The "Sovereign Stack" faces its toughest test this month. A maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131, has been actively exploited in the wild. What was initially thought to be a standard patch cycle has turned into a forensic emergency.

1. The "MadPot" Discovery: A 36-Day Head Start

Amazon’s global sensor network, MadPot, identified exploitation of this flaw beginning on January 26, 2026. This means the Interlock gang had 36 days of silent access to high-value networks before Cisco’s public disclosure on March 4.

  • The Exploit (CVSS 10.0): This is an insecure Java deserialization flaw in the FMC web interface.
  • The Payload: Unauthenticated remote attackers send a crafted serialized Java object to the management interface.
  • The Result: Immediate root-level code execution on the underlying operating system.

2. Interlock’s Toolkit: Redundancy & Evasion

The Interlock group (a suspected offshoot of the Rhysida RaaS family) didn't just breach systems—they moved in. Amazon’s analysis of a misconfigured attacker server revealed a sophisticated multi-stage kill chain:

  • Dual-Language RATs: To ensure persistence, Interlock deployed two functionally equivalent Remote Access Trojans (RATs), one written in Java and one in JavaScript. If a defender detects and removes the Java version, the JavaScript implant keeps the door open.
  • Fileless Webshells: The group used memory-resident webshells that decrypt and execute code without ever touching the disk, effectively bypassing traditional signature-based antivirus.
  • Aggressive Log Erasure: A custom script was found running as a cron job every five minutes, purging all *.log files under /var/log and unsetting the HISTFILE variable to wipe shell history.

3. Targets & Tactics

Interlock continues to target "disruption-sensitive" sectors where downtime is not an option. Current confirmed targets include Healthcare (DaVita, Kettering Health), Education (Texas Tech University), and several Government agencies.

The group also leveraged legitimate administrative tools for stealth, including ConnectWise ScreenConnect, Volatility, and Certify (to exploit Active Directory Certificate Services).


Hacklido Technical Takeaway: Forensic Checklist

For our sysadmins and SOC analysts, "patching" is only Step 1. You must assume compromise if your FMC was internet-facing between January and March.

  1. Check for "Phone Home" Beacons: Monitor for outbound TCP connections to unusual high-numbered ports (e.g., 45588) or HTTP PUT requests to external IPs that follow access to an FMC management path.
  2. Audit ScreenConnect: Review all ScreenConnect deployments for unauthorized instances or unusual active sessions.
  3. Log Hunt: Search for HTTP requests to /management/ paths containing serialized Java objects in the request body. If your logs are missing or truncated every five minutes, you likely have an active infection.
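
A small hunt helper for step 3 and for the cron-based log purge described in section 2, added here as an example (it is not code from Hacklido, Amazon or Cisco). It flags requests to /management/ paths whose body starts with the Java serialization stream magic (0xACED0005, which base64-encodes to the prefix "rO0AB"), and crontab lines that run every five minutes and delete *.log files under /var/log or unset HISTFILE. The request records and crontab are constructed; the exact FMC paths and the log format you retain will differ.

```python
import base64
import re
from typing import List, Tuple

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and its base64 form.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64_PREFIX = b"rO0AB"

# Matches a five-minute cron schedule whose command removes .log files under /var/log.
CRON_LOG_PURGE = re.compile(r"^\*/5 \* \* \* \*.*\b(rm|find)\b.*/var/log.*\.log")

# Constructed sample records: (method, path, request body) as a body-logging proxy or WAF
# would retain them. The /management/ paths are hypothetical, not real FMC endpoints.
SAMPLE_REQUESTS: List[Tuple[str, str, bytes]] = [
    ("GET", "/login", b""),
    ("POST", "/management/api", base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x03Foo")),
    ("PUT", "/management/upload", JAVA_SER_MAGIC + b"\x73\x72"),
    ("POST", "/management/api", b"user=admin"),
    ("POST", "/search", base64.b64encode(JAVA_SER_MAGIC)),  # serialized, but not a management path
]

# Constructed crontab: one benign logrotate entry and one matching the purge pattern from section 2.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * rm -f /var/log/*.log; unset HISTFILE
"""


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body begins with a Java serialization stream, raw or base64-encoded."""
    stripped = body.lstrip()
    return stripped.startswith(JAVA_SER_MAGIC) or stripped.startswith(JAVA_SER_B64_PREFIX)


def hunt_management_requests(requests: List[Tuple[str, str, bytes]]) -> List[str]:
    """Return 'METHOD path' for requests to /management/ paths carrying a serialized Java object."""
    return [
        f"{method} {path}"
        for method, path, body in requests
        if path.startswith("/management/") and looks_like_java_serialized(body)
    ]


def suspicious_cron_entries(crontab: str) -> List[str]:
    """Return crontab lines that purge /var/log every five minutes or unset HISTFILE."""
    return [
        line for line in crontab.splitlines()
        if CRON_LOG_PURGE.search(line) or "unset HISTFILE" in line
    ]


if __name__ == "__main__":
    print("Suspicious management requests:", hunt_management_requests(SAMPLE_REQUESTS))
    print("Suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
```

A hit on either check is a trigger for full host triage, not a verdict on its own; deserialization payloads can also arrive gzip-compressed or wrapped in other encodings that this prefix check will not see.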

Update Now: Ensure you are on the "First Fixed" versions: 7.0.9, 7.2.11, 7.4.6, 7.6.5, or 10.0.1 (for SCC).