Interlock Ransomware Exploited Cisco Firewall Zero-Day Weeks Before Public Disclosure

Amazon’s security team has revealed that the Interlock ransomware gang exploited a critical Cisco firewall vulnerability as a zero-day for five weeks before it was publicly disclosed, giving attackers a significant head start against defenders.

Zero-Day Exploitation Timeline

According to CJ Moses, CISO of Amazon Integrated Security, Interlock began exploiting CVE-2026-20131 on January 26, 2026 — more than five weeks before Cisco disclosed the vulnerability on March 4.

“This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” Moses stated in Amazon’s threat intelligence report.

Cisco has since updated its advisory to confirm active exploitation of the vulnerability, which affects Cisco Secure Firewall Management Center — a centralized platform used by administrators to manage Cisco firewalls across enterprises.

Why This Matters

The discovery highlights the fundamental challenge zero-day exploits pose to security programs. Even organizations with robust patching practices remained vulnerable during the critical window between initial exploitation and public disclosure.

“When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window,” Moses emphasized.

Discovery Through Misconfigured Infrastructure

Amazon’s threat intelligence team discovered the exploitation through a misconfigured Interlock infrastructure server that served as a staging area for the ransomware operation. Researchers found:

  • Custom malware and reconnaissance scripts
  • Evasion techniques
  • Ransom notes and negotiation portals
  • Evidence of Interlock’s operational patterns

The actors typically operated in UTC+3, the timezone of Moscow and several Middle Eastern countries.

Interlock’s Target Profile

Interlock has historically targeted organizations that cannot afford operational downtime:

  • Local Government: The city of St. Paul, Minnesota struggled for weeks to recover from an Interlock attack, with the governor forced to call in the National Guard to assist recovery efforts
  • Healthcare: Attacks on DaVita dialysis centers and Kettering Health (one of Ohio’s largest healthcare systems) exposed millions of patients’ sensitive health information
  • Education: The education sector represents the largest share of Interlock’s activity, with multiple K-12 schools listed on their leak site

Double Extortion Tactics

Interlock’s ransom notes invoke multiple data protection regulations to pressure victims, threatening organizations not just with data encryption but with regulatory fines and compliance violations — a sophisticated double extortion approach.

Potential Links to Rhysida

The FBI and federal agencies have noted that Interlock emerged in September 2024 and has repeatedly targeted critical infrastructure across North America and Europe. Security analysts have identified potential links between Interlock and the Rhysida ransomware operation, known for its attacks on governments worldwide.

Defensive Recommendations

Organizations running Cisco Secure Firewall Management Center should:

  • Apply patches for CVE-2026-20131 immediately
  • Review firewall logs for suspicious activity dating back to late January 2026
  • Implement network segmentation to limit lateral movement
  • Monitor for indicators of compromise from Amazon’s threat intelligence report
  • Assume breach and conduct threat hunting if running vulnerable versions during the exploitation window
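The log-review and indicator-monitoring steps above can be combined into one retrospective hunt: keep only records dated on or after the first observed exploitation (January 26, 2026, per the article) and flag those that match an indicator list. The script below is an added illustration, not code from The Record, Amazon, or Cisco. It assumes a simplified, constructed access-log line shape (timestamp, source address, method, path, status), not the real Firewall Management Center log format, and the indicator values are obvious placeholders from RFC 5737 documentation ranges; real indicators would come from Amazon's threat intelligence report.

```python
"""Added example (not from the article, Amazon's report, or Cisco): filter
management-plane logs to the CVE-2026-20131 exploitation window and flag
records that match an indicator list. Log format and indicator values are
constructed placeholders."""
import re
from datetime import datetime, timezone

# Dates from the article: first observed exploitation and Cisco's disclosure.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
DISCLOSURE_DATE = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

# Placeholder indicators (NOT real IoCs): swap in the published values.
PLACEHOLDER_IOCS = {
    "ip": {"203.0.113.10"},          # RFC 5737 documentation address, constructed
    "path": {"/EXAMPLE-IOC-PATH"},   # constructed URI path placeholder
}

# Constructed, simplified log shape: "<ISO8601 UTC> <src> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "src": m.group("src"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def hunt(lines, iocs=PLACEHOLDER_IOCS, start=WINDOW_START, end=None):
    """Return (records_in_window, hits).

    A record is in the window when its timestamp is on or after `start`
    and, if `end` is given, on or before `end`. Leaving `end` unset covers
    everything since first exploitation, which is what "dating back to
    late January" asks for. Each hit is (record, [matched indicator kinds]).
    """
    in_window = 0
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < start or (end and rec["ts"] > end):
            continue
        in_window += 1
        reasons = []
        if rec["src"] in iocs["ip"]:
            reasons.append("source-ip")
        if rec["path"] in iocs["path"]:
            reasons.append("uri-path")
        if reasons:
            hits.append((rec, reasons))
    return in_window, hits


# Constructed sample log lines for the demo (not captured traffic).
SAMPLE_LOG = [
    "2026-01-20T08:00:00Z 198.51.100.5 GET /login 200",              # before window
    "2026-01-27T02:14:09Z 203.0.113.10 POST /EXAMPLE-IOC-PATH 200",  # window, both indicators
    "2026-02-15T11:30:00Z 198.51.100.7 GET /dashboard 200",          # window, clean
    "2026-03-10T09:00:00Z 203.0.113.10 GET /login 401",              # after disclosure, IP hit
    "not a log line",                                                # parser rejects
]

if __name__ == "__main__":
    count, hits = hunt(SAMPLE_LOG)
    print(f"{count} records since first exploitation, {len(hits)} indicator hits")
    for rec, reasons in hits:
        print(rec["ts"].isoformat(), rec["src"], rec["path"], ",".join(reasons))
```

Passing `end=DISCLOSURE_DATE` narrows the hunt to the pre-disclosure window the article describes; leaving it unset is the more useful default, since a host compromised during the window can still show indicator activity after the patch date.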

Source: The Record