PULSE NAME
Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls
WHITE PetrP.73 2026-03-20 Modified: 2026-04-19
Amazon threat intelligence has uncovered an ongoing Interlock ransomware campaign that exploits a critical vulnerability, CVE-2026-20131, in Cisco's Secure Firewall Management Center Software. The vulnerability, which Cisco disclosed publicly on March 4, 2026, allows unauthenticated remote attackers to execute arbitrary Java code with root privileges. Notably, Interlock began exploiting it as a zero-day on January 26, 2026, 36 days prior to its public announcement, which let the group compromise organizations unnoticed.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
Interlock
Indicators of Compromise (21)