Zero-day attacks attributed to the Interlock ransomware group: Amazon threat intelligence identifies exploitation of CVE-2026-20131
The ransomware group has been exploiting a remote code execution (RCE) flaw in Cisco's Secure Firewall Management Center (FMC) software in zero-day attacks, as Cisco had already noted. Cisco fixed the issue (CVE-2026-20131) on March 4 and warned that the flaw lets attackers run arbitrary Java code as root on devices that have not been updated. Interlock had been using the Secure FMC flaw to target enterprise firewalls before the fix was available.
Details of Vulnerability & Threat Intelligence Report
The research team identified the exploitation activity using Amazon MadPot's global sensor network, a system of honeypot servers that attract and monitor cybercriminal activity.
Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26, 2026. The attackers had more than a month's head start, compromising organizations before defenders even knew to look.
The research was shared with Cisco to help support their investigation and protect customers.
The Amazon threat intelligence team reported on Wednesday that the Interlock ransomware operation had been exploiting the Secure FMC flaw in attacks targeting enterprise firewalls for more than a month before it was patched.
The researchers observed activity involving HTTP requests to a specific path in the affected software. The request bodies contained Java code execution attempts and two embedded URLs: one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file.
Multiple variations of these URLs were observed across different exploit attempts.
The AWS research team performed the expected HTTP PUT request with the anticipated file content, essentially posing as a successfully compromised system. This prompted Interlock to proceed to the next stage, issuing commands to fetch and execute a malicious ELF binary (a Linux executable) from a remote server.
Last month, Cisco also fixed a serious flaw that was exploited as a zero-day to bypass authentication on Catalyst SD-WAN controllers. It let attackers take control of the controllers and add rogue peers to targeted networks.
Amazon threat intelligence teams also recovered a copy of Volatility, an open-source memory forensics framework typically used by incident responders. Its ability to parse memory dumps gives access to sensitive data such as credentials stored in RAM, which can enable lateral movement (spreading through the network) and deeper compromise of the environment in support of ransom operations or espionage objectives.
Method of attack – Technical analysis
Once Interlock gains initial access, the group uses a variety of tools to complete the attack, as discovered by Amazon threat intelligence teams. A PowerShell script designed for systematic Windows environment enumeration was also recovered.
The script collects operating system and hardware details, running services, installed software, storage configuration, Hyper-V virtual machine inventory, user file listings across the Desktop, Documents, and Downloads directories, browser artifacts from Chrome, Edge, Firefox and Internet Explorer, and Windows event logs.
The following indicators support defensive measures by organizations that may be affected. Because Interlock uses content variation techniques, most file hashes are not included, as they are not reliable indicators.
| Indicator | Type | Timeframe |
|---|---|---|
| 206.251.239[.]164 | Exploit source IP | Active Jan 2026 |
| 199.217.98[.]153 | Exploit source IP | Active Mar 2026 |
| 89.46.237[.]33 | Exploit source IP | Active Mar 2026 |
| Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 | Exploit HTTP User-Agent | Observed Jan 2026 and Mar 2026 |
| b885946e72ad51dca6c70abc2f773506 | Exploit TLS JA3 | Observed Jan 2026 and Mar 2026 |
| f80d3d09f61892c5846c854dd84ac403 | Exploit TLS JA3 | Observed Mar 2026 |
| t13i1811h1_85036bcba153_b26ce05bbdd6 | Exploit TLS JA4 | Observed Jan 2026 and Mar 2026 |
| t13i4311h1_c7886603b240_b26ce05bbdd6 | Exploit TLS JA4 | Observed Mar 2026 |
| 144.172.94[.]59 | C2 Fallback IP | Active Mar 2026 |
| 199.217.99[.]121 | C2 Fallback IP | Active Mar 2026 |
| 188.245.41[.]78 | C2 Fallback IP | Active Mar 2026 |
| 144.172.110[.]106 | Backend C2 IP | Active Mar 2026 |
| 95.217.22[.]175 | Backend C2 IP | Active Mar 2026 |
| 37.27.244[.]222 | Staging host IP | Active Mar 2026 |
| hxxp://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion/chat.php | Ransom negotiation portal | Active Mar 2026 |
| cherryberry[.]click | Exploit Support Domain | Active Jan 2026 |
| ms-server-default[.]com | Exploit Support Domain | Active Mar 2026 |
| initialize-configs[.]com | Exploit Support Domain | Active Mar 2026 |
| ms-global.first-update-server[.]com | Exploit Support Domain | Active Mar 2026 |
| ms-sql-auth[.]com | Exploit Support Domain | Active Mar 2026 |
| kolonialeru[.]com | Exploit Support Domain | Active Mar 2026 |
| sclair.it[.]com | Exploit Support Domain | Active Mar 2026 |
| browser-updater[.]com | C2 domain | Active Mar 2026 |
| browser-updater[.]live | C2 domain | Active Mar 2026 |
| os-update-server[.]com | C2 domain | Active Mar 2026 |
| os-update-server[.]org | C2 domain | Active Mar 2026 |
| os-update-server[.]live | C2 domain | Active Mar 2026 |
| os-update-server[.]top | C2 domain | Active Mar 2026 |
| d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be | Offensive security tool (Certify) | Observed Mar 2026 |
| 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f | Screen locker | Observed Mar 2026 |
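As an added detection example (not code from Amazon, Cisco, or the source article), the following Python matches proxy/WAF log records against the indicators in the table above. For inbound requests to the FMC web interface it checks the exploit source IPs, the User-Agent, the JA3/JA4 fingerprints, and support domains embedded in the request body; for outbound traffic from the appliance it checks the C2/staging IPs and domains and flags the HTTP PUT callback to a support domain described in the exploitation section. The JSON-lines record schema and the sample records are constructed for illustration and are not a real product's log format; the indicators are kept defanged as published and refanged on load.

```python
"""Added example, not code from Amazon or Cisco: match proxy/WAF log records
against the Interlock indicators in the table above. The JSON-lines record
schema and the sample records below are constructed for illustration."""
import json
import re

# Indicators transcribed from the table above, defanged as published.
EXPLOIT_SOURCE_IPS = {"206.251.239[.]164", "199.217.98[.]153", "89.46.237[.]33"}
C2_IPS = {"144.172.94[.]59", "199.217.99[.]121", "188.245.41[.]78",   # C2 fallback
          "144.172.110[.]106", "95.217.22[.]175",                      # backend C2
          "37.27.244[.]222"}                                           # staging host
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) "
              "Gecko/20100101 Firefox/136.0")
EXPLOIT_JA3 = {"b885946e72ad51dca6c70abc2f773506", "f80d3d09f61892c5846c854dd84ac403"}
EXPLOIT_JA4 = {"t13i1811h1_85036bcba153_b26ce05bbdd6", "t13i4311h1_c7886603b240_b26ce05bbdd6"}
SUPPORT_DOMAINS = {"cherryberry[.]click", "ms-server-default[.]com", "initialize-configs[.]com",
                   "ms-global.first-update-server[.]com", "ms-sql-auth[.]com",
                   "kolonialeru[.]com", "sclair.it[.]com"}
C2_DOMAINS = {"browser-updater[.]com", "browser-updater[.]live", "os-update-server[.]com",
              "os-update-server[.]org", "os-update-server[.]live", "os-update-server[.]top"}


def refang(ioc: str) -> str:
    """Turn a published defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


SRC_IPS = {refang(i) for i in EXPLOIT_SOURCE_IPS}
DST_IPS = {refang(i) for i in C2_IPS}
BAD_DOMAINS = {refang(d): kind
               for kind, doms in (("support", SUPPORT_DOMAINS), ("c2", C2_DOMAINS))
               for d in doms}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_hit(host: str):
    """Exact or subdomain match against the support/C2 domain lists."""
    host = host.lower().rstrip(".")
    for dom, kind in BAD_DOMAINS.items():
        if host == dom or host.endswith("." + dom):
            return kind, dom
    return None


def assess(record: dict) -> list:
    """Return the indicator matches for one log record.
    Fields (constructed schema): direction ("inbound" to the FMC web interface
    or "outbound" from the appliance), src, dst, method, host, ua, ja3, ja4, body."""
    hits = []
    if record.get("direction") == "inbound":
        if record.get("src") in SRC_IPS:
            hits.append(f"exploit source ip {record['src']}")
        if record.get("ua") == EXPLOIT_UA:
            hits.append("exploit user-agent")
        if record.get("ja3") in EXPLOIT_JA3:
            hits.append(f"exploit ja3 {record['ja3']}")
        if record.get("ja4") in EXPLOIT_JA4:
            hits.append(f"exploit ja4 {record['ja4']}")
        # The exploit bodies carried embedded URLs; check their hosts.
        for host in URL_HOST_RE.findall(record.get("body", "")):
            hit = domain_hit(host)
            if hit:
                hits.append(f"{hit[0]} domain in request body: {hit[1]}")
    else:
        if record.get("dst") in DST_IPS:
            hits.append(f"c2/staging ip {record['dst']}")
        hit = domain_hit(record.get("host", ""))
        if hit:
            hits.append(f"{hit[0]} domain contacted: {hit[1]}")
        # The confirmation stage was an HTTP PUT uploading a generated file.
        if hit and record.get("method") == "PUT":
            hits.append("PUT callback to exploit support domain")
    return hits


def scan(log_text: str) -> list:
    """Scan JSON-lines log text; return (line_no, hits) for records that match."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits = assess(json.loads(line))
            if hits:
                findings.append((n, hits))
    return findings


# Constructed sample records (illustrative, not captured traffic).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"direction": "inbound", "src": "89.46.237.33", "method": "POST", "ua": EXPLOIT_UA,
     "ja3": "f80d3d09f61892c5846c854dd84ac403", "ja4": "t13i4311h1_c7886603b240_b26ce05bbdd6",
     "body": "... http://cdn.initialize-configs.com/cfg ... http://ms-sql-auth.com/ok ..."},
    {"direction": "outbound", "src": "10.20.0.5", "dst": "203.0.113.9", "method": "PUT",
     "host": "ms-sql-auth.com", "body": ""},
    {"direction": "inbound", "src": "198.51.100.7", "method": "GET", "ua": "curl/8.5.0",
     "ja3": "0", "ja4": "0", "body": ""},
])

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(hits))
```

The User-Agent and JA3/JA4 values are weak on their own (the UA is a stock Firefox string and the fingerprints identify a TLS client stack, not an actor), so treat them as corroborating signals next to a source IP or domain match rather than as standalone alerts. An outbound PUT from a management appliance to any external host is itself unusual and worth reviewing even when the destination is not on the list, since the page notes that multiple URL variations were observed.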
Organizations should take the following actions to protect against Interlock ransomware operations.
Immediate actions:
Detection opportunities:
Long-term measures:
Source: Ransomware gang exploits Cisco flaw in zero-day attacks since January