosure by Cisco.
CJ Moses, the Chief Information Security Officer (CISO) of Amazon Integrated Security, stated in a report shared with The Hacker News that this exploit gave Interlock a significant advantage, allowing them to compromise organizations before defenders were even aware of the vulnerability.
Amazon was able to make this discovery due to a security oversight on the part of the threat actor, which exposed their operational toolkit through a misconfigured infrastructure server. This exposed details of their multi-stage attack chain, custom remote access trojans, reconnaissance scripts, and evasion tactics.
The attack chain involves sending specific HTTP requests to a particular path in the affected software to execute arbitrary Java code. Following successful exploitation, the compromised system communicates with an external server via an HTTP PUT request. Subsequently, commands are sent to retrieve an ELF binary from a remote server, which contains additional tools used by Interlock.
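As an added illustration (not code from the article or from Amazon's report), the following Python check runs over constructed proxy log lines and flags the post-exploitation sequence described above: a management host making an outbound HTTP PUT to a destination that is not allowlisted, followed shortly afterwards by the retrieval of an ELF binary. The log format, the FMC address, the allowlist and the hex `magic` column are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines (hypothetical; not indicators from the article).
# Format assumed: timestamp src method url status content-type [first-4-bytes-hex]
SAMPLE_LOG = """\
2026-02-02T10:14:03Z 10.0.5.20 PUT http://203.0.113.7/upload 200 text/plain
2026-02-02T10:14:09Z 10.0.5.20 GET http://203.0.113.7/p/agent 200 application/octet-stream 7f454c46
2026-02-02T10:20:00Z 10.0.5.21 GET http://updates.example.net/rel.json 200 application/json 7b227665
2026-02-02T11:00:00Z 10.0.5.20 PUT http://internal-backup.example.net/x 200 text/plain
"""

FMC_HOSTS = {"10.0.5.20"}                     # assumed address of the FMC appliance
ALLOWED_DESTS = {"internal-backup.example.net"}  # destinations the appliance may legitimately PUT to
ELF_MAGIC = "7f454c46"                        # hex of the four-byte ELF header 0x7f 'E' 'L' 'F'
WINDOW = timedelta(minutes=10)                # how soon after the PUT the ELF fetch must occur

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)(?: (\S+))?$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, ctype, magic = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0]
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "host": host, "url": url, "ctype": ctype, "magic": magic or ""}

def find_suspicious_sequences(log_text):
    """Return (put_url, elf_url) pairs: an FMC host PUTs to a non-allowlisted host,
    then the same source downloads an ELF body within WINDOW."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    hits = []
    for i, put in enumerate(events):
        if put["src"] not in FMC_HOSTS or put["method"] != "PUT" or put["host"] in ALLOWED_DESTS:
            continue
        for later in events[i + 1:]:
            if (later["src"] == put["src"] and later["magic"] == ELF_MAGIC
                    and later["ts"] - put["ts"] <= WINDOW):
                hits.append((put["url"], later["url"]))
    return hits

if __name__ == "__main__":
    for put_url, elf_url in find_suspicious_sequences(SAMPLE_LOG):
        print(f"ALERT: outbound PUT {put_url} followed by ELF download {elf_url}")
```

A management appliance should rarely need to upload to or fetch executables from arbitrary external hosts, so this pairing is a low-noise signal even without the campaign's specific indicators.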
The identified tools used by Interlock include:
- A PowerShell reconnaissance script for Windows environment enumeration.
- Custom remote access trojans for command-and-control purposes.
- A Bash script for configuring Linux servers as HTTP reverse proxies.
- A memory-resident web shell for executing encrypted command payloads.
- A lightweight network beacon for validating successful code execution.
- ConnectWise ScreenConnect for persistent remote access.
- Volatility Framework for memory forensics.

Interlock’s activities are linked through technical and operational indicators, including ransom notes and Tor negotiation portals. Evidence suggests that the threat actor operates in the UTC+3 time zone.
Users are strongly advised to apply patches promptly, conduct security assessments, review ScreenConnect deployments, and implement defense-in-depth strategies to mitigate the risk posed by exploitation of this vulnerability.
Moses emphasized the importance of defense-in-depth in the face of zero-day exploits, highlighting the need for layered security controls to protect organizations during the critical window between exploit and patch availability.
Recent reports from Google indicate a shift in ransomware tactics, with threat actors targeting vulnerabilities in VPNs and firewalls for initial access. Additionally, ransomware operators are relying less on external tools and more on built-in Windows capabilities.
Threat actors are increasingly using malvertising and SEO tactics to distribute malware payloads, along with compromised credentials and backdoors for establishing footholds in victim environments.
Google warns that while ransomware remains a prevalent threat, declining profits may lead threat actors to explore alternative monetization methods such as data theft extortion or phishing operations using compromised infrastructure.