Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
Amazon Threat Intelligence has disclosed that the Interlock ransomware group was exploiting a maximum-severity flaw in Cisco Secure Firewall Management Center — CVE-2026-20131 (CVSS 10.0), an insecure deserialization vulnerability allowing an unauthenticated remote attacker to bypass authentication and execute arbitrary Java code as root — as a zero-day since January 26, 2026, a full month before Cisco publicly disclosed and patched the bug, giving Interlock a head start to compromise organizations in education, engineering, healthcare, government, and manufacturing before defenders had any patch to apply. The attack chain involves crafted HTTP requests to a specific path in the FMC software that trigger remote code execution, followed by an HTTP PUT request to an attacker-controlled server confirming successful exploitation, after which an ELF binary and additional Interlock-linked tooling are fetched and deployed — with indicators including the group’s signature ransom note and TOR negotiation portal used to confirm attribution. Interlock’s demonstrated ability to source and weaponize a CVSS 10.0 Cisco zero-day for over a month underscores why defense-in-depth is not optional: even mature patching programs cannot protect organizations during the window between initial zero-day exploitation and eventual patch availability, and network segmentation, behavioral detection, and anomaly monitoring on edge devices are essential compensating controls.
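The post-exploitation sequence described above (a management appliance that should never initiate web traffic suddenly sends an HTTP PUT to an external host and then downloads an ELF binary) is the kind of behavior the "anomaly monitoring on edge devices" recommendation is meant to catch. The following is an added detection example, not code from the Amazon Threat Intelligence report or from Cisco: it runs over a few constructed egress-proxy log lines and flags that PUT-then-ELF-download pattern. The log field layout, the appliance and vendor-update addresses, the 30-minute window, and the assumption that the proxy records the first four bytes of each response body are all illustrative assumptions.

```python
"""
Added example (not from the report or vendor): flag a management appliance that
sends an outbound HTTP PUT to an external host and, shortly after, downloads a
file beginning with the ELF magic bytes. All hosts, addresses and the log
format are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional
import re

# Assumed inventory: appliances that should only reach the vendor update host.
MANAGEMENT_APPLIANCES = {"10.0.5.10"}
ALLOWED_DESTS = {"updates.example-vendor.test"}      # constructed placeholder
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ELF_MAGIC = b"\x7fELF"
WINDOW = timedelta(minutes=30)                        # assumed correlation window

# Constructed proxy log layout:
#   <iso-timestamp> <src-ip> <method> <dest-host> <path> <status> <bytes> [<first4bytes-hex>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)(?: (?P<magic>[0-9a-f]{8}))?$"
)

@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    host: str
    path: str
    status: int
    nbytes: int
    magic: Optional[bytes]

def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    magic = bytes.fromhex(m["magic"]) if m["magic"] else None
    return Event(datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["host"],
                 m["path"], int(m["status"]), int(m["bytes"]), magic)

def is_external(host: str) -> bool:
    """True if the destination is neither an internal address nor an allowlisted name."""
    try:
        return not any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                      # a DNS name rather than an address
        return host not in ALLOWED_DESTS

def detect(lines):
    """Return (src, put_event, download_event) tuples for each suspicious sequence."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.src in MANAGEMENT_APPLIANCES and is_external(ev.host):
            per_src[ev.src].append(ev)
    findings = []
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, put in enumerate(evs):
            if put.method != "PUT":
                continue
            for dl in evs[i + 1:]:          # later events from the same appliance
                if dl.ts - put.ts > WINDOW:
                    break
                if dl.method == "GET" and dl.status == 200 and dl.magic == ELF_MAGIC:
                    findings.append((src, put, dl))
    return findings

# Constructed sample lines: one benign update check, one PUT beacon followed by an
# ELF download (should fire), one PUT from a non-appliance host, one ELF fetch
# outside the window. 203.0.113.0/24 is documentation address space.
SAMPLE_LOGS = [
    "2026-01-27T03:14:05 10.0.5.10 GET updates.example-vendor.test /sru/latest 200 4096",
    "2026-01-27T03:15:10 10.0.5.10 PUT 203.0.113.45 /beacon 200 64",
    "2026-01-27T03:16:02 10.0.5.10 GET 203.0.113.45 /payload 200 851968 7f454c46",
    "2026-01-27T03:20:00 10.0.7.22 PUT 203.0.113.45 /upload 200 1024",
    "2026-01-27T04:50:00 10.0.5.10 GET 203.0.113.45 /other 200 1000 7f454c46",
]

if __name__ == "__main__":
    for src, put, dl in detect(SAMPLE_LOGS):
        print(f"ALERT {src}: PUT to {put.host}{put.path} at {put.ts}, "
              f"then ELF download {dl.host}{dl.path} ({dl.nbytes} bytes) at {dl.ts}")
```

The rule deliberately keys on behavior rather than on any specific request path or server, so it does not depend on the exploit details and would also fire on a different payload delivered the same way; in production the appliance inventory and allowlist would come from the asset database, and the "first bytes" field would be replaced by whatever file-type evidence the proxy or sandbox actually records.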
Apple Pushes First Background Security Improvements Update to Fix WebKit Flaw
Apple has deployed the inaugural use of its new Background Security Improvements system — a lightweight, out-of-band patching mechanism designed to deliver targeted security fixes for browser engines, WebKit framework components, and other system libraries without requiring a full OS update or device restart — to address CVE-2026-20643, a cross-origin issue in the WebKit Navigation API that allows malicious web content to bypass the browser’s Same Origin Policy, a foundational security boundary that prevents web pages from accessing resources outside their own domain. The fix shipped silently to iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2, with Apple describing the Background Security Improvements feature as enabling “smaller, ongoing security patches” that can be delivered continuously between major release cycles. The new delivery mechanism reflects Apple’s ongoing effort to compress the time between vulnerability discovery and widespread user protection — a gap that has historically been exploited by commercial spyware vendors targeting high-value individuals on versions of iOS that lagged behind the current patched release.
Bank Software Vendor Marquis Says More Than 670,000 Impacted by August Breach
Marquis, a software vendor that provides core banking and loan origination systems to community banks and credit unions across the United States, has disclosed that a ransomware attack it suffered in August 2025 ultimately compromised the personal and financial data of more than 670,000 individuals — a figure that has grown considerably as downstream customer banks filed their own breach notifications in Maine over the past several months, with the most recent filings pushing the total count past the 670,000 threshold. The stolen data includes names, Social Security numbers, account numbers, loan details, and other sensitive financial records — a high-value combination that positions affected individuals for financial fraud, account takeover, and identity theft for years after the incident. The breach is the latest in a sustained wave of ransomware attacks against financial technology vendors, where a single successful intrusion can cascade into breach notifications from dozens of downstream institutions and expose hundreds of thousands of customers who had no direct relationship with the compromised vendor and no visibility into how their data was being held.
FCA Updates Cyber Incident and Third-Party Reporting Rules
The UK Financial Conduct Authority issued updated cyber incident and third-party reporting rules on March 19, giving regulated financial firms clearer guidance on what constitutes a reportable incident, what information must be included, and when it must be submitted — addressing longstanding industry feedback that organizations were uncertain about their obligations and frequently either over-reported minor operational issues or under-reported significant cyber events out of confusion rather than intent. The new rules take effect March 18, 2027, giving firms 12 months to adapt, and were partly shaped by a striking statistic: 40% of all incidents reported to the FCA in 2025 involved a third-party provider, a figure the regulator cited as evidence that third-party risk management has become inseparable from operational resilience — a theme echoed by the EU’s Digital Operational Resilience Act and the UK’s own Cyber Security and Resilience Bill currently moving through Parliament. FCA Director of Specialists and Wholesale Sell-Side Mark Francis said the update is designed to give firms clarity while simultaneously giving the regulator better data to identify sector-wide risks and share threat intelligence across the financial services industry.
FBI: Threats from Salt Typhoon Are ‘Still Very Much Ongoing’
FBI Deputy Assistant Director for Cyber Intelligence Michael Machtinger told attendees at CyberScoop’s CyberTalks conference in Washington on Thursday that Salt Typhoon — the Chinese espionage group behind the sweeping 2024 compromise of U.S. telecommunications infrastructure that affected at least nine major carriers and gave Chinese intelligence officials access to lawful intercept systems — remains an active and broad threat to both the private and public sectors with no end in sight. Machtinger highlighted that telecommunications companies which engaged early with the FBI and CISA after Salt Typhoon became public had been “without a doubt the most successful in mitigating the impact,” and drew a lesson that will likely frustrate cybersecurity vendors: despite all advances in tooling and strategy, “it is still the most basic vulnerabilities that provide entry points,” with phishing and legacy system exploitation remaining the dominant initial access vectors the FBI sees across all adversary categories. The candid acknowledgment that Salt Typhoon intrusions are ongoing — more than a year after the campaign was first publicly disclosed — underscores the depth of persistence Chinese threat actors have achieved inside critical U.S. infrastructