Outbreak Alert: Interlock Ransomware Exploits Zero‑Day Vulnerability in Cisco FMC
- Security Team

- Mar 25
- 2 min read

The ICS Labs CTI team has identified an active campaign exploiting CVE‑2026‑20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) that allows unauthenticated remote code execution as root. Investigation showed that the Interlock ransomware group had been exploiting the flaw since January 26, 2026, so it was abused as a zero‑day for more than a month before the official disclosure. The activity was uncovered through analysis of honeypot telemetry (Amazon MadPot), which captured the malicious requests and allowed the full attack chain to be mapped.
Threat Overview
The Interlock campaign uses an advanced attack chain that includes:
- Remote exploitation of the FMC over HTTP, resulting in Java code execution
- Download and execution of malicious ELF binaries
- Backdoor deployment
- Webshells for stealthy, fileless execution
- Full reconnaissance of the environment
- Abuse of legitimate tools: ScreenConnect for remote access, Certify for Active Directory (AD CS) exploitation, and Volatility for forensic analysis of memory (RAM) dumps
- Encrypted communication
- Proxy infrastructure used for C2 and data exfiltration
- Log cleaning on compromised devices
- A Tor onion service for ransom negotiation
The attackers' ultimate goal is double extortion: stolen data is used to pressure victims, including through the threat of regulatory exposure, while corporate systems are encrypted.
Recommended Actions:
- Apply the latest Cisco security patch for FMC immediately
- Review FMC logs to identify suspicious activity
- Check for anomalous HTTP requests to the FMC and unexpected Java code execution
- Audit remote access sessions and unauthorized software installations (for example ScreenConnect)
- Investigate connections to unusual ports, in particular outbound TCP connections to high‑numbered ports
Hardening and Protection Measures:
- Implement defense‑in‑depth
- Adopt continuous event monitoring
- Centralize logs off‑device so that log cleaning on the appliance does not erase the evidence
- Monitor script and code execution in PowerShell and Java
- Conduct periodic incident response exercises
- Maintain regular and offline backups
IOCs:
| Indicator | Type |
| --- | --- |
| 206.251.239[.]164 | IP |
| 199.217.98[.]153 | IP |
| 89.46.237[.]33 | IP |
| 144.172.94[.]59 | IP |
| 199.217.99[.]121 | IP |
| 188.245.41[.]78 | IP |
| 144.172.110[.]106 | IP |
| 95.217.22[.]175 | IP |
| 37.27.244[.]222 | IP |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 | User Agent |
| hxxp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion/chat.php | URL (Tor onion service, negotiation) |
| cherryberry[.]click | Domain |
| ms-server-default[.]com | Domain |
| initialize-configs[.]com | Domain |
| ms-global.first-update-server[.]com | Domain |
| ms-sql-auth[.]com | Domain |
| kolonialeru[.]com | Domain |
| sclair.it[.]com | Domain |
| browser-updater[.]com | Domain |
| browser-updater[.]live | Domain |
| os-update-server[.]com | Domain |
| os-update-server[.]org | Domain |
| os-update-server[.]live | Domain |
| os-update-server[.]top | Domain |
| d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be | SHA‑256 (Certify) |
| 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f | SHA‑256 (ScreenLocker) |
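The indicators above are published defanged (`[.]`, `hxxp`), so they cannot be searched for in logs as they stand. The following Python script is an added example, not code from the original alert or from ICS Labs: it refangs the table and matches the IPs, the domains (including their subdomains), the host of the Tor URL, the SHA‑256 hashes and the User‑Agent against log lines. The lines in SAMPLE_LOGS are constructed for the demonstration, and their DNS, firewall, HTTP access and EDR formats are assumptions rather than FMC's own log format.

```python
"""Added example (not from the original alert): refang the IOC table and scan log lines for hits."""
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC table above, exactly as published (defanged).
IOCS = {
    "ip": [
        "206.251.239[.]164", "199.217.98[.]153", "89.46.237[.]33",
        "144.172.94[.]59", "199.217.99[.]121", "188.245.41[.]78",
        "144.172.110[.]106", "95.217.22[.]175", "37.27.244[.]222",
    ],
    "domain": [
        "cherryberry[.]click", "ms-server-default[.]com", "initialize-configs[.]com",
        "ms-global.first-update-server[.]com", "ms-sql-auth[.]com", "kolonialeru[.]com",
        "sclair.it[.]com", "browser-updater[.]com", "browser-updater[.]live",
        "os-update-server[.]com", "os-update-server[.]org", "os-update-server[.]live",
        "os-update-server[.]top",
    ],
    "url": ["hxxp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion/chat.php"],
    "user_agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0"],
    "sha256": [
        "d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be",
        "6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f",
    ],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(ioc: str) -> str:
    """Undo the defanging used in published IOC lists so values compare equal to live log data."""
    return (ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def _indexed_iocs():
    """Refang every indicator once; map the live form back to the published form."""
    ips = {refang(i): i for i in IOCS["ip"]}
    # Domains and the hosts of URL indicators are matched on the hostname, including
    # subdomains: cdn.os-update-server.com is a hit for os-update-server[.]com.
    hosts = {refang(d).lower(): d for d in IOCS["domain"]}
    hosts.update({urlsplit(refang(u)).hostname: u for u in IOCS["url"]})
    hashes = {h.lower(): h for h in IOCS["sha256"]}
    return ips, hosts, hashes, IOCS["user_agent"]


def scan(lines):
    """Return one dict per (line, indicator) hit; 'ioc' is the indicator as published."""
    ips, hosts, hashes, agents = _indexed_iocs()
    hits = []
    for n, line in enumerate(lines, start=1):
        low = line.lower()
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append({"line": n, "type": "ip", "ioc": ips[ip]})
        for host in HOST_RE.findall(low):
            if IPV4_RE.fullmatch(host):
                continue  # dotted quads were already handled as IPs
            for known, published in hosts.items():
                if host == known or host.endswith("." + known):
                    hits.append({"line": n, "type": "domain", "ioc": published})
        for digest in SHA256_RE.findall(low):
            if digest in hashes:  # hashing tools emit upper- or lowercase hex
                hits.append({"line": n, "type": "sha256", "ioc": hashes[digest]})
        for ua in agents:
            if ua in line:  # exact User-Agent string match; case matters here
                hits.append({"line": n, "type": "user_agent", "ioc": ua})
    return hits


# Constructed log lines (DNS, firewall, HTTP access, EDR) for the demo; not real telemetry.
SAMPLE_LOGS = [
    "2026-02-03T10:12:44Z dns client=10.20.30.41 query=ms-global.first-update-server.com type=A",
    "2026-02-03T10:13:02Z fw src=10.20.30.41 dst=188.245.41.78:443 proto=tcp action=allow",
    '10.0.0.5 - - [03/Feb/2026:10:11:50 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0"',
    r"2026-02-04T08:00:00Z edr host=WS-117 file=C:\Users\Public\certify.exe "
    "sha256=D1CAA376CB45B6A1EB3A45C5633C5EF75F7466B8601ED72C8022A8B3F6C1F3BE",
    "2026-02-03T10:14:00Z dns client=10.20.30.42 query=updates.example.com type=A",
    "2026-02-03T10:14:30Z dns client=10.20.30.42 query=os-update-server.example type=A",
    "2026-02-03T10:15:10Z dns client=10.20.30.43 query=cdn.browser-updater.live type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} match on {hit['ioc']}")
```

Run it as a script to print the hits, or import scan() and feed it lines from the centralized log store. Matching on the hostname suffix is what catches a subdomain such as cdn.browser-updater.live while a lookalike on a different TLD (os-update-server.example) correctly produces no hit.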
Latest Updates:
- January 2026: Fortinet reports Interlock ransomware activity targeting organizations in the United States and the United Kingdom.
- January 26, 2026: Start of CVE‑2026‑20131 exploitation by the Interlock group, according to Amazon threat intelligence teams.
- March 2026: Official disclosure of the vulnerability.
- March 2026: Amazon releases technical details on detection of the ransomware and on exploitation of the vulnerability.