Front Page

Zero-Day Exploitation

36 Days in the Dark: Interlock Ransomware Exploited Cisco FMC Before Anyone Knew the Flaw Existed

The Interlock ransomware group exploited CVE-2026-20131, a CVSS 10.0 critical flaw in Cisco Secure Firewall Management Center, as an active zero-day for 36 days before Cisco patched it on March 4. Amazon's threat intelligence team uncovered the campaign after Interlock's own infrastructure server was misconfigured — exposing their full attack toolkit.

Interlock blended into admin activity using legitimate tools — ConnectWise ScreenConnect, Volatility, and the AD exploitation tool Certify — leaving no obvious malware signatures. Compromising the FMC grants root-level access to an entire firewall estate; FMC audit logs and connected Firepower device artifacts must now be treated as primary forensic evidence.

Supply Chain Attack

Scanner to Stealer: The Trivy Compromise Spawned a Blockchain-C2 Worm Across 141 npm Packages

On March 19, threat group TeamPCP hijacked the trivy-action GitHub repository and published a weaponized v0.69.4 that silently stole CI/CD credentials — SSH keys, cloud configs, Kubernetes secrets, and .env files — while continuing to run legitimate Trivy scans, making detection nearly impossible without artifact-level analysis.

The follow-on CanisterWorm uses an Internet Computer blockchain canister as its C2 resolver — the first documented ICP abuse for malware command-and-control — rendering DNS takedown useless. Any org that ran trivy-action between March 19–22 should treat build runners as compromised; hunt for the pgmon systemd service and ~/.config/sysmon.py.

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-20131

Cisco Secure FMC — Unauthenticated RCE via insecure Java deserialization; CVSS 10.0. Zero-day exploited by Interlock ransomware since January 26; added to CISA KEV March 20. Forensic Note: Audit FMC HTTP request logs and Firepower devices for lateral movement artifacts.

CRITICAL
CVE-2026-3564

ConnectWise ScreenConnect — ASP.NET machine key exposure allows session token forgery and support session hijacking; CVSS 9.0. Patched in v26.1 on March 18. Forensic Note: In MSP-linked intrusions, audit ScreenConnect session logs and config files for machine key extraction.

Malware Spotlight

CanisterWorm (TeamPCP)

Self-propagating npm worm — spawned by the Trivy supply chain compromise — that spreads autonomously by harvesting npm auth tokens and publishing malicious packages. Uses an ICP blockchain canister for C2, the first such documented abuse, making network-layer defenses ineffective. Forensic Note: Hunt via pgmon systemd service, ~/.config/sysmon.py, and ICP canister beacon traffic.
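The two forensic notes above (the Trivy item and this spotlight) give the same host-level indicators for CanisterWorm: a systemd service named pgmon and a file at ~/.config/sysmon.py. The script below is an added example, not code from the bulletin or from any vendor, that sweeps a filesystem root and a set of home directories for those two artifacts and records a SHA-256 for each hit. The systemd unit directories it searches are the standard ones; the indicator names come from the bulletin. The `demo()` function builds a constructed fixture in a temporary directory so the logic can be exercised offline; point `scan_host` at `/` and the real home directories (or a mounted image of a build runner) to use it for triage.

```python
"""Host triage for the CanisterWorm indicators named in this bulletin.

Checks for (1) a systemd unit named 'pgmon' in the usual unit directories
(including *.wants symlink dirs) and (2) the file ~/.config/sysmon.py.
Paths are parameterised so the same logic runs on a live host, a mounted
disk image, or the constructed fixture in demo().
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Indicator names as given in the bulletin.
SUSPECT_UNIT_NAME = "pgmon"
SUSPECT_USER_FILE = Path(".config") / "sysmon.py"

# Standard systemd unit search paths (assumption: stock layout), relative to root.
SYSTEM_UNIT_DIRS = (
    Path("etc/systemd/system"),
    Path("usr/lib/systemd/system"),
    Path("lib/systemd/system"),
    Path("run/systemd/system"),
)
USER_UNIT_DIR = Path(".config/systemd/user")


def _sha256(path: Path) -> str:
    """Hash the artifact so the finding can be shared without copying the file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _unit_hits(unit_dir: Path) -> list[Path]:
    """Find pgmon*.service anywhere under a unit dir (rglob also covers *.wants/)."""
    if not unit_dir.is_dir():
        return []
    return sorted(p for p in unit_dir.rglob(f"{SUSPECT_UNIT_NAME}*.service") if p.is_file())


def scan_host(root: Path, homes: list[Path]) -> list[dict]:
    """Return one finding per matching artifact.

    root  -- filesystem root ('/' on a live host, or a mount point of an image)
    homes -- home directories to inspect (e.g. /root plus each /home/*)
    """
    findings: list[dict] = []

    # 1. System-scope unit named pgmon.
    for unit_dir in SYSTEM_UNIT_DIRS:
        for hit in _unit_hits(root / unit_dir):
            findings.append({"kind": "systemd_unit", "path": str(hit), "sha256": _sha256(hit)})

    for home in homes:
        # 1b. User-scope unit under ~/.config/systemd/user.
        for hit in _unit_hits(home / USER_UNIT_DIR):
            findings.append({"kind": "systemd_unit", "path": str(hit), "sha256": _sha256(hit)})
        # 2. The ~/.config/sysmon.py path named in the bulletin.
        dropper = home / SUSPECT_USER_FILE
        if dropper.is_file():
            findings.append({"kind": "user_file", "path": str(dropper), "sha256": _sha256(dropper)})

    return findings


def demo() -> list[dict]:
    """Run the scan against a constructed fixture (placeholder files, not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        unit_dir = root / "etc/systemd/system"
        (unit_dir / "multi-user.target.wants").mkdir(parents=True)
        # Constructed unit file; the benign sshd unit is there to show it is not flagged.
        (unit_dir / "pgmon.service").write_text("[Service]\nExecStart=/usr/bin/python3 %h/.config/sysmon.py\n")
        (unit_dir / "sshd.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
        home = root / "home/builder"
        (home / ".config").mkdir(parents=True)
        (home / ".config/sysmon.py").write_text("# constructed placeholder, not the real file\n")
        return scan_host(root, [home])


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:13} {finding['path']}  sha256={finding['sha256'][:16]}...")
```

Treat any hit as a reason to pull the runner offline and image it rather than to clean it in place; the bulletin's guidance is that runners active in the March 19–22 window should be considered compromised regardless of whether these two artifacts are still present, since the credential theft happened during the CI run itself.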