1. Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
Summary
Amazon Threat Intelligence disclosed that the Interlock ransomware group has been exploiting CVE-2026-20131, a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center (FMC), as a zero-day since January 26, 2026 — 36 days before Cisco’s March 4 patch. The vulnerability allows unauthenticated remote attackers to execute arbitrary Java code as root. A companion authentication bypass (CVE-2026-20079, also CVSS 10.0) affects the same product. Interlock targets education, engineering, healthcare, manufacturing, and government sectors. A misconfigured Interlock server exposed the group’s full toolkit. All on-premises FMC software releases are affected; cloud-delivered FMC (cdFMC) is not impacted.
What’s New (Last 24 Hours)
- Amazon Threat Intelligence published detailed analysis via MadPot honeypot network on March 18, confirming 36-day pre-disclosure exploitation window
- Interlock deploys a fileless, memory-resident Java webshell that intercepts HTTP requests containing AES-128 encrypted commands using a hardcoded seed
- Post-exploitation toolkit includes ConnectWise ScreenConnect for persistence, Volatility for memory forensics, and Certify for Active Directory certificate abuse
- Artifacts are heavily customized per-target, making traditional hash-based detection unreliable — behavioral detection is required
- Misconfigured Interlock server exposed multi-stage attack chain: custom backdoors, reconnaissance scripts, and evasion tools
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Deserialized Java byte stream in FMC web interface HTTP requests | Network / Exploit | T1190 – Exploit Public-Facing Application | FMC access logs, WAF logs | Monitor FMC web interface for unusual POST requests with serialized Java objects |
| Memory-resident Java webshell with AES-128 encrypted C2 | TTP | T1505.003 – Web Shell | FMC process monitoring, memory analysis | Hunt for unexpected Java processes on FMC appliances; inspect memory for webshell artifacts |
| ConnectWise ScreenConnect installed post-compromise | Tool | T1219 – Remote Access Software | EDR Process Create, Network | Alert on unauthorized ScreenConnect installations; audit existing deployments |
| Certify.exe used for AD certificate abuse | Tool | T1649 – Steal or Forge Authentication Certificates | EDR Process Create | Alert on Certify.exe or similar ADCS exploitation tools |
| Volatility used for memory forensics on victim systems | Tool | T1003 – OS Credential Dumping | EDR Process Create | Alert on Volatility framework execution outside authorized forensic contexts |
| Customized per-target artifacts (no reliable hashes) | TTP | T1027 – Obfuscated Files or Information | EDR Behavior | Focus on behavioral detection: Java process anomalies on FMC, lateral movement patterns |
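The first row above asks defenders to spot serialized Java objects in FMC web traffic. The following is an added example, not code from the brief or from Amazon/Cisco: it checks request bodies for the Java serialization header in raw, URL-encoded, base64 and hex form, so a decoded-but-harmless "rO0AB" string is not a false positive. The request-record shape, paths and addresses are constructed for the example.

```python
"""Flag HTTP request bodies carrying a Java serialization stream (header
0xAC 0xED 0x00 0x05), checked raw, URL-encoded, base64 ("rO0AB" prefix)
and hex-encoded. Input is a constructed request list in an assumed shape."""
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

JAVA_MAGIC = b"\xac\xed\x00\x05"
B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]{8,}")
HEX_RE = re.compile(rb"aced0005[0-9a-f]{8,}", re.IGNORECASE)

def candidate_decodings(body):
    """Yield (encoding label, decoded bytes) for each form worth checking."""
    yield "raw", body
    yield "urlencoded", unquote_to_bytes(body)
    m = B64_RE.search(body)
    if m:
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole base64 quanta only
        try:
            yield "base64", base64.b64decode(chunk)
        except binascii.Error:
            pass
    m = HEX_RE.search(body)
    if m:
        chunk = m.group(0)
        yield "hex", binascii.unhexlify(chunk[: len(chunk) - len(chunk) % 2])

def serialized_java_in(body):
    """Return the encoding label if a Java stream header is present, else None."""
    for label, data in candidate_decodings(body):
        if JAVA_MAGIC in data:
            return label
    return None

# Constructed sample requests; paths and addresses are placeholders.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/ui/login", "body": b"username=admin&password=%2A%2A%2A"},
    {"src": "203.0.113.9", "path": "/api/upload", "body": b"data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"},
    {"src": "203.0.113.9", "path": "/api/upload", "body": b"data=%AC%ED%00%05sr"},
    {"src": "10.0.0.7", "path": "/ui/search", "body": b"q=rO0ABisnotreally"},  # decodes, but no magic
]

def scan(records):
    """Return (src, path, encoding) for every request carrying a Java stream."""
    hits = []
    for r in records:
        label = serialized_java_in(r["body"])
        if label:
            hits.append((r["src"], r["path"], label))
    return hits
```

Because the check decodes before matching, it also catches the header when a WAF only sees the encoded form; feed it the request bodies your access or WAF logging retains.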
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059.004 – Unix Shell (post-exploit on FMC) |
| Persistence | T1505.003 – Server Software Component: Web Shell, T1219 – Remote Access Software |
| Credential Access | T1649 – Steal or Forge Authentication Certificates, T1003 – OS Credential Dumping |
| Defense Evasion | T1027 – Obfuscated Files or Information, T1620 – Reflective Code Loading |
| Impact | T1486 – Data Encrypted for Impact (ransomware) |
Sources
2. Microsoft SharePoint RCE CVE-2026-20963 Added to CISA KEV — Active Exploitation Confirmed
Summary
CISA added CVE-2026-20963 to the Known Exploited Vulnerabilities catalog on March 18, 2026, confirming active exploitation of this critical insecure deserialization vulnerability in Microsoft SharePoint Server. The flaw allows an unauthorized attacker to achieve remote code execution through a low-complexity attack by sending crafted serialized .NET objects to vulnerable SharePoint endpoints. Microsoft patched this in January 2026 Patch Tuesday, but exploitation in the wild is now confirmed. Affected products include SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. End-of-support versions (2007, 2010, 2013) are also vulnerable but will not receive patches. Federal agencies must patch by March 21, 2026.
What’s New (Last 24 Hours)
- CISA added CVE-2026-20963 to KEV on March 18, 2026, confirming active exploitation
- Exploitation leverages .NET deserialization gadget chains via crafted HTTP requests to SharePoint web services
- Specific APT groups behind the attacks remain unidentified
- Federal remediation deadline set for March 21, 2026 (extremely tight 3-day window)
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| Serialized .NET gadget chain payloads in SharePoint HTTP requests | Network / Exploit | T1190 – Exploit Public-Facing Application | SharePoint ULS logs, WAF, IIS logs | Monitor for unusual serialized data patterns in POST requests to SharePoint endpoints |
| w3wp.exe (SharePoint app pool) spawning unexpected child processes | Process | T1059 – Command and Scripting Interpreter | EDR Process Create, Windows Event 4688 | Alert on w3wp.exe spawning cmd.exe, powershell.exe, or other shells |
| Suspicious file writes in SharePoint installation directories | File | T1505.003 – Web Shell | EDR File Create, Sysmon Event 11 | Monitor for new .aspx/.asmx files in SharePoint web directories |
| Lateral movement from compromised SharePoint server | TTP | T1021 – Remote Services | Network, EDR | Monitor SharePoint servers for outbound SMB/WinRM/RDP to internal hosts |
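The second and third rows above describe two host-level signals (w3wp.exe spawning a shell, and .aspx/.asmx files appearing in web directories). Here is an added example, not code from the brief or from Microsoft, that implements both as rules over Windows Event 4688 and Sysmon Event 11 records; the sample events, the shell list and the watched directory are constructed assumptions.

```python
"""Two behavioral checks for a SharePoint host, run over constructed event
records (not real logs): the app-pool worker w3wp.exe spawning a shell or
script host (Windows Event 4688) and a new .aspx/.asmx file written under a
watched web directory (Sysmon Event 11). Field names follow the event
schemas; the shell list and watched directory are assumptions."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
WEB_SHELL_EXTS = (".aspx", ".asmx")
# Assumed root of the SharePoint web directories to watch (constructed path).
WATCHED_DIRS = ("c:\\inetpub\\wwwroot\\wss\\virtualdirectories\\",)

def _base(path):
    """Lower-cased file name of a Windows path, e.g. 'C:\\X\\w3wp.exe' -> 'w3wp.exe'."""
    return ntpath.basename(path).lower()

def check_process_create(ev):
    """Rule 1: w3wp.exe launching an interactive shell or script host."""
    if ev.get("EventID") != 4688:
        return False
    return (_base(ev.get("ParentProcessName", "")) == "w3wp.exe"
            and _base(ev.get("NewProcessName", "")) in SHELLS)

def check_file_create(ev):
    """Rule 2: server-side script page dropped into a watched web directory."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    return target.endswith(WEB_SHELL_EXTS) and target.startswith(WATCHED_DIRS)

def triage(events):
    """Return (rule name, detail) for every event that fires a rule."""
    hits = []
    for ev in events:
        if check_process_create(ev):
            hits.append(("w3wp_spawns_shell", ev.get("CommandLine", "")))
        if check_file_create(ev):
            hits.append(("webshell_file_write", ev["TargetFilename"]))
    return hits

# Constructed sample events; csc.exe is a normal ASP.NET compile child and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "CommandLine": "csc.exe /noconfig"},
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\update.aspx"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.aspx"},
]
```

Rule 1 needs command-line auditing enabled for 4688 to carry CommandLine; tune WATCHED_DIRS to the actual IIS virtual directory roots on each farm member.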
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application |
| Execution | T1059 – Command and Scripting Interpreter |
| Persistence | T1505.003 – Server Software Component: Web Shell |
| Lateral Movement | T1021 – Remote Services |
Sources
3. APT28 Exploits Zimbra XSS CVE-2025-66376 in Operation GhostMail — CISA KEV Addition
Summary
CISA added CVE-2025-66376, a stored XSS vulnerability in the Zimbra Collaboration Suite Classic Web Client, to the KEV catalog alongside the SharePoint flaw. The vulnerability allows attackers to inject malicious scripts via crafted email messages that execute when the victim opens the email in the Zimbra web client. APT28 (Russian military intelligence, GRU Unit 26165) has been attributed to exploitation in a campaign dubbed “Operation GhostMail” targeting the Ukrainian State Hydrology Agency and other Ukrainian government entities. The injected script harvests credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents. Patched in Zimbra versions 10.0.18 and 10.1.13 (November 2025). Federal remediation deadline: April 1, 2026.
What’s New (Last 24 Hours)
- CISA added CVE-2025-66376 to KEV on March 18, 2026
- Seqrite Labs published Operation GhostMail report attributing exploitation to APT28
- Attack vector uses CSS @import directives embedded in HTML email content to bypass input filtering
- Payload silently harvests: credentials, session tokens, 2FA backup codes, browser-saved passwords, and full mailbox contents
- Confirmed targeting of Ukrainian government agencies
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| CSS @import directive in inbound HTML email body | Email / Exploit | T1189 – Drive-by Compromise (email variant) | Email gateway logs, Zimbra audit logs | Filter/alert on HTML emails containing CSS @import directives pointing to external URLs |
| JavaScript execution within Zimbra Classic Web Client session | TTP | T1059.007 – JavaScript | Web proxy, browser telemetry | Monitor for unusual outbound requests from Zimbra web client sessions |
| Session token exfiltration to attacker-controlled infrastructure | Network | T1539 – Steal Web Session Cookie | Web proxy, network DLP | Alert on Zimbra session cookies/tokens in outbound HTTP requests to non-Zimbra domains |
| Credential harvesting from browser storage via injected script | TTP | T1555.003 – Credentials from Web Browsers | EDR, browser telemetry | Monitor for bulk credential access patterns from browser processes during Zimbra sessions |
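The first row above recommends filtering HTML mail for CSS @import directives that point at external URLs. This added example, not code from the brief or from Zimbra/Seqrite, implements that gateway check: it extracts every @import target from an HTML body, classifies each as a relative path, a trusted host, or an external origin, and quarantines only the last. The sample messages and the trusted-host allowlist are constructed assumptions.

```python
"""Gateway-style check for the CSS @import technique: scan an HTML email body
for @import directives and report those that fetch from an external origin.
Runs on constructed sample messages, not real Zimbra data; the trusted-host
allowlist is an assumption."""
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mail.example.internal"}  # assumed: hosts allowed to serve CSS
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)  # strip CSS comments before matching
IMPORT_RE = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)

def css_imports(html):
    """Return every @import target found anywhere in the HTML body."""
    return IMPORT_RE.findall(COMMENT_RE.sub("", html))

def is_external(target):
    """True when the target forces a fetch from a host outside TRUSTED_HOSTS."""
    u = urlparse(target)
    if u.scheme in ("http", "https") or (u.scheme == "" and target.startswith("//")):
        return u.hostname not in TRUSTED_HOSTS
    return False  # relative path: no outbound fetch to a third-party host

def verdict(html):
    """("quarantine", [external targets]) or ("deliver", [])."""
    bad = [t for t in css_imports(html) if is_external(t)]
    return ("quarantine", bad) if bad else ("deliver", [])

# Constructed sample bodies.
BENIGN = ('<html><head><style>@import "theme.css"; '
          '@import url(https://mail.example.internal/skin.css);</style></head>'
          '<body>Agenda attached.</body></html>')
SUSPECT = ('<html><body><style>@import url(\'https://attacker-controlled.example/z.css\');'
           '</style>Please review the updated schedule.</body></html>')
```

Run it on the decoded text/html part of each inbound message; scheme-relative targets (`//host/file.css`) are treated as external because the browser resolves them against the webmail origin's scheme and fetches from the named host.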
Potential Detection Coverage Based on MITRE ATT&CK Technique
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1566.001 – Phishing: Spearphishing Attachment (email-borne XSS) |
| Execution | T1059.007 – Command and Scripting Interpreter: JavaScript |
| Credential Access | T1539 – Steal Web Session Cookie, T1555.003 – Credentials from Web Browsers |
| Collection | T1114.002 – Email Collection: Remote Email Collection |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
Sources
Summary
Google Threat Intelligence Group (GTIG), iVerify, and Lookout jointly disclosed DarkSword, a sophisticated iOS exploit kit leveraging six vulnerabilities (three zero-days) for full device takeover. The kit has been used by multiple commercial surveillance vendors and state-sponsored actors — including UNC6353, a suspected Russian espionage group — against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine since at least November 2025. DarkSword deploys three malware families: GHOSTBLADE (JS dataminer), GHOSTKNIFE (data exfiltration backdoor), and GHOSTSABER (JS device enumeration backdoor). Apple patched all six flaws in iOS 26.3.1. Enterprise detection is limited to MDM and network-level indicators; this is primarily a mobile threat but has implications for BYOD environments and executive protection programs.
What’s New (Last 24 Hours)
- GTIG, iVerify, and Lookout published coordinated disclosure on March 19, 2026
- Six CVEs exploited: CVE-2025-31277, CVE-2025-43529, CVE-2026-20700, CVE-2025-14174, CVE-2025-43510, CVE-2025-43520
- Three of six (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174) were zero-days at time of exploitation
- UNC6353 (suspected Russian) used DarkSword against Ukrainian targets via watering hole attacks since December 2025
- Three distinct malware families deployed post-exploitation: GHOSTBLADE, GHOSTKNIFE, GHOSTSABER
- Apple patched all six in iOS 26.3.1
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| iOS devices running versions below 26.3.1 | Vulnerability | T1190 – Exploit Public-Facing Application | MDM inventory | Audit and enforce iOS 26.3.1 minimum via MDM policy |
| Watering hole sites delivering DarkSword exploit chain | Network | T1189 – Drive-by Compromise | Web proxy, DNS logs | Monitor for known compromised domains (check GTIG report for IOCs) |
| GHOSTBLADE JS dataminer activity | Malware | T1005 – Data from Local System | Mobile threat defense, network DLP | Deploy mobile threat defense solutions; monitor for unusual data exfiltration from iOS devices |
| GHOSTKNIFE data exfiltration backdoor | Malware | T1041 – Exfiltration Over C2 Channel | Network monitoring, mobile threat defense | Monitor for anomalous outbound connections from iOS devices to unknown infrastructure |
| GHOSTSABER device/account enumeration | Malware | T1087 – Account Discovery | Mobile threat defense | Alert on bulk account/device enumeration activity from mobile endpoints |
| Targeting pattern: Saudi Arabia, Turkey, Malaysia, Ukraine | Context | — | Threat intelligence | Prioritize patching for executives and personnel with travel to or connections in targeted regions |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | No native iOS exploit detection in ESCU | Detection gap: Entirely mobile-focused threat. Network-level detection possible via proxy/DNS anomaly rules if iOS traffic traverses enterprise network |
| Elastic | No native iOS exploit detection | Same gap — network-level indicators are the primary enterprise detection path |
| Sigma | No mobile-specific Sigma rules | Same gap |
| Mobile Threat Defense | Lookout, iVerify, and similar MTD solutions provide coverage | Primary detection vector for this threat. Deploy MTD on corporate-managed iOS devices |
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Initial Access | T1189 – Drive-by Compromise |
| Execution | T1203 – Exploitation for Client Execution |
| Persistence | T1398 – Boot or Logon Initialization Scripts (mobile) |
| Collection | T1005 – Data from Local System, T1087 – Account Discovery |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
Sources
Summary of Previously Covered Threats (No Significant Updates)
The following threats from prior briefs had no new actionable artifacts or significant developments in the last 24 hours:
- CVE-2026-3909 / CVE-2026-3910 (Chrome Skia/V8) — Covered March 18. Federal deadline March 27. No new TTPs or IOCs.
- CVE-2026-32746 (GNU InetUtils telnetd) — Covered March 18. No patch available until April 1. No new exploitation reports.
- CVE-2025-47813 / CVE-2025-47812 (Wing FTP Server) — Covered March 17-18. No new artifacts.
- LeakNet ClickFix + Deno BYOR Campaign — Covered March 18. No new IOCs.
- Claude Fraud AI Dev Tool Campaign — Covered March 18. No new C2 infrastructure or variants.
- Payload Ransomware (Babuk derivative) — Covered March 18. No new victims or TTPs.
- ACRStealer / HijackLoader — Covered March 18. No new IOCs.
- Konni APT EndRAT via KakaoTalk — Covered March 18. No new C2 or targeting changes.