惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
IT之家
IT之家
V
V2EX
Jina AI
Jina AI
V
Visual Studio Blog
有赞技术团队
有赞技术团队
博客园 - 司徒正美
博客园 - 叶小钗
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 三生石上(FineUI控件)
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
腾讯CDC
Google Online Security Blog
Google Online Security Blog
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
N
News and Events Feed by Topic
N
News and Events Feed by Topic
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
月光博客
月光博客
Security Archives - TechRepublic
Security Archives - TechRepublic
Webroot Blog
Webroot Blog
SecWiki News
SecWiki News
博客园_首页
罗磊的独立博客
量子位
Latest news
Latest news
I
Intezer
V
Vulnerabilities – Threatpost
A
Arctic Wolf
Last Week in AI
Last Week in AI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
N
News | PayPal Newsroom

The Register - Security: Patches

Cisco SD-WAN make-me-root bug under attack Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9 AI is making Patch Tuesday (kinda) fun again Anthropic to release Mythos-class models to the public Clear your calendar, Drupal user: You have a critically urgent patch to install Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs Critical cPanel, WHM flaw probs exploited as 0-day, pros say Microsoft patch fell short. New Windows flaw exploited More Cisco SD-WAN bugs battered in attacks Critical Fortinet sandbox bugs allow auth bypass and RCE Ancient Excel bug comes out of retirement for active attacks Microsoft's massive Patch Tuesday: It's raining bugs Ransomware scum, other crims exploit 4 old Microsoft bugs Attackers exploited the FortiClient EMS bug as a 0-day Citrix NetScaler bug may be multiple flaws in one Google rushes Chrome update to fix zero-days under attack CISA warns max-severity n8n bug is being exploited in the wild Cisco warns of two more SD-WAN bugs under active attack LexisNexis Legal & Professional confirms data breach Five Eyes warn: Patch your Cisco SD-WAN or risk root takeover Patch these 4 critical, make-me-root SolarWinds bugs ASAP Attacker gets into France's DB listing all bank accounts CISA gives feds 3 days to patch actively exploited Dell bug CISA gives feds 3 days to patch actively exploited Dell bug Google fixes exploited Chrome CSS zero-day Critical Microsoft bug from 2024 under exploitation Apple patches decade-old iOS zero-day exploited in the wild Microsoft's Valentine's gift to admins: 6 zero-day fixes Microsoft's Valentine's gift to admins: 6 zero-day fixes Critical SolarWinds Web Help Desk bug under attack Critical React Native Metro dev server bug under attack Critical React Native Metro dev server bug under attack OpenClaw patches one-click RCE as security Whac-A-Mole continues Ivanti's January bad luck continues as 0-days hit customers Critical VMware vCenter Server bug under attack Critical VMware vCenter Server bug under attack FortiGate SSO bug still exploitable despite December patch Ancient telnet bug happily hands out root to attackers Cisco plugs up Unified Comms zero-day under active exploit Cloudflare whacks WAF bypass bug that opened side door Cloudflare whacks WAF bypass bug that opened side door Anthropic quietly fixed flaws in its Git MCP server Sorry Dave, I’m afraid I can’t do that! PCs refuse to shut down after Microsoft patch Patch Tuesday update makes Windows PCs refuse to shut down Cisco finally fixes max-severity bug under active attack for weeks Cisco finally fixes max-severity bug under attack for weeks Windows info-disclosure 0-day bug gets a fix as CISA sounds alarm Python libraries in AI/ML models can be poisoned w metadata Python libraries in AI/ML models can be poisoned w metadata Ruh-roh, there's a Cisco ISE bug POC on the loose Ruh-roh, there's a Cisco ISE bug POC on the loose CISA flags exploited Office relic alongside fresh HPE flaw Critical n8n bug allows unauthenticated server takeover Logitech mouse mayhem traced to expired dev certificate 'Heartbleed of MongoDB' under active exploit Microsoft fixes Message Queuing issue in new update Microsoft fixes Message Queuing issue in new update Critical-rated WatchGuard Firebox flaw under active attack HPE OneView RCE bug scores a perfect 10 Apple, Google forced to issue emergency 0-day patches Microsoft RasMan DoS 0-day gets unofficial patch - and a working exploit Microsoft RasMan 0-day gets an unofficial patch and exploit New React vulns leak secrets, invite DoS attacks Google fixes super-secret 8th Chrome 0-day Microsoft fixes Windows shortcut flaw exploited for years Microsoft fixes Windows shortcut flaw exploited for years Two Android 0-day bugs patched, plus 105 more fixes Fortinet finally cops to critical bug under active exploit Cisco warns of 'new attack variant' battering firewalls Docker Compose vulnerability opens door to host-level writes Microsoft issues out-of-band patch for critical WSUS flaw Vulnerable Rust crate exposes uv Python packager Oracle rushes out another emergency E-Business Suite patch 50K Cisco firewalls remain vulnerable to advanced attacks Exploits using GoAnywhere perfect-10 bug confirmed Critical Cisco firewall holes under active attack SonicWall releases rootkit-busting firmware update SolarWinds patches critical RCE - for the third time Fortra discloses 10/10 severity bug in GoAnywhere MFT OpenAI plugs ShadowLeak bug in ChatGPT Google pushes emergency patch for Chrome 0-day Apple backports patch to older kit after 0-day exploitation
Ransomware crims abused Cisco 0-day weeks before disclosure
Jessica Lyons Jessica Lyons · 2026-03-19 · via The Register - Security: Patches

Security

Ransomware crims abused Cisco 0-day weeks before disclosure, says Amazon security boss

Interlock's post-exploit toolkit exposed

Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses.

