Interlock Ransomware Exploiting Cisco FMC Vulnerability (CVE-2026-20131)

CVE-2026-20131 is an unauthenticated remote code execution (RCE) vulnerability in Cisco Secure Firewall Management Center (FMC), caused by insecure Java deserialization. It has been actively exploited in the wild, notably by the Interlock ransomware group, including pre-disclosure (zero-day) exploitation starting January 2026.

Severity: Critical

Vulnerability Overview

  • CVE ID: CVE-2026-20131
  • CVSS Score: 10.0
  • Type: Insecure Deserialization (CWE-502)
  • Impact: Unauthenticated, remote attackers can execute arbitrary Java code as root via the web-based management interface.
  • Affected Products: Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management.

Threat Actor Profile: Interlock Ransomware

  • Origin: Highly likely to operate in UTC+3 (75–80% confidence).
  • Targets: Education (primary), engineering, architecture, manufacturing, healthcare, and government sectors.
  • Strategy: Utilizes “double extortion” by threatening both data encryption and regulatory fines (GDPR/compliance) to pressure victims.

Attack Details

1. Initial Access & Exploitation

  • Technique: Sends crafted serialized Java objects to the FMC web interface.
  • Execution: Drops a malicious ELF binary or a functionally equivalent Java-based implant.

2. Persistence & Command-and-Control (C2)

  • Redundant Backdoors: Uses both JavaScript and Java-based Remote Access Trojans (RATs).
  • Fileless Persistence: Registers a ServletRequestListener in memory to intercept HTTP requests, evading traditional disk-based antivirus.
  • Infrastructure Laundering: Deploys HAProxy on Linux servers as reverse proxies to hide the attacker’s true IP address.
  • Log Evasion: Employs a cron job that wipes all system logs every five minutes.

3. Reconnaissance & Lateral Movement

  • Network Mapping: Uses PowerShell scripts to systematically enumerate Windows environments, staging data for extraction.
  • Tool Abuse: Deploys legitimate tools like ConnectWise ScreenConnect for redundant access and Certify to exploit Active Directory Certificate Services (AD CS).

Recommendations

  1. Prioritize upgrading Cisco Secure FMC and Cisco SCC Firewall Management to the fixed software releases.
  2. Review all environments for unauthorized installations of ConnectWise ScreenConnect.
  3. Implement detections for the registration of new ServletRequestListener objects within Java web applications.
  4. Monitor for outbound TCP traffic on unusual high-numbered ports, specifically port 45588, which is used by Interlock as a “phone home” beacon.
  5. Audit Linux-based proxy servers for HAProxy installations that feature aggressive cron jobs designed to truncate or delete *.log files every five minutes.
  6. Watch for PowerShell scripts that stage data into network shares using hostname-based directory structures.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/284e7c25a7301d665172939dfde1bb519a37efd49cd821d146554f5137f203b4/iocs
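The following is an added example, not part of the advisory or any vendor tooling, showing how recommendations 4 and 5 can be turned into simple detection logic: it flags crontab entries that run every five minutes and truncate or delete *.log files, and outbound TCP connections from internal hosts to port 45588. The crontab lines and the space-separated connection log format are constructed for the example; the `10.` internal prefix is an assumption to adjust to your own address space.

```python
import re

# Constructed sample crontab dump (e.g. from /etc/crontab); not real IOCs.
SAMPLE_CRONTAB = """\
*/5 * * * * root find /var/log -name '*.log' -exec truncate -s 0 {} \\;
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root rm -f /var/log/*.log
"""

# Constructed connection log: timestamp src sport dst dport proto
SAMPLE_CONN = """\
1704067200.1 10.0.0.5 52134 203.0.113.10 443 tcp
1704067260.2 10.0.0.5 52135 203.0.113.10 45588 tcp
1704067320.3 10.0.0.7 40000 198.51.100.9 45588 udp
"""

# Commands commonly used to empty or remove log files.
LOG_WIPE_CMD = re.compile(r"(truncate|rm\s+-r?f|shred|>\s*\S*\.log)")
# Cron schedule field meaning "every five minutes".
EVERY_FIVE_MIN = re.compile(r"^\*/5\s+\*\s+\*\s+\*\s+\*\s+")


def suspicious_cron_entries(crontab_text):
    """Return crontab lines that wipe *.log files on a five-minute schedule."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if EVERY_FIVE_MIN.match(line) and ".log" in line and LOG_WIPE_CMD.search(line):
            hits.append(line)
    return hits


def beacon_connections(conn_text, beacon_port=45588, internal_prefix="10."):
    """Return (src, dst, port) for outbound TCP flows to the beacon port."""
    hits = []
    for line in conn_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than crash on them
        _ts, src, _sport, dst, dport, proto = fields[:6]
        outbound = src.startswith(internal_prefix) and not dst.startswith(internal_prefix)
        if proto == "tcp" and int(dport) == beacon_port and outbound:
            hits.append((src, dst, int(dport)))
    return hits
```

Feed real crontab output and flow records through the two functions in place of the constructed samples; the UDP line is deliberately ignored because the advisory describes the beacon as TCP.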

Source:

  • https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

Ampcus Cyber