
Interlock Had a Zero-Day for 36 Days. We Had Their IOCs.

  • Writer: Patrick Duggan
  • Mar 23
  • 4 min read

Updated: Apr 25


36 Days of Free Rein


On January 26, 2026, the Interlock ransomware group started exploiting CVE-2026-20131 — a CVSS 10.0 insecure deserialization vulnerability in Cisco Secure Firewall Management Center. Unauthenticated. Remote. Root access. Java code execution on the box that manages your entire firewall fleet.


Cisco disclosed it on March 4. That's 36 days of zero-day exploitation. Amazon's threat intelligence team caught it using MadPot — their global honeypot sensor network — and published the details this week.


Here's what that means in plain English: for over a month, if you ran Cisco FMC, Interlock could walk through your firewall management plane like it wasn't there. No credentials needed. Root on arrival.





What Amazon Found


The attack chain, per Amazon's MadPot sensors:


  1. HTTP requests to a specific FMC path containing Java code execution payloads

  2. Two embedded URLs — one delivers exploit configuration, one confirms successful compromise by triggering the target to upload a generated file via HTTP PUT

  3. ELF binary fetch — once in, they pull a Linux executable from a remote staging server

  4. Lateral movement — standard ransomware playbook from there

The sophistication isn't in the malware. It's in the access. When your firewall management console is the entry point, you're already inside the perimeter before the perimeter knows you exist.





We Have 30 IOCs. Here's What's In Them.


We ingested the full Amazon/MadPot indicator set the day it published. Here's what's in our STIX feed right now:


  • 3 exploit source IPs (the machines doing the shooting)

  • 4 C2 fallback IPs (where the ransomware phones home)

  • 1 backend C2 IP

  • 1 staging host

  • cherryberry.click — primary exploit support domain

  • ms-server-default.com, initialize-configs.com — exploit infrastructure disguised as Microsoft services

  • browser-updater.com/.live — C2 masquerading as browser updates

  • os-update-server.com/.org/.live/.top — C2 masquerading as OS updates

  • 1 .onion ransom negotiation portal

  • Certify offensive security tool (credential theft)

  • Screen locker component

  • 2 JA3 hashes (TLS client fingerprints)

  • 2 JA4 hashes (next-gen TLS fingerprints)

The JA3/JA4 fingerprints are the most operationally useful. Your firewall can't block what it can't identify, but TLS fingerprinting catches the exploit traffic pattern regardless of IP rotation. If Interlock moves to new infrastructure — and they will — the JA3/JA4 signatures follow them.





The Iran Connection Nobody's Saying Out Loud


Interlock has historically targeted manufacturing and healthcare. They hit a FreeBSD vulnerability last year. Now they're burning a Cisco FMC zero-day — that's a significant capability escalation.


Here's what's happening in the background: Russia-linked hackers are surging in support of Tehran since the war began. CrowdStrike is tracking it. CISA just published a CVIE mapping 136 CVEs that Iranian state actors have shown interest in. Cisco firewalls protect a significant portion of US critical infrastructure.


Nobody's attributing Interlock to Iran directly. But a ransomware group that suddenly acquires a CVSS 10.0 zero-day in the firewall management platform used by US enterprises, right when Iran's cyber operations are escalating with Russian support? That's not a coincidence you ignore. That's a coincidence you instrument.


Three weeks ago, Iran's Handala group wiped 200,000 Stryker devices using Microsoft Intune. Today, Interlock is exploiting the console that manages Cisco firewalls. The pattern isn't ransomware for profit. The pattern is endpoint management tools being weaponized for destruction.





What You Should Do Right Now


1. Patch Cisco FMC immediately. CVE-2026-20131 has a fix from Cisco. This is a CVSS 10.0 with confirmed zero-day exploitation since January 26. If you haven't patched by now, assume compromise.




2. Hunt for these IOCs. All 30 are in our STIX 2.1 feed. Free tier. Search interlock at analytics.dugganusa.com or pull the full feed.


  • JA3: b885946e72ad51dca6c70abc2f773506

  • JA3: f80d3d09f61892c5846c854dd84ac403

  • JA4: t13i1811h1_85036bcba153_b26ce05bbdd6

  • JA4: t13i4311h1_c7886603b240_b26ce05bbdd6

4. Block the domains at DNS. The C2 infrastructure uses plausible names — browser-updater, os-update-server — that look like legitimate update traffic. Your users won't notice the block. Interlock will.


5. Audit your firewall management plane. If FMC is reachable from the internet, you've been in the blast radius since January 26. Check your FMC logs for HTTP requests with Java code in the body. If you find them, call your IR team.
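The hunting and blocking steps above come down to matching the post's two JA3 hashes, two JA4 hashes and listed domains against what your sensors already record. The script below is an added example, not code from the original post or from the DugganUSA feed; it checks Zeek-style `ssl.log` and `dns.log` records (JSON output) against those indicators, matching subdomains of the listed domains as well as the domains themselves. The log lines are constructed sample data, the all-zero hash values in them are benign placeholders, the internal and external addresses are assumptions, and the `ja3`/`ja4` fields assume the Zeek JA3 and JA4 packages are installed.

```python
# Added example, not from the original post: the JA3/JA4 hashes and domains
# listed above, checked against constructed Zeek ssl.log and dns.log lines.
# The ja3/ja4 fields assume the Zeek JA3 and JA4 packages populate them.
import json

JA3_HASHES = {
    "b885946e72ad51dca6c70abc2f773506",
    "f80d3d09f61892c5846c854dd84ac403",
}
JA4_HASHES = {
    "t13i1811h1_85036bcba153_b26ce05bbdd6",
    "t13i4311h1_c7886603b240_b26ce05bbdd6",
}
# Domains from the post; the "/.live" style shorthand is expanded to one entry per TLD.
IOC_DOMAINS = {
    "cherryberry.click", "ms-server-default.com", "initialize-configs.com",
    "browser-updater.com", "browser-updater.live",
    "os-update-server.com", "os-update-server.org",
    "os-update-server.live", "os-update-server.top",
}

# Constructed samples. All-zero hashes stand in for benign client fingerprints.
SAMPLE_SSL_LOG = """\
{"ts":1769600000.1,"id.orig_h":"10.0.5.10","id.resp_h":"203.0.113.45","server_name":"cdn.browser-updater.com","ja3":"b885946e72ad51dca6c70abc2f773506","ja4":"t13d1516h2_000000000000_000000000000"}
{"ts":1769600001.2,"id.orig_h":"10.0.5.10","id.resp_h":"198.51.100.9","server_name":"198.51.100.9","ja3":"00000000000000000000000000000000","ja4":"t13i4311h1_c7886603b240_b26ce05bbdd6"}
{"ts":1769600002.3,"id.orig_h":"10.0.8.31","id.resp_h":"192.0.2.10","server_name":"www.example.org","ja3":"00000000000000000000000000000000","ja4":"t13d1516h2_000000000000_000000000000"}
"""
SAMPLE_DNS_LOG = """\
{"ts":1769600010.0,"id.orig_h":"10.0.5.10","query":"cdn.browser-updater.com","qtype_name":"A"}
{"ts":1769600011.0,"id.orig_h":"10.0.8.31","query":"notbrowser-updater.com","qtype_name":"A"}
{"ts":1769600012.0,"id.orig_h":"10.0.8.31","query":"update.microsoft.com","qtype_name":"A"}
{"ts":1769600013.0,"id.orig_h":"10.0.5.10","query":"os-update-server.top","qtype_name":"A"}
"""


def _records(text: str):
    """Yield one dict per non-empty JSON log line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def domain_matches(name: str, iocs=IOC_DOMAINS) -> bool:
    """Exact or subdomain match on DNS labels, so cdn.browser-updater.com hits
    while notbrowser-updater.com (a plain substring) does not."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def hunt_ssl_log(text: str) -> list[dict]:
    """Flag TLS sessions whose client fingerprint or SNI matches an indicator."""
    findings = []
    for rec in _records(text):
        matched = []
        if rec.get("ja3", "").lower() in JA3_HASHES:
            matched.append("ja3")
        if rec.get("ja4", "") in JA4_HASHES:
            matched.append("ja4")
        if rec.get("server_name") and domain_matches(rec["server_name"]):
            matched.append("sni")
        if matched:
            findings.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                             "dst": rec["id.resp_h"], "matched": matched})
    return findings


def hunt_dns_log(text: str) -> list[dict]:
    """Flag DNS queries for a listed domain or any of its subdomains."""
    return [{"ts": r["ts"], "src": r["id.orig_h"], "query": r["query"]}
            for r in _records(text) if domain_matches(r.get("query", ""))]


if __name__ == "__main__":
    for f in hunt_ssl_log(SAMPLE_SSL_LOG):
        print(f"TLS {f['src']} -> {f['dst']}  matched={','.join(f['matched'])}")
    for f in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS {f['src']} queried {f['query']}")
```

The same `IOC_DOMAINS` set is what you would load into a DNS block list (step 4); the label-wise match in `domain_matches` is what keeps a resolver or sinkhole rule from also catching unrelated names that merely contain the string. Fingerprint matches on the second sample line show why the post values JA3/JA4: the destination there is a bare IP with no domain indicator at all.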





The Timeline That Should Scare You



| Date | Event |
|---|---|
| Jan 26, 2026 | Interlock begins exploiting CVE-2026-20131 (zero-day) |
| Feb 28, 2026 | Iran missile strike kills 175+ at school |
| Mar 4, 2026 | Cisco discloses CVE-2026-20131 |
| Mar 11, 2026 | Handala wipes 200K Stryker devices |
| Mar 20, 2026 | Amazon publishes MadPot findings |
| Mar 23, 2026 | CISA deadline for Omnissa Workspace ONE |
| Mar 23, 2026 | You're reading this |


36 days between first exploitation and disclosure. 17 days more before Amazon published the IOCs. Every day in that gap was a day Interlock had root on unpatched Cisco FMC instances worldwide, and nobody was blocking the traffic.


We indexed the IOCs the day Amazon published. They're in our feed now. 1,026,000+ indicators. Because the gap between "threat intelligence exists" and "your firewall blocks it" shouldn't be measured in weeks.




Patrick Duggan builds threat intelligence infrastructure in Minneapolis. His platform has 30 Interlock IOCs indexed, including the JA3/JA4 fingerprints your IDS needs. They're free.


Search them yourself: [analytics.dugganusa.com](https://analytics.dugganusa.com)
