Overview
- Amazon’s CJ Moses said Interlock began exploiting CVE-2026-20131 on January 26, over a month before public disclosure.
- Cisco released fixes on March 4 for the maximum-severity flaw, which enables unauthenticated remote execution of Java code as root on Secure FMC devices.
- Amazon’s MadPot honeypots logged exploit traffic tied to Interlock infrastructure, and a misconfigured server revealed the group’s post-compromise toolset.
- Recovered tools included PowerShell reconnaissance scripts, custom JavaScript and Java RATs, a Bash reverse-proxy setup, a memory-resident web shell, a lightweight beacon, ConnectWise ScreenConnect, Volatility, and Certify.
- Amazon attributed the activity to Interlock via artifacts including an ELF binary, an embedded ransom note, and a TOR negotiation portal, while Cisco urged customers to upgrade and review environments for compromise.