Interlock Ransomware Targets Cisco Firewalls via CVE-2024-20481
- [01] Interlock ransomware is targeting enterprise environments by exploiting vulnerabilities in Cisco security appliances to gain initial access.
- [02] Affected systems include Cisco Adaptive Security Appliance and Firepower Threat Defense software running Remote Access VPN services.
- [03] Organizations should immediately apply security patches for CVE-2024-20481 and monitor for unauthorized VPN authentication attempts.
Overview of the Interlock Ransomware Campaign
A sophisticated ransomware operation known as Interlock has been identified targeting enterprise-grade network infrastructure. According to Dark Reading, the group exploited a vulnerability in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software weeks before the CVE was publicly disclosed. Exploitation ahead of disclosure points to a high level of technical proficiency and to either zero-day acquisition or independent discovery of the flaw.
Interlock uses a double-extortion model, a common TTP in which attackers both encrypt sensitive data and exfiltrate it, then threaten to leak it to pressure victims into paying. By targeting the perimeter, specifically Cisco firewalls, the group bypasses traditional phishing lures in favor of direct infrastructure exploitation. Once inside, the operators move laterally to identify high-value assets and establish command-and-control (C2) channels.
Technical Analysis: Exploiting Cisco ASA and FTD
The primary vector for this campaign is CVE-2024-20481, a vulnerability in the Remote Access VPN (RAVPN) service of Cisco ASA and FTD. Although Cisco's advisory classifies the flaw as a denial-of-service (DoS) issue, threat actors such as Interlock use vulnerabilities of this kind to disrupt security operations or as one component of a larger exploit chain that facilitates unauthorized access.
How to detect CVE-2024-20481 exploit attempts
Security operations centers (SOCs) should focus on anomalies in VPN concentrator behavior. Detecting exploitation of this vulnerability involves monitoring for resource exhaustion in the lina process, which handles traffic forwarding on Cisco ASA devices. Defenders should look for sustained high CPU utilization or unexpected restarts of the VPN service that do not correlate with scheduled maintenance.
Furthermore, spikes in failed authentication attempts from unusual geographic locations can indicate the brute-force or password-spraying activity that often accompanies exploitation of infrastructure vulnerabilities. Forwarding these logs to a SIEM is essential for correlating perimeter alerts with internal EDR telemetry and spotting early signs of compromise.
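As an added illustration of the log review described above (example code written for this article, not tooling from Cisco or from the Dark Reading report), the following Python script parses constructed ASA-style AAA rejection syslog lines, counts failures per source IP inside a sliding window, flags sources that cycle through many usernames, and flags sources outside an expected set of countries. The syslog-collector prefix, the IP-to-country table, the thresholds, the hostnames and the sample addresses are all assumptions; a production deployment would replace the table with a GeoIP lookup and forward the resulting alerts to the SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumptions for this example; tune to the environment).
WINDOW = timedelta(minutes=5)      # sliding window for counting failures
FAILURE_THRESHOLD = 10             # failures from one source inside WINDOW
SPRAY_USER_THRESHOLD = 5           # distinct usernames tried from one source
EXPECTED_COUNTRIES = {"US"}        # where this hypothetical workforce connects from

# Constructed stand-in for a GeoIP lookup; a real deployment would query a
# GeoIP database or the SIEM's enrichment instead.
IP_COUNTRY = {
    "198.51.100.7": "US",
    "192.0.2.9": "US",
    "203.0.113.44": "NL",
}

# Shape of an ASA AAA rejection message (%ASA-6-113005). The leading
# "Mon DD YYYY HH:MM:SS host" prefix is the assumed syslog-collector format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for an AAA rejection line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "reason": m["reason"].strip(),
        "server": m["server"],
        "user": m["user"],
        "ip": m["ip"],
    }


def parse_logs(text):
    """Parse every recognised rejection line in a block of syslog text."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(events):
    """Group rejections by source IP and emit SIEM-style alert dicts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        country = IP_COUNTRY.get(ip, "unknown")
        burst = max_in_window([e["time"] for e in evs], WINDOW)
        users = {e["user"] for e in evs}
        if burst >= FAILURE_THRESHOLD:
            alerts.append({"ip": ip, "country": country,
                           "type": "auth_failure_burst", "count": burst})
        if len(users) >= SPRAY_USER_THRESHOLD:
            alerts.append({"ip": ip, "country": country,
                           "type": "password_spray", "users": len(users)})
        if country not in EXPECTED_COUNTRIES:
            alerts.append({"ip": ip, "country": country,
                           "type": "unexpected_geo", "count": len(evs)})
    return alerts


def _rejection(ts, user, ip):
    """Build one constructed rejection line in the format LINE_RE expects."""
    return (f"{ts} fw1 %ASA-6-113005: AAA user authentication Rejected : "
            f"reason = AAA failure : server = 10.0.0.5 : user = {user} : user IP = {ip}")


# Constructed sample data: twelve accounts tried from one foreign source within
# two minutes (spray plus burst), and ordinary mistyped passwords from two users.
SAMPLE_LOGS = "\n".join(
    [_rejection(f"Oct 23 2024 10:0{i // 6}:{(i % 6) * 10:02d}", f"user{i:02d}", "203.0.113.44")
     for i in range(12)]
    + [_rejection("Oct 23 2024 11:00:00", "alice", "198.51.100.7"),
       _rejection("Oct 23 2024 11:00:20", "alice", "198.51.100.7"),
       _rejection("Oct 23 2024 11:30:00", "carol", "192.0.2.9"),
       _rejection("Oct 23 2024 11:30:15", "carol", "192.0.2.9"),
       _rejection("Oct 23 2024 11:31:02", "carol", "192.0.2.9")]
)

if __name__ == "__main__":
    for alert in analyze(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run against the constructed sample, the script raises three alerts, all for the single foreign source, and stays silent on the two legitimate users who mistyped a password a few times. The per-source burst count and the distinct-username count are deliberately separate signals: a spray from one source produces few failures per account, so a per-account lockout threshold alone would miss it.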
Interlock Ransomware TTPs and Post-Exploitation
Once the firewall is breached, Interlock's post-exploitation activity follows a recognizable sequence of MITRE ATT&CK techniques. The group has been observed using living-off-the-land (LotL) binaries to evade detection by security software. Its privilege escalation techniques often involve harvesting credentials from memory or exploiting misconfigured Active Directory services.
Key characteristics of an Interlock intrusion include:
- Initial Access: Exploitation of edge devices, specifically Cisco VPN services.
- Data Exfiltration: Prioritizing intellectual property and financial records before deploying the encryption payload.
- Persistence: Establishing multiple backdoors to maintain access even if the original entry point is patched.
Mitigation and Defense Strategies
To defend against these threats, organizations must move beyond reactive patching and adopt a Zero Trust architecture that limits the impact of a perimeter breach. Mitigating Interlock requires a combination of rapid patching and improved visibility.
- Apply Updates: Following Cisco's patch guidance for ASA and Firepower Threat Defense is the most effective way to close the specific gap presented by CVE-2024-20481. Administrators should verify their current software version and apply the fixed release Cisco recommends.
- Enforce Multi-Factor Authentication (MFA): Require robust MFA on all VPN access points. This mitigates the risk of stolen credentials being used once an initial exploit gives the attacker a foothold.
- Network Segmentation: Limit the ability of the VPN gateway to communicate with the entire internal network. By restricting access to only necessary resources, organizations can hinder Lateral Movement.
- Log Auditing: Regularly audit VPN logs for evidence of the vulnerability being triggered. Being able to detect CVE-2024-20481 exploit activity enables faster incident response, potentially stopping the ransomware deployment before encryption begins.