Amazon Integrated Security researchers reported that the Interlock ransomware gang exploited a zero-day in Cisco Secure Firewall Management Center (CVE-2026-20131) as early as January 26, before the vulnerability was publicly disclosed. The report links Interlock to disruptive attacks on local governments, healthcare, and education, and details the gang’s use of custom malware, legitimate administration tools, and a misconfigured staging server that revealed their operations. #Interlock #CVE-2026-20131
Key points
- Interlock exploited CVE-2026-20131 in Cisco Secure Firewall Management Center before public disclosure.
- Amazon researchers attributed the exploitation to Interlock after discovering custom malware, scripts, a ransom note, and a negotiation portal on a misconfigured staging server.
- Interlock has targeted organizations that cannot easily absorb downtime, including local governments, K-12 schools, and healthcare providers.
- The actors combine custom malicious tools with legitimate administration and security products during intrusions.
- Analysts observed activity in the UTC+3 timezone and noted potential links between Interlock and the Rhysida ransomware operation.
Read More: https://therecord.media/cisco-ransomware-interlock-firewalls