Interlock Ransomware Confirms It: Your Cisco FMC Was a Zero-Day Since January
- Patrick Duggan
- Mar 18
- 4 min read
Updated: Apr 25
We Published the Fix Monday. They Named the Attacker Wednesday.
On March 17, we published "Your Cisco ASA Is Getting Popped Right Now" — a step-by-step guide to blocking known attacker infrastructure across OPNsense, Zscaler, Splunk ES, Palo Alto, and Cisco ISE.
Today, Amazon Threat Intelligence confirmed who's been doing the popping: Interlock, a ransomware operation that's been exploiting CVE-2026-20131 as a zero-day since January 26, 2026. Six weeks before Cisco disclosed it.
Your Cisco Firewall Management Center — the thing that manages your firewall rules — has had a CVSS 10.0 unauthenticated root access vulnerability exploited by ransomware operators for almost two months. If you haven't patched, you should assume compromise.
What Interlock Did
The Amazon Threat Intelligence report, detected through their MadPot global sensor network, lays out a clean kill chain:
Initial Access: Exploit CVE-2026-20131 — insecure deserialization of Java byte streams. Unauthenticated. Remote. Root.
Persistence: Deploy custom RATs — JavaScript and Java-based, with command execution, bidirectional file transfer, SOCKS5 proxy, and self-update capabilities. Also drop ConnectWise ScreenConnect for persistent remote access.
Infrastructure: Configure compromised Linux servers as HTTP reverse proxies using HAProxy. Hard-coded target IPs. Fail2ban deployed to protect their infrastructure from other attackers.
Reconnaissance: PowerShell scripts enumerate everything — OS, hardware, services, software, Hyper-V inventory, browser artifacts, network connections, RDP logs. They know your environment better than you do.
Defense Evasion: Memory-resident web shells. Log erasure via cron jobs. Encrypted command payloads.
Exfiltration: Data out over C2 channels before encryption.
UTC+3 operational patterns suggest Eastern European or Middle Eastern origin.
The Timeline That Should Scare You
| Date | What Happened |
| --- | --- |
| January 26, 2026 | Interlock begins exploiting CVE-2026-20131 as a zero-day |
| March 4, 2026 | Cisco discloses vulnerability in ERP-75736 (25 advisories, 48 CVEs) |
| March 4, 2026 | We index the CVE and begin tracking scanning activity |
| March 15, 2026 | We identify p3Nt3st3r-sTAr's fake POC on GitHub targeting researchers |
| March 17, 2026 | We publish blocking guide for 6 platforms |
| March 18, 2026 | Amazon confirms Interlock was the zero-day operator since January |
Six weeks of exploitation before disclosure. Two weeks of disclosure before naming. The gap between "vulnerable" and "protected" is measured in the speed of your threat intelligence — not the speed of your vendor's advisory.
What We Already Had
When the Interlock attribution dropped this morning, our STIX feed already contained:
- CVE-2026-20131 indicators — indexed since March 4
- Fake POC warnings — p3Nt3st3r-sTAr's trojanized GitHub repos flagged March 15
- ASA scanning infrastructure — 25,000+ IPs from GreyNoise
- Legitimate exploit code tracking — Sushilsin/CVE-2026-20131 and sak110 fork identified
- UAT4356/ArcaneDoor infrastructure — the state-sponsored group exploiting overlapping ASA vulnerabilities
The blocking guide we published yesterday works against Interlock. The feed updates we pushed yesterday include the infrastructure Interlock uses. The protection was live before the attribution was public.
That's what continuous threat intelligence does. You don't wait for the name. You block the behavior.
What You Should Do Right Now
If you're running Cisco FMC unpatched:
1. Assume compromise. Not "check for indicators." Assume compromise. Then validate.
2. Patch — Cisco released fixes March 4. If you haven't applied them in two weeks, that's a conversation for your board.
3. Hunt for ScreenConnect — Interlock deploys ConnectWise ScreenConnect for persistence. Search your environment for unauthorized installations. If you find one you didn't put there, you have an active intrusion.
4. Check your proxies — Compromised Linux servers reconfigured as HAProxy reverse proxies on port 80. Look for unexpected HAProxy processes and fail2ban configurations you didn't deploy.
5. Block known infrastructure — Our STIX feed. Five minutes. We wrote the configuration guide for your exact stack yesterday.
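To make the ScreenConnect, HAProxy, fail2ban and log-erasure hunts above repeatable, here is an added example (not the post's or DugganUSA's code) that checks process and cron listings for those artifacts. The `ps` and `crontab` text is constructed sample data, the ScreenConnect path segment is a placeholder, and the approved-process inventory is an assumption about your environment.

```python
import re

# Artifacts the Amazon report ties to Interlock on compromised Linux hosts: HAProxy
# reverse proxies, fail2ban, ConnectWise ScreenConnect, and cron jobs that erase logs.
SUSPECT_PROCESS = re.compile(r"(haproxy|fail2ban|screenconnect)", re.I)
TEMP_OR_HIDDEN = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|/\.[^/\s]+)")
LOG_WIPE = re.compile(r"(>\s*/var/log/\S+|\b(rm|shred|truncate)\b[^;&|]*\s/var/log/\S+)")

# Constructed sample output standing in for `ps -eo pid,user,args` and `crontab -l`.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 root     /usr/sbin/haproxy -f /tmp/.x/haproxy.cfg -db
  911 root     /usr/bin/python3 /usr/bin/fail2ban-server -xf start
 1204 root     /opt/connectwisecontrol-PLACEHOLDER/ScreenConnect.ClientService
 1337 www-data nginx: worker process
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * cat /dev/null > /var/log/auth.log
*/10 * * * * rm -f /var/log/haproxy.log /var/log/syslog
"""

def audit_processes(ps_text, approved=frozenset()):
    """Flag proxy/persistence processes that are unapproved or run from temp/hidden paths.

    approved holds lowercase names this host is expected to run (assumption: you keep
    such an inventory); even an approved name is flagged if it loads from /tmp or a dotdir.
    """
    findings = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        pid, user, args = line.split(None, 2)
        match = SUSPECT_PROCESS.search(args)
        if not match:
            continue
        name = match.group(1).lower()
        hidden = TEMP_OR_HIDDEN.search(args)
        if name in approved and not hidden:
            continue
        reason = "runs from temp/hidden path" if hidden else "not in approved inventory"
        findings.append((int(pid), user, name, reason))
    return findings

def audit_cron(cron_text):
    """Return cron entries whose command empties or deletes files under /var/log."""
    return [line for line in cron_text.splitlines()
            if line and not line.startswith("#") and LOG_WIPE.search(line)]
```

Feed it real `ps -eo pid,user,args` and `crontab -l` output (for root and every service account, plus /etc/cron.d) and treat every finding as a lead to confirm against your change records.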
The Guide (Published March 17)
- OPNsense/pfSense → URL Table alias, WAN block rule
- Zscaler ZIA → Custom threat intelligence feed
- Splunk ES → Threat Intelligence data input + adaptive response
- Palo Alto NGFW → External Dynamic List + deny rule
- Cisco ISE → pxGrid + TAXII 2.1 ingestion
Full configuration steps: dugganusa.com — search "Cisco ASA Getting Popped"
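The Palo Alto EDL and OPNsense URL Table entries in the guide both consume a plain text file with one address per line, while a TAXII 2.1 collection returns STIX 2.1 bundles. As an added example (not the post's or DugganUSA's code), this converts such a bundle into that list, skipping revoked indicators and rejecting malformed values so a single bad entry cannot break the firewall's list refresh. The bundle is constructed sample data using RFC 5737 documentation addresses.

```python
import re
from ipaddress import ip_network

# Each simple comparison inside a STIX pattern, e.g.
#   [ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.0/24']
_COMPARISON = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")

# Constructed sample bundle (not a real feed); addresses are RFC 5737 documentation ranges.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.0/24']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'Update.Example']"},
    {"type": "indicator", "pattern_type": "stix", "revoked": True,  # withdrawn by the feed
     "pattern": "[ipv4-addr:value = '192.0.2.9']"},
    {"type": "indicator", "pattern_type": "stix",                   # duplicate of the first
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "pattern_type": "stix",                   # malformed address
     "pattern": "[ipv4-addr:value = '999.1.1.1']"},
]}

def extract_observables(pattern):
    """Return (type, value) pairs from a STIX 2.1 comparison pattern."""
    return _COMPARISON.findall(pattern)

def _normalize(kind, value):
    """Return the EDL line for one observable; raises ValueError if malformed."""
    if kind in ("ipv4-addr", "ipv6-addr"):
        net = ip_network(value.strip(), strict=False)
        # Single hosts are written without /32 so the list reads like a plain address list
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return value.strip().lower()

def bundle_to_edl(bundle, kinds=("ipv4-addr", "ipv6-addr")):
    """Flatten a bundle into (sorted EDL lines, rejected values); revoked and non-STIX objects are skipped."""
    lines, rejected = set(), []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in extract_observables(obj.get("pattern", "")):
            if kind not in kinds:
                continue
            try:
                lines.add(_normalize(kind, value))
            except ValueError:           # keep going; report the bad value instead of shipping it
                rejected.append(value)
    return sorted(lines), rejected
```

Serve the returned lines over HTTPS as the EDL source, and alert on a non-empty rejected list rather than silently dropping entries.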
Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →
The Uncomfortable Math
CVE-2026-20131 was a zero-day for 37 days before disclosure. It's been public for 14 days. Interlock has been exploiting it for 51 days total.
If your mean time to patch is measured in weeks, Interlock had your FMC before you knew the vulnerability existed. If your threat intelligence updates daily instead of continuously, they had a head start even after disclosure.
We updated our feed within hours of the Cisco advisory. Our subscribers were blocking scanning infrastructure on March 4 — six weeks after Interlock started, but the same day the world found out. That's the best anyone could do without the zero-day itself.
The question isn't whether Interlock targeted your FMC. The question is whether you were blocking their infrastructure when they tried.
Pricing
analytics.dugganusa.com/stix/pricing
1,014,994+ indicators. Splunk ES native. Palo Alto EDL. TAXII 2.1. Five minutes.
Code NOTAFAKE for 20% off.
[email protected] — tell us your stack, we'll configure it.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
The cheapest, fastest, most accurate threat feed on the internet.
275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.