Severity
High
Analysis Summary
The Interlock ransomware group is actively exploiting a critical zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC), enabling unauthenticated remote attackers to execute arbitrary Java code with root privileges. A researcher discovered that Interlock began exploiting this flaw on January 26, 2026, 36 days before Cisco publicly disclosed it on March 4, 2026, giving the group a significant window in which to compromise organizations undetected. Initial attack activity consisted of HTTP requests targeting vulnerable software paths, delivering Java code execution attempts and configuration data, confirmed by HTTP PUT requests uploading generated files. Researchers simulated compromised systems, which prompted the attackers to deploy a malicious Linux ELF binary.
Exposed infrastructure revealed Interlock’s operational methodology, including the organization of artifacts into dedicated paths for individual targets, streamlining both tool deployment and data exfiltration. Technical indicators confirm the activity aligns with Interlock’s ransomware family, which emerged in September 2024. The recovered ELF binaries, embedded ransom notes, and TOR negotiation portals match the group’s established double-extortion model, leveraging regulatory exposure language to pressure victims. Temporal analysis suggests the actors operate in the UTC+3 timezone, with historical targeting focused on sectors like education, healthcare, construction, manufacturing, engineering, and government, where disruption creates urgency for ransom payment.
Once inside a network, Interlock employs a multi-layered toolkit to escalate privileges and maintain persistence. A recovered PowerShell script performs extensive Windows environment enumeration, collects system information, browser artifacts, and network connections, and organizes results into host-specific directories for eventual compression into ZIP archives, signaling preparation for organization-wide encryption. The group uses custom remote access trojans in JavaScript and Java, with the former leveraging Windows Management Instrumentation and persistent RC4-encrypted WebSocket connections, and the latter built on GlassFish libraries for redundant access. Linux servers are configured via Bash scripts as HTTP reverse proxies using HAProxy, with aggressive log deletion every five minutes to obscure attacker activity.
Interlock further employs a fileless, memory-resident Java webshell for command execution, AES-128 encrypted communications, and abuses legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify alongside custom malware. Due to heavy customization of artifacts per target, traditional signature-based detection using file hashes is largely ineffective. Organizations operating Cisco Secure Firewall Management Center must urgently apply the latest patches. Defenders should focus on behavioral analysis, identifying memory-resident anomalies, and monitoring network reconnaissance and operational patterns unique to Interlock’s multi-stage attack chain.
Impact
- Sensitive Data Theft
- Code Execution
- Gain Access
- Double Extortion
Indicators of Compromise
CVE
- CVE-2026-20131
Domain Name
- os-update-server.org
- ms-server-default.com
- kolonialeru.com
IP
- 206.251.239.164
- 199.217.98.153
- 89.46.237.33
- 144.172.94.59
- 144.172.110.106
- 37.27.244.222
MD5
- abe1d920b98240580563f750c1c1e4db
- 12d399e6966db58f6d189d606ac34cc8
SHA-256
- d1caa376cb45b6a1eb3a45c5633c5ef75f7466b8601ed72c8022a8b3f6c1f3be
- 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f
SHA-1
- df5ddf117b0e19e797c7628ba1faabb95d8efd04
- 17986b6595fe960fe8e9757d3069d5daabd628ef
URL
- http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/chat.php
Remediation
- Apply the latest security updates for Cisco Secure Firewall Management Center (FMC) to address CVE-2026-20131.
- Look for unusual HTTP requests to FMC paths, unexpected file uploads (HTTP PUT requests), and memory-resident anomalies.
- Since Interlock customizes malware per target, rely on behavioral analysis, not file hashes, for detection.
- Identify patterns of scanning, host enumeration, and unusual WebSocket or HTTP traffic that may indicate ongoing attacks.
- Monitor for unexpected PowerShell activity, Active Directory exploitation attempts, and abnormal system configuration changes.
- Enable endpoint detection and response (EDR) tools to detect in-memory webshells, Java/JavaScript implants, and unauthorized reverse proxy configurations.
- Ensure regular backups of critical data are isolated, tested, and resistant to ransomware encryption.
- Monitor and restrict legitimate administrative tools (e.g., ConnectWise ScreenConnect) to prevent abuse by attackers.
- Prepare an incident response plan focused on ransomware, including rapid isolation of compromised systems and secure evidence collection.
- Ensure logs are centralized and immutable to prevent attackers from erasing traces; consider monitoring for frequent HAProxy log deletions.
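As an added detection example (not part of the advisory or of any vendor tooling), the following Python script applies three of the behaviours described above to web-server access-log lines: matches against the advisory's IoC IP addresses, unexpected HTTP PUT uploads to the management interface, and one client probing many distinct paths. The log lines, timestamps, request paths and the non-IoC addresses are constructed placeholders, not real FMC endpoints or captured traffic.

```python
import re
from collections import Counter, defaultdict

# Attacker IPs copied from the advisory's Indicators of Compromise section.
IOC_IPS = {"206.251.239.164", "199.217.98.153", "89.46.237.33",
           "144.172.94.59", "144.172.110.106", "37.27.244.222"}

# Constructed sample access-log lines (combined log format). Timestamps, every request
# path and the two non-IoC client addresses are made up for this example.
SAMPLE_LOG = """\
10.0.0.12 - - [26/Jan/2026:09:14:02 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
37.27.244.222 - - [26/Jan/2026:09:15:10 +0000] "GET /probe/a HTTP/1.1" 404 188 "-" "curl/8.4.0"
37.27.244.222 - - [26/Jan/2026:09:15:11 +0000] "GET /probe/b HTTP/1.1" 404 188 "-" "curl/8.4.0"
37.27.244.222 - - [26/Jan/2026:09:15:12 +0000] "GET /probe/c HTTP/1.1" 404 188 "-" "curl/8.4.0"
37.27.244.222 - - [26/Jan/2026:09:15:13 +0000] "GET /probe/d HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.7 - - [26/Jan/2026:09:16:40 +0000] "PUT /upload/gen_01.bin HTTP/1.1" 201 0 "-" "curl/8.4.0"
10.0.0.12 - - [26/Jan/2026:09:17:30 +0000] "POST /ui/policy/save HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, probe_threshold=4):
    """Return (reason, ip, detail) findings for the three behaviours the advisory describes."""
    findings = []
    paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        paths_by_ip[rec["ip"]].add(rec["path"])
        if rec["ip"] in IOC_IPS:
            findings.append(("ioc-ip", rec["ip"], rec["path"]))
        # The intrusion began with PUT requests uploading generated files; flag any PUT.
        if rec["method"] == "PUT":
            findings.append(("http-put-upload", rec["ip"], rec["path"]))
    # Many distinct paths from one client is probing; fires even for non-IoC sources.
    for ip, paths in paths_by_ip.items():
        if len(paths) >= probe_threshold:
            findings.append(("path-probing", ip, f"{len(paths)} distinct paths"))
    return findings

def summarize(lines):
    """Count findings by reason, e.g. {'ioc-ip': 4, 'http-put-upload': 1, 'path-probing': 1}."""
    return dict(Counter(reason for reason, _, _ in detect(lines)))
```

Note that the PUT upload from 198.51.100.7 is flagged although that address appears in no indicator list, which is the point the advisory makes about behavioural detection over static indicators.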