Amazon security boss says crims abused max-security Cisco firewall flaw weeks before disclosure

Interlock's post-exploit toolkit exposed

by · The Register

Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses.

The critical security flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root on vulnerable devices. Cisco released software updates fixing the vulnerability on March 4 – but the attackers had a head start.

"Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26," Moses, the chief information security officer of Amazon Integrated Security, said on Wednesday.

A Cisco spokesperson told The Register that the company would update its security advisory to reflect the exploitation.

"We appreciate Amazon's partnership on this, and we have updated our security advisory with the latest information," the spokesperson said. "We strongly urge customers to upgrade as soon as possible and reference our security advisory for more details and guidance." 

Interlock is a ransomware crew that emerged in 2025, and has since infected hospitals and medical facilities – including kidney dialysis firm DaVita and Kettering Health, where the criminals not only disrupted chemotherapy sessions and pre-surgery appointments, but also leaked cancer patients' details online.

This criminal group also claimed to have stolen 43 GB of files from the city of Saint Paul in the summer of 2025, forcing the Minnesota capital to declare a state of emergency.

Amazon caught the intruders in its MadPot honeypot network, which logged exploit traffic tied to Interlock's infrastructure. And – in a helpful turn for network defenders – the threat intel team also spotted a misconfigured infrastructure server that exposed Interlock's attack toolkit. 

Interlock's post-exploit toolkit

That toolkit includes a PowerShell script designed to scoop up information about victims' Windows environments, such as operating system and hardware details; running services; installed software; storage configuration; Hyper-V virtual machine inventory; user file listings across Desktop, Documents, and Downloads directories; and RDP authentication events from Windows event logs. It also hoovers up browser data – history, bookmarks, stored credentials, and extensions – from Chrome, Edge, Firefox, Internet Explorer, and the 360 browser.

After collecting all of this data from victims' computers, the script compresses it into ZIP archives named for each host. "This structured per-host output format indicates the script operates across multiple machines within a network – a hallmark of ransomware intrusion chains that prepare for organization-wide encryption," Moses wrote.

Interlock also uses several custom remote access trojans (RATs) to maintain persistent access to compromised machines. A JavaScript implant overrides browser console methods to hide its activity from malware-detection tools, then uses PowerShell and Windows Management Instrumentation to profile the infected host in more depth: system identity, domain membership, username, OS version, and privilege context. It encrypts that data and sends it to the attacker-controlled command-and-control server over persistent WebSocket connections.

Plus, it provides interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capability for tunneling TCP traffic. It updates itself and can self-delete, allowing the ransomware operators to remove or replace it without reinfecting the computer.

After breaking in, Interlock also uses its illicit access to drop a second implant, this one Java-based and built on GlassFish ecosystem libraries, with the same capabilities. Using nearly identical implants in two different programming languages gives the criminals a backup, ensuring that they can maintain access to victims' devices even if one of the implants is detected.

Additionally, Amazon spotted a Bash script that configures Linux servers as HTTP reverse proxies, applies system updates, wipes logs every five minutes, and ensures the proxy comes back up when the machine reboots.
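A five-minute log-wiping cadence plus a reboot hook is the kind of pattern a defender can hunt for in cron on a Linux box. The script below is an added example, not code from Amazon's report or from Interlock's toolkit: it takes crontab text and flags entries that fire every few minutes and touch /var/log destructively, and separately lists @reboot entries. The crontab it scans is constructed sample input; no cron entries from the real script were published, and the paths in the sample are made up.

```shell
#!/bin/sh
# Added example: hunt a crontab for high-frequency log tampering and @reboot
# persistence. Not from Amazon's report; the crontab below is constructed sample
# input and its paths are made up.

SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/apt-get -y upgrade >/dev/null 2>&1
*/5 * * * * find /var/log -type f -exec truncate -s 0 {} \;
*/5 * * * * rm -f /var/log/nginx/access.log /var/log/nginx/error.log
@reboot /opt/.proxy/start.sh
15 * * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Entries whose minute field is "*" or "*/N" with N <= max (default 10).
# Comments, blank lines and @-style specials are skipped.
high_frequency_jobs() {
    printf '%s\n' "$1" | awk -v max="${2:-10}" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "*" { print; next }
        $1 ~ /^\*\/[0-9]+$/ { n = substr($1, 3) + 0; if (n <= max) print }
    '
}

# Entries whose command references /var/log together with a destructive verb
# (rm, truncate, shred, unlink) or a redirection that empties a file.
log_tampering_jobs() {
    printf '%s\n' "$1" \
        | grep -E '/var/log' \
        | grep -E '(^|[[:space:];&|])(rm|truncate|shred|unlink)[[:space:]]|:[[:space:]]*>|>[[:space:]]*/var/log'
}

# The intersection: log tampering scheduled at a high frequency.
suspicious_jobs() {
    log_tampering_jobs "$(high_frequency_jobs "$1" "$2")"
}

# @reboot entries are the usual cron route to surviving a restart.
reboot_jobs() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*@reboot[[:space:]]'
}

echo "== high-frequency jobs that tamper with logs =="
suspicious_jobs "$SAMPLE_CRONTAB"
echo "== @reboot persistence =="
reboot_jobs "$SAMPLE_CRONTAB"

# On a real host, feed it the live crontabs instead of the sample, e.g.:
#   suspicious_jobs "$(crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null)"
```

The hourly logrotate line in the sample is deliberately not flagged: it does not name /var/log on its command line and runs at a normal cadence, which is the false positive a cruder "anything touching logs" check would raise. Cron is only one persistence route; the same cadence can live in a systemd timer, so the timer units under /etc/systemd/system deserve the same look.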

The attackers also deployed additional Java class files, including a memory-resident backdoor that intercepts HTTP requests in memory – nothing is written to disk – to evade antivirus scanning tools, and a tool that functions as a lightweight network beacon to verify code execution and confirm that network ports are reachable.

But wait, there's more…

In addition to custom malware, the ransomware slingers also deployed legitimate software, some of it chosen so their traffic would blend in with authorized remote access: ConnectWise ScreenConnect for remote desktop control; Volatility, the open source memory forensics framework; and Certify, an open source offensive security tool that red teams use to exploit misconfigurations in Active Directory Certificate Services (AD CS).

"When ransomware operators deploy legitimate remote access tools alongside their custom malware, they're buying insurance – if defenders find and remove one backdoor, they still have another way in," Moses wrote. "This indicates multiple redundant remote access mechanisms – a pattern consistent with ransomware operators seeking to maintain access even if individual footholds are removed."

Amazon attributed the malicious activity to Interlock based on an ELF binary, an embedded ransom note, and a Tor negotiation portal, among other artifacts. The ransom note, we're told, also threatened to report victims to regulators, using the pressure of fines and compliance violations – on top of data encryption and leaks – to extract payment. ®