Interlock Ransomware Targets Cisco Enterprise Firewalls
The ransomware gang, known for double-extortion attacks, had access to a critical Cisco firewall vulnerability weeks before it was publicly disclosed.
Alexander Culafi, Senior News Writer, Dark Reading
March 20, 2026
4 Min Read
Threat actors had access to a critical zero-day several weeks before it was patched and publicly disclosed.
An Interlock ransomware campaign is targeting Cisco firewalls, according to an advisory recently shared by Amazon Web Services (AWS). Specifically, this campaign leverages CVE-2026-20131, a critical vulnerability (CVSS score of 10) in the Web-based management interface of Cisco's Secure Firewall Management Center (FMC) Software; if exploited, it can allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Cisco disclosed the vulnerability on March 4, and said in an advisory at the time that it was caused by "insecure deserialization of a user-supplied Java byte stream." The attacker would send a crafted serialized Java object to a vulnerable device's Web-based management interface.
CVE-2026-20131 impacts all unpatched versions of Cisco Secure FMC Software and Cisco Security Cloud Control (SCC). The latter is a software-as-a-service (SaaS) product and is upgraded without user action, but FMC users should immediately upgrade to a fixed release. Cisco also said that its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software are unaffected by the vulnerability. Customers can use the Cisco Software Checker to assess their exposure level.
CJ Moses, chief information security officer (CISO) of Amazon Integrated Security, published a blog post on March 18 detailing how the Interlock ransomware gang is exploiting the vulnerability to target at-risk organizations. Interlock is a financially motivated ransomware actor known for double-extortion attacks (encryption plus data theft).
Following Cisco's disclosure, Amazon researchers determined that Interlock exploited CVE-2026-20131 as far back as Jan. 26, making it a zero-day flaw. Through its research, which included the use of honeypots, Amazon discovered a misconfigured infrastructure server that "exposed Interlock's complete operational toolkit."
"This rare mistake provided Amazon's security teams with visibility into the ransomware group's multi-stage attack chain, custom remote-access Trojans (backdoor programs that give attackers control of compromised systems), reconnaissance scripts (automated tools for mapping victim networks), and evasion techniques," Moses wrote.
A Look Under Interlock Ransomware's Hood
Once Interlock gains initial access, in this case by exploiting the firewall software bug, the group uses a series of tools, such as a PowerShell script that enumerates the Windows environment and collects basic data, then creates a directory on attacker-controlled infrastructure holding the data collected from each compromised computer.
The Interlock attacker then deploys a remote-access Trojan (RAT) to gain complete access to a compromised device and establish command and control (C2). Amazon observed Interlock deploying both JavaScript-based and Java-based backdoors, which Moses noted ensures "they maintain access even if defenders detect one version."
Other discovered tools included a disposable relay network (in this case built with a Bash script) so the attacker could hide their true location, a memory-resident backdoor that avoids antivirus detection, connectivity verification tooling, and deployment of legitimate remote-access tools to ensure Interlock would still have a way in if the other backdoors are found.
Fancy attacker tooling is nothing new, but Moses noted that the actual danger in this case is this tooling combined with the possession of a critical zero-day.
"The real story here isn't just about one vulnerability or one ransomware group — it's about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can't protect you in that critical window," he wrote. "This is precisely why defense in depth is essential — layered security controls provide protection when any single control fails or hasn't yet been deployed."
Amazon's blog post includes indicators of compromise as well as additional detection recommendations.
Why Are Firewalls Like This?
Unfortunately, critical vulnerabilities in products from firewall vendors like Cisco, Ivanti, SonicWall, and Fortinet are a dime a dozen. Recorded Future's H1 2025 Malware and Vulnerability Trends report found that edge security and gateway devices (such as firewalls and VPNs) accounted for 17% of vulnerabilities exploited by threat actors during the first half of last year.
As for why, Vincenzo Iozzo, CEO and cofounder at identity vendor SlashID, tells Dark Reading that firewalls are appealing in part because they are Internet-facing and, therefore, generally easily accessible. They also tend to have proprietary software historically "riddled with vulnerabilities" and lacking detection capabilities. Firewalls also "tend to be useful as a pivot point for attackers that want to move laterally into a victim's network."
Similarly, Jeff Liford, associate director at cyber disaster recovery firm Fenix24, explains that the firewall industry has experienced "substantial security pressure over the past year," and most major vendors have had to patch multiple critical flaws during this period.
"In our incident response work throughout 2025, we saw firewall compromise act as the initial entry point in a significant number of ransomware cases," he says. "These devices are often mission-critical. However, they are sometimes under-maintained, making them attractive targets."
Cisco did not respond to Dark Reading's request for comment.
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.