CSO that the “week’s head start” he referred to was the gap between the date of the first exploit that Amazon’s later analysis had unearthed and Cisco’s discovery of the bug.

Amazon gained insight into the attacker’s infrastructure by using the honeypot to mimic a vulnerable firewall system. This resulted in an attack on the honeypot, which received a malicious binary from the attackers; it also revealed that the ransomware depended on a single server with a poorly secured staging area.

From this, researchers were able to analyze the group’s full attack chain, including Trojans, reconnaissance scripts, and evasion techniques.
Unlocking Interlock

According to Amazon, the tools and techniques connect the malware to Interlock, a ransomware actor that appeared in 2024, possibly as a ransomware-as-a-service (RaaS) offshoot of the notorious Rhysida group, which was behind the hugely disruptive 2023 ransomware attack on The British Library.

“The ELF [Linux executable] binary and associated artifacts are attributable to the Interlock ransomware family based on convergent technical and operational indicators. The embedded ransom note and TOR negotiation portal are consistent with Interlock’s established branding and infrastructure,” said Amazon’s Moses.

In the past, Interlock had targeted sectors such as education, engineering, architecture, construction, manufacturing, and healthcare, as well as government and public sector entities, Moses said. However, given that the group has been able to exploit a zero-day vulnerability in equipment as prevalent as Cisco firewalls for more than a month, any vulnerable organization might be at risk.
The ‘fundamental challenge’ of zero-day exploits

“The real story here isn’t just about one vulnerability or one ransomware group, it’s about the fundamental challenge zero-day exploits pose to every security model,” said Moses. “When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window. This is precisely why defense in depth is essential.”

It’s still unclear how many victims Interlock might have compromised during the period it was able to exploit CVE-2026-20131 as a zero-day vulnerability, but they are likely to be numerous. The Amazon blog includes a list of IP addresses, malicious domains, and JA3 client fingerprint hashes that security teams can search for in logs as evidence of possible compromise.

The procedure for patching CVE-2026-20131, and the other 47 CVEs included in Cisco’s March 4 update, varies depending on the FMC software version installed. Cisco recommends using its software checker to determine the appropriate update.
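As an added example (not code from the article or from Amazon's blog), the sweep below shows how a security team might check existing logs against the three indicator types the Amazon post publishes: IP addresses, domains, and JA3 client fingerprint hashes. The indicator values and log lines are constructed placeholders; the real indicators must be taken from the Amazon blog post. Domains are matched as exact names or subdomains, and JA3 hashes are compared case-insensitively, since logging tools differ in how they render them.

```python
import re
from collections import defaultdict

# Constructed placeholder indicators: stand-ins for the real IPs, domains and
# JA3 hashes published in Amazon's blog, used only to exercise the matching.
IOCS = {
    "ip": {"203.0.113.10", "198.51.100.7"},
    "domain": {"staging.example.invalid"},
    "ja3": {"0123456789abcdef0123456789abcdef"},
}

# Constructed sample lines in the rough shape of Zeek conn, ssl and dns records.
SAMPLE_LOGS = [
    "conn  2026-03-01T10:00:01Z  id.orig_h=10.0.0.5  id.resp_h=203.0.113.10  id.resp_p=443",
    "ssl   2026-03-01T10:00:01Z  id.orig_h=10.0.0.5  id.resp_h=203.0.113.10  ja3=0123456789ABCDEF0123456789ABCDEF",
    "dns   2026-03-01T10:00:03Z  id.orig_h=10.0.0.9  query=update.staging.example.invalid.",
    "conn  2026-03-01T10:00:04Z  id.orig_h=10.0.0.5  id.resp_h=192.0.2.44  id.resp_p=443",
    "dns   2026-03-01T10:00:05Z  id.orig_h=10.0.0.9  query=example.invalid",
]

# Tokens are runs of hostname/IP/hex characters; key=value separators split them.
TOKEN = re.compile(r"[A-Za-z0-9._-]+")


def _domain_hit(token, domains):
    """True if token is a listed domain or a subdomain of one (trailing dot ignored)."""
    host = token.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_ioc_hits(lines, iocs=IOCS):
    """Return {ioc_type: [(line_no, token), ...]} for every token matching an indicator."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            if tok in iocs["ip"]:
                hits["ip"].append((n, tok))
            elif tok.lower() in iocs["ja3"]:
                hits["ja3"].append((n, tok))
            elif _domain_hit(tok, iocs["domain"]):
                hits["domain"].append((n, tok))
    return dict(hits)


if __name__ == "__main__":
    for ioc_type, matches in find_ioc_hits(SAMPLE_LOGS).items():
        print(ioc_type, matches)
```

Note that line 5 (`example.invalid`) is the parent of the listed domain, not a subdomain, so it is correctly not reported.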
First seen on csoonline.com: www.csoonline.com/article/4147770/ransomware-group-exploited-cisco-firewall-vulnerability-as-a-zero-day-weeks-before-a-patch-appeared.html