The Interlock ransomware group exploited CVE-2026-20131, a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center, as a zero-day for 36 days before Cisco patched it on March 4. Amazon's CISO CJ Moses disclosed the findings, noting that Amazon's MadPot honeypot network caught the exploit traffic and also discovered a misconfigured Interlock infrastructure server that exposed their full post-exploitation toolkit. That toolkit includes PowerShell reconnaissance scripts, a JavaScript browser implant using WebSocket C2 communications, a Java-based GlassFish implant as a backup, a Linux reverse proxy Bash script, memory-resident backdoors that avoid disk writes, and legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify to blend in with normal traffic. Interlock has previously targeted hospitals, medical facilities, and municipal governments.

From go.theregister.com