The critical security flaw allows an unauthenticated, remote attacker to execute arbitrary Java code as root on vulnerable devices. Cisco released software updates that fix the vulnerability on March 4 – but the attackers had a head start. 

"Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26," Moses, the chief information security officer of Amazon Integrated Security, said on Wednesday.

A Cisco spokesperson told The Register that it will update its security advisory to reflect the exploitation. 

"We appreciate Amazon's partnership on this, and we have updated our security advisory with the latest information," the spokesperson said. "We strongly urge customers to upgrade as soon as possible and reference our security advisory for more details and guidance." 

Ransomware crims are among those abusing this critical flaw, according to the US Cybersecurity and Infrastructure Agency. Late Wednesday, CISA added CVE-2026-20131 to its Known Exploited Vulnerability catalog, said it’s known to be used in ransomware infections, and gave federal agencies three days to patch.

Interlock is a ransomware crew that emerged in 2025, and has since infected hospitals and medical facilities – including kidney dialysis firm Davita and Kettering Health, where the criminals not only disrupted chemotherapy sessions and pre-surgery appointments, but also leaked cancer patients' details online.

This criminal group also claimed to have stolen 43 GB of files from the city of Saint Paul over the summer, forcing the Minnesota capital to declare a state of national emergency.

Amazon caught the intruders in its MadPot honeypot network, which logged exploit traffic tied to Interlock's infrastructure. And – in a helpful turn for network defenders – the threat intel team also spotted a misconfigured infrastructure server that exposed Interlock's attack toolkit. 

Interlock's post-exploit toolkit

That toolkit includes a PowerShell script designed to scoop up information about victims' Windows environments, such as operating system and hardware details; running services; installed software; storage configuration; Hyper-V virtual machine inventory; user file listings across Desktop, Documents, and Downloads directories; and RDP authentication events from Windows event logs. It also hoovers up browser history such as bookmarks, stored credentials, and extensions from Chrome, Edge, Firefox, Internet Explorer, and 360 browsers.

After collecting all of this data from victims' computers, the script compresses it into ZIP archives named for each host. "This structured per-host output format indicates the script operates across multiple machines within a network – a hallmark of ransomware intrusion chains that prepare for organization-wide encryption," Moses wrote.

Interlock also uses several custom remote access trojans (RATs) to maintain persistent access to compromised machines. A JavaScript implant overrides browser console methods to hide from malware-detection tools, and then collects a ton more information about the infected host using PowerShell and Windows Management Instrumentation. The implant also hoovers up system identity, domain membership, username, OS version, and privilege context, and then encrypts this data, sending it to the attacker-controlled command-and-control server using persistent WebSocket connections.

Plus, it provides interactive shell access, arbitrary command execution, bidirectional file transfer, and SOCKS5 proxy capability for tunneling TCP traffic. It updates itself and can self-delete, allowing the ransomware operators to remove or replace it without reinfecting the computer.

After breaking in, Interlock also uses its illicit access to drop a second implant, this one Java-based and built on GlassFish ecosystem libraries for identical capabilities. Using nearly identical implants in two different programming languages provides a backup for the criminals, ensuring that they can maintain access to victims' devices even if one of the implants is detected.

Additionally, Amazon spotted a Bash script that configures Linux servers as HTTP reverse proxies, performing system updates, wiping logs every five minutes, and ensuring persistence even when the machine reboots.

The attackers also deployed additional Java class files including memory-resident backdoor that intercepts HTTP requests in memory – it doesn't write the files to disk – to further evade antivirus scanning tools, and a tool that functions as a lightweight network beacon to verify code execution and confirm network port reachability.

But wait, there's more…

In addition to using custom malware, the ransomware slingers also deployed legitimate software to make their traffic blend in with authorized remote access. This includes ConnectWise ScreenConnect for remote desktop control; open source memory forensics tool Volatility; and Certify, another open source offensive security tool used by red teams to exploit misconfigurations in Active Directory Certificate Services (AD CS).

"When ransomware operators deploy legitimate remote access tools alongside their custom malware, they're buying insurance – if defenders find and remove one backdoor, they still have another way in," Moses wrote. "This indicates multiple redundant remote access mechanisms – a pattern consistent with ransomware operators seeking to maintain access even if individual footholds are removed."

Amazon attributed the malicious activity to Interlock based on an ELF binary, embedded ransom note, and TOR negotiation portal, among other artifacts. The ransom note, we're told, also threatened to expose victims to regulators, using the pressure of fines and compliance violations – in addition to data encryption and leaks – to solicit payment. ®