Amazon says Interlock exploited critical Cisco firewall bug weeks before patch
Mar 18th 2026
Amazon's security chief says Interlock exploited a maximum-severity bug in Cisco Secure Firewall Management Center starting January 26, 36 days before public disclosure; Cisco issued fixes on March 4.
- Amazon CISO CJ Moses says Interlock exploited CVE-2026-20131 beginning January 26, 36 days before the vulnerability was publicly disclosed
- The flaw allowed an unauthenticated remote attacker to execute arbitrary Java code as root on Cisco Secure Firewall Management Center
- Cisco released fixes on March 4 and said it will update its advisory to reflect active exploitation
- Amazon detected the activity in its MadPot honeypot and found a misconfigured server exposing Interlock's toolkit
- Interlock's toolkit harvests extensive host and browser data, packages it into per-host ZIP archives, and uses custom RATs and implants for persistent access
- The group deploys redundant implants including a Java GlassFish backdoor, memory-only Java classes, Bash reverse proxy scripts, and legitimate remote access tools to blend in
- Amazon attributed the activity to Interlock using artifacts such as an ELF binary, an embedded ransom note, and a TOR negotiation portal, and noted the group has previously hit hospitals and the city of Saint Paul
Articles
- Amazon security boss says crims abused max-security Cisco firewall flaw weeks before disclosure go.theregister.com