A ransomware operation has been linked to exploitation of a vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software weeks before the vendor's advisory was published. The threat actor, tracked as Interlock, a financially motivated ransomware group, used this early access to breach enterprise networks. The incident illustrates a dangerous pattern: well-resourced criminal crews obtaining knowledge of critical vulnerabilities ahead of public patches, which gives them a head start against exposed, unpatched systems.
The vulnerability, CVE-2024-20353, is a denial-of-service flaw in the management and VPN web servers of Cisco ASA and FTD software, rated CVSS 8.6: a crafted request causes the device to reload unexpectedly. Cisco published its advisory and fixed releases on April 24, 2024, as part of its ArcaneDoor disclosure. According to the investigations by cybersecurity firms cited in this report, Interlock was already using the flaw in intrusions before that advisory appeared. The group employed custom-built Python scripts to trigger the flaw and force device reloads, and combined it with persistence mechanisms on the appliance to stage additional payloads, including the Interlock ransomware, from compromised firewall devices.
Interlock's operational pattern in these attacks shows a targeted and deliberate approach. The group did not deploy ransomware immediately after initial access. Instead, it conducted extensive network reconnaissance, moved laterally to domain controllers, and harvested credentials, a patient, multi-stage process intended to maximize impact and extortion leverage. The eventual deployment of the Interlock ransomware, together with the theft of sensitive data, is the double-extortion tactic: a ransom is demanded both to decrypt files and to prevent publication of the stolen information. Compromising a network's primary security appliance, such as a firewall, is an exceptionally powerful foothold, because the attacker can disable security controls, watch traffic, or redirect it.
This pre-disclosure exploitation campaign has severe implications for enterprise security postures. It underscores the importance of proactive threat hunting and of assuming that capable adversaries may hold zero-day or n-day vulnerabilities before the broader public knows of them. Defenders should prioritize rapid patching of critical perimeter devices, especially firewalls and VPN gateways, and should verify it by comparing each device's running release against the fixed releases listed in the vendor advisory rather than trusting the patch cycle. Because exploitation of CVE-2024-20353 causes the device to reload, an appliance whose uptime is shorter than its last maintenance window, or whose logs record a reload nobody scheduled, warrants investigation. Organizations should also enforce network segmentation, alert on outbound connections that the security appliance itself initiates to destinations outside a known allowlist (update servers, NTP, logging collectors), and keep backups offline or immutable so they survive a compromise of the primary network. The Interlock campaign is a stark reminder that the tools meant to protect the network can be turned against it, which calls for a layered and vigilant defense.
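One way to operationalize the "appliance-initiated outbound connection" check above is to run the firewall's own syslog through a small filter. The following is an added example written for this page, not code from the article or from Cisco. The `%ASA-6-302013` message layout follows the documented format, but the firewall addresses, the allowlist ranges, the `identity` interface name used for self-originated traffic, and every log line are constructed, hypothetical values. The script parses each connection record, keeps only outbound connections where one endpoint is the appliance itself, and reports any peer not covered by the allowlist.

```python
"""Flag outbound TCP connections that a Cisco ASA initiated itself to
destinations outside an allowlist, read from %ASA-6-302013 syslog lines.
Example code written for this page; addresses and log lines are constructed."""
import re
from ipaddress import ip_address, ip_network

# Assumption: the firewall's own interface addresses (hypothetical values).
FIREWALL_SELF_IPS = {"203.0.113.1", "10.0.0.1"}

# Assumption: destinations the appliance is expected to reach on its own
# (update servers, NTP, log collector). Hypothetical range.
ALLOWED_DESTS = [ip_network("198.51.100.0/24")]

# Parses both endpoints of an ASA 302013 "Built ... TCP connection" message.
# Interface names are matched loosely and both endpoints are compared against
# the self-IP set, so the logic does not depend on which side is listed first.
CONN_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for (?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) "
    r"\([\d.]+/\d+\) to (?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) "
    r"\([\d.]+/\d+\)"
)


def parse_connection(line):
    """Return a dict for a 302013 line, or None for any other message."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {
        "direction": m["direction"],
        "conn_id": int(m["conn_id"]),
        "endpoints": [(m["ip1"], int(m["port1"])), (m["ip2"], int(m["port2"]))],
    }


def is_allowed(ip, allowed):
    """True if ip falls inside any allowlisted network; unparseable -> False."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_anomalous(lines, self_ips, allowed):
    """Outbound connections with the appliance as one endpoint and a peer
    outside the allowlist. Traffic merely passing through the box is skipped."""
    findings = []
    for line in lines:
        conn = parse_connection(line)
        if conn is None or conn["direction"] != "outbound":
            continue
        eps = conn["endpoints"]
        if not any(ip in self_ips for ip, _ in eps):
            continue  # a transit flow, not something the firewall started
        for peer_ip, peer_port in eps:
            if peer_ip in self_ips:
                continue
            if not is_allowed(peer_ip, allowed):
                findings.append({"conn_id": conn["conn_id"], "peer": peer_ip,
                                 "port": peer_port, "line": line})
    return findings


# Constructed sample log: two appliance-originated flows to unknown hosts
# (1002, 1005), one allowed flow (1001), one transit flow (1003), one inbound
# flow (1004) and one unrelated message type.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/443 "
    "(198.51.100.20/443) to identity:203.0.113.1/40123 (203.0.113.1/40123)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for outside:192.0.2.77/443 "
    "(192.0.2.77/443) to identity:203.0.113.1/40124 (203.0.113.1/40124)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.77/443 "
    "(192.0.2.77/443) to inside:10.0.0.25/51000 (10.0.0.25/51000)",
    "%ASA-6-302013: Built inbound TCP connection 1004 for outside:192.0.2.99/51234 "
    "(192.0.2.99/51234) to inside:10.0.0.10/443 (10.0.0.10/443)",
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.25/51000 "
    "to outside:203.0.113.1/51000",
    "%ASA-6-302013: Built outbound TCP connection 1005 for outside:192.0.2.88/8443 "
    "(192.0.2.88/8443) to identity:203.0.113.1/40200 (203.0.113.1/40200)",
]

if __name__ == "__main__":
    for f in find_anomalous(SAMPLE_LOG, FIREWALL_SELF_IPS, ALLOWED_DESTS):
        print(f"conn {f['conn_id']}: appliance -> {f['peer']}:{f['port']} not allowlisted")
```

In production the allowlist would come from the device's configured NTP, logging, and update targets, and the filter would run against the syslog collector rather than a static list; the point is that a firewall talking to an address nobody configured it to talk to is a high-signal event worth an alert on its own.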