Amazon Threat Intelligence has issued a warning regarding an active Interlock ransomware campaign exploiting a critical zero-day in Cisco Secure Firewall Management Center (FMC) software. The vulnerability, CVE-2026-20131 (CVSS 10.0), stems from insecure deserialization of user-supplied Java byte streams, enabling unauthenticated attackers to execute arbitrary Java code as root.
According to Amazon’s MadPot global sensor network, the flaw has been actively exploited since January 26, 2026, more than a month before Cisco publicly disclosed it. CJ Moses, CJ Moses, said, “Interlock had a zero-day in hand, giving them a head start to compromise organizations before defenders even knew to look.”
The attack chain begins with crafted HTTP requests targeting the vulnerable FMC path. Once the system is exploited, it issues HTTP PUT requests to confirm successful compromise and downloads an ELF binary hosting additional tools tied to Interlock operations.

Tools Used by Interlock
Researchers have identified multiple components employed by the ransomware group:
- PowerShell reconnaissance scripts – Gather Windows environment details including OS, hardware, installed software, running services, storage configuration, virtual machine inventory, browser artifacts, active network connections, and RDP authentication events.
- Custom Java and JavaScript remote access trojans – Provide command-and-control, interactive shells, arbitrary command execution, bidirectional file transfer, SOCKS5 proxy, self-update, and self-delete capabilities.
- Bash scripts for Linux proxy setup – Configure HTTP reverse proxies, deploy fail2ban, compile HAProxy instances forwarding traffic to a hard-coded IP, and periodically erase logs and shell history to evade detection.
- Memory-resident web shells – Inspect incoming requests for encrypted command payloads, decrypt, and execute them.
- Lightweight network beacons – Confirm successful code execution or network reachability.
- ConnectWise ScreenConnect – Serves as a persistent remote access tool or alternative foothold.
- Volatility Framework – Used for memory forensics and analysis.
Operational Insights
Indicators link the attacks to Interlock via embedded ransom notes and a TOR negotiation portal. The threat actor likely operates in the UTC+3 time zone. Active exploitation emphasizes the urgency of patching affected systems, reviewing ScreenConnect deployments, and implementing defense-in-depth strategies.
Defensive Measures
Experts recommend organizations to:
- Apply Cisco FMC patches immediately
- Conduct thorough security assessments for potential compromises
- Review ScreenConnect installations for unauthorized deployment
- Implement layered security controls to minimize risk if a single control fails
- Maintain robust vulnerability management processes to reduce exposure during zero-day windows
CJ Moses emphasized, “Zero-day exploits present a fundamental challenge to every security model. Defense-in-depth ensures protection even when patches are not yet applied.”
Broader Context
Google reports ransomware actors are adapting tactics due to declining payouts, increasingly targeting VPNs and firewalls for initial access, leveraging built-in Windows tools, and using compromised credentials or backdoors. This trend underscores the growing need for continuous monitoring, early detection, and proactive mitigation of ransomware threats.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.


