A recent vulnerability in Cisco’s firewall systems, identified as CVE-2026-20131, has been actively exploited as a zero-day since late January, according to Amazon’s threat intelligence team. Although patches were released by Cisco earlier this month, this security flaw had already been targeted by cybercriminals, raising significant concerns within the tech community.
Details of the Vulnerability
The security issue affects Cisco’s Secure Firewall Management Center (FMC) software, specifically its web-based management interface. The vulnerability allows remote, unauthenticated attackers to execute arbitrary Java code as root, posing a severe threat to affected systems. Cisco advised that limiting exposure of the FMC management interface to the internet reduces the attack risk.
Cisco officially addressed the vulnerability on March 4, along with numerous other issues in its FMC, ASA, and Secure FTD products. By then, however, the Interlock cybercrime group had already leveraged the flaw in ransomware operations.
Interlock’s Exploitation and Patterns
An investigation revealed that the Interlock group began exploiting the vulnerability as a zero-day from January 26. Amazon’s researchers discovered a misconfigured server linked to Interlock, revealing insights into their attack strategies, including custom remote access tools, reconnaissance scripts, and evasion methods.
Interlock is notorious for targeting sectors where operational disruptions can pressure victims into paying ransoms. Their attacks primarily focus on education, engineering, architecture, construction, manufacturing, healthcare, and government sectors.
Geographical and Temporal Analysis
Analysis of activity timestamps and server data suggests that Interlock operates predominantly in the UTC+3 time zone, with primary activity occurring from 08:30 to 18:00. These patterns hint at a possible base in Russia, with alternative origins in Belarus or certain Middle Eastern countries.
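The working-hours inference described above, as an added illustration rather than Amazon’s own tooling or data: each candidate UTC offset is scored by how many activity timestamps fall inside a 08:30 to 18:00 local window, and the best-scoring offsets are reported. The timestamps are constructed for the example; the heuristic narrows candidate offsets but cannot distinguish countries that share the same one.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of UTC activity timestamps (hypothetical, not Amazon's data).
# They cluster between 05:30 and 15:00 UTC, i.e. 08:30 to 18:00 in UTC+3,
# with one outlier late in the UTC day.
SAMPLE_EVENTS_UTC = [
    "2026-01-26T05:41:00Z", "2026-01-26T07:12:00Z", "2026-01-26T09:05:00Z",
    "2026-01-26T11:30:00Z", "2026-01-26T13:47:00Z", "2026-01-26T14:55:00Z",
    "2026-01-27T06:02:00Z", "2026-01-27T08:20:00Z", "2026-01-27T10:15:00Z",
    "2026-01-27T12:40:00Z", "2026-01-27T14:10:00Z", "2026-01-28T22:30:00Z",
]

WORK_START = 8 * 60 + 30   # 08:30 local time, expressed in minutes
WORK_END = 18 * 60         # 18:00 local time


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_hours(ts_utc, offset_hours):
    """True if the event falls inside the working window at the given UTC offset."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    minutes = local.hour * 60 + local.minute
    return WORK_START <= minutes < WORK_END


def score_offsets(events, offsets=range(-12, 15)):
    """Fraction of events inside the working window for each candidate offset."""
    stamps = [parse_utc(e) for e in events]
    return {off: sum(in_work_hours(s, off) for s in stamps) / len(stamps)
            for off in offsets}


def likely_offsets(events, tolerance=0.0):
    """Offsets whose score is within `tolerance` of the best score, ascending."""
    scores = score_offsets(events)
    best = max(scores.values())
    return sorted(off for off, sc in scores.items() if sc >= best - tolerance)


if __name__ == "__main__":
    for off, sc in sorted(score_offsets(SAMPLE_EVENTS_UTC).items()):
        print(f"UTC{off:+d}: {sc:.2f}")
    print("most consistent offset(s):", likely_offsets(SAMPLE_EVENTS_UTC))
```

Real investigations weight this against other evidence (language artifacts, holidays, infrastructure), since a single window fits several regions.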
Amazon has shared indicators of compromise (IoCs) to assist cybersecurity professionals in detecting and countering Interlock’s ransomware activities.
This development underscores the critical need for constant vigilance and timely updates to cybersecurity measures, particularly in sectors vulnerable to high-impact disruptions.
