INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
AWS Warns Hackers Exploited Cisco Zero-Day Since January
2026-03-19 09:50 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
A prolific ransomware group has been exploiting a zero-day vulnerability in a Cisco firewall product since January, according to a new analysis from AWS. The group, Interlock, uses CVE-2026-20131 in its attacks and deploys custom remote access trojans (RATs) written in JavaScript and Java for persistent control. It also uses PowerShell scripts to collect details on victims' networks, plants a memory-resident backdoor that intercepts HTTP requests entirely in memory to evade antivirus detection, and installs ConnectWise ScreenConnect as a backup entry point. The real story isn't just about one vulnerability or one ransomware group; it's about the fundamental challenge zero-day exploits pose to every security model.
Technical Mitigations (AI-generated)
* Apply Cisco's security patches: Immediately apply the latest security patches for Cisco Secure Firewall Management Center (FMC) Software to prevent exploitation of CVE-2026-20131.
* Monitor logs and detect IoCs: Regularly review logs for indicators of compromise (IoCs), such as suspicious network activity or PowerShell scripts, to detect potential Interlock ransomware operations.
* Implement defense-in-depth measures: Combine layered security controls with regular threat monitoring/hunting and incident response procedures to provide protection against zero-day exploits like CVE-2026-20131.
* Conduct security assessments and continuous testing: Regularly conduct security assessments and perform continuous threat hunting to identify potential vulnerabilities, including those that may not be patched yet.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2026-20131
Target regions: NORTH_AMERICA
Target sectors: healthcare, government, health, defense
Incident Timeline
January 26
Interlock began exploiting CVE-2026-20131 in attacks on January 26, 36 days before the vulnerability's public disclosure.
"Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26," Moses, the chief information security officer of Amazon Integrated Security, said on Wednesday.
March 4
Cisco released software updates to fix the vulnerability on March 4, but hackers had exploited it since January.
Cisco released software updates that fix the vulnerability on March 4 – but the attackers had a head start.
2026-03-18
AWS CISO, CJ Moses, warned yesterday that the Interlock operation had been using CVE-2026-20131 in attacks since January 26.
2026-03-19
Interlock deployed a persistent memory-resident backdoor and installed ConnectWise ScreenConnect as a backup entry point.
Interlock is a ransomware crew that emerged in 2025, and has since infected hospitals and medical facilities – including kidney dialysis firm Davita and Kettering Health, where the criminals not only disrupted chemotherapy sessions and pre-surgery appointments, but also leaked cancer patients' details online.
Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses.
CVE-2026-20131 is a remote code execution (RCE) flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software.
Recommendations from AWS
According to Moses, organizations should take the following actions to protect against Interlock ransomware operations:
* Apply Cisco's security patches
* Review logs for the IoCs listed in its write-up
* Conduct security assessments to identify compromise
* Check ScreenConnect deployments for unauthorized installations
* Monitor for PowerShell scripts staging data to network shares with hostname-based directory structures
Interlock's post-exploit toolkit
That toolkit includes a PowerShell script designed to scoop up information about victims' Windows environments, such as operating system and hardware details; running services; installed software; storage configuration; Hyper-V virtual machine inventory; user file listings across Desktop, Documents, and Downloads directories; and RDP authentication events from Windows event logs.
A JavaScript implant overrides browser console methods to hide from malware-detection tools, and then collects a ton more information about the infected host using PowerShell and Windows Management Instrumentation.
Additionally, Amazon spotted a Bash script that configures Linux servers as HTTP reverse proxies, performing system updates, wiping logs every five minutes, and ensuring persistence even when the machine reboots.
A Cisco spokesperson told The Register that it will update its security advisory to reflect the exploitation.
And – in a helpful turn for network defenders – the threat intel team also spotted a misconfigured infrastructure server that exposed Interlock's attack toolkit.
It also hoovers up browser history such as bookmarks, stored credentials, and extensions from Chrome, Edge, Firefox, Internet Explorer, and 360 browsers.
The implant also hoovers up system identity, domain membership, username, OS version, and privilege context, and then encrypts this data, sending it to the attacker-controlled command-and-control server using persistent WebSocket connections.
Plus, it provides interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capability for tunneling TCP traffic.
This includes ConnectWise ScreenConnect for remote desktop control; open source memory forensics tool Volatility; and Certify, another open source offensive security tool used by red teams to exploit misconfigurations in Active Directory Certificate Services (AD CS).
The group also deployed a “persistent memory-resident backdoor” (webshell) that intercepted HTTP requests entirely in memory to evade antivirus detection, and installed ConnectWise ScreenConnect as a backup entry point in case they were discovered.
Amazon attributed the malicious activity to Interlock based on an ELF binary, embedded ransom note, and TOR negotiation portal, among other artifacts.
This criminal group also claimed to have stolen 43 GB of files from the city of Saint Paul over the summer, forcing the Minnesota capital to declare a state of national emergency.
Given a maximum CVSS score of 10, it could "allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device," according to Cisco.
Detection guidance
* Detect Java ServletRequestListener registrations in web application contexts
* Identify HAProxy installations with aggressive log deletion cron jobs
* Watch for TCP connections to unusual high-numbered ports (e.g., 45588)
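As an added example that is not code from the AWS write-up or from either source article, the following Python checks two of the indicators listed above against collected host data: crontab entries that wipe /var/log on an aggressive schedule (the Bash script described earlier wiped logs every five minutes) and established connections whose peer port is the unusual high-numbered port 45588. The interval threshold, the command pattern and the sample inputs are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
# Threshold and regex are assumptions for this example; 45588 is the port the write-up names.
MAX_WIPE_INTERVAL_MIN = 10
SUSPICIOUS_PORTS = {45588}
LOG_WIPE = re.compile(r"rm\s+-[a-z]*f[a-z]*\s+/var/log|>\s*/var/log/")

def cron_interval_minutes(minute_field: str) -> Optional[int]:
    """Interval in minutes for a '*' or '*/N' cron minute field; None for fixed minutes."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None

def flag_log_wiping_cron(crontab: str) -> List[str]:
    """Return crontab lines that delete or truncate /var/log content at an aggressive cadence."""
    hits = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        interval = cron_interval_minutes(fields[0])
        if len(fields) == 6 and interval is not None and interval <= MAX_WIPE_INTERVAL_MIN and LOG_WIPE.search(fields[5]):
            hits.append(line)
    return hits

def flag_suspicious_ports(ss_output: str) -> List[Tuple[str, str]]:
    """Parse 'ss -tn'-style output; return (local, peer) pairs whose peer port is suspicious."""
    hits = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        local, peer = parts[3], parts[4]
        port = peer.rsplit(":", 1)[-1]
        if port.isdigit() and int(port) in SUSPICIOUS_PORTS:
            hits.append((local, peer))
    return hits

# Constructed sample data for demonstration; not telemetry from the incident.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * rm -rf /var/log/*
"""
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:52110 203.0.113.9:45588
ESTAB 0 0 10.0.0.5:41200 10.0.0.20:443
"""
```

Feed it the output of `crontab -l` (and the files under /etc/cron.d) and of `ss -tn` from a host under review; a hit is a lead to investigate, not proof of compromise.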
Tactical Metrics
* Affected product (infrastructure): Windows
* Affected product (infrastructure): Linux
* Data breach: 43 GB
Intelligence Sources
* The Register - Cybercrime, 2026-03-18: Amazon security boss says crims abused max-security Cisco firewall flaw weeks before disclosure
* Infosecurity-Magazine, 2026-03-19: AWS Warns Hackers Have Abused Cisco Firewall Zero-Day Since January
Incident Version History
Current version, last updated: 2026-04-27T11:10
Comprehensive Tactical Telemetry
Highly Correlated Entities
* Kettering Health (organisation, identified entity): 26x
* 2025 (timeline, temporal reference): 5x
* Health (industry, targeted sector): 4x
* T1059.001 - PowerShell (tactic, MITRE ATT&CK technique): 4x
* Ransomware (tactic, cyber operation type): 2x
* Windows (infrastructure, affected product): 2x
Contextual Telemetry (4 metrics)
* Exploited CVE (vulnerability): CVE-2026-20131
* Browsers (general metric): 360
* Data breach: 43 GB
* Target country (target region): United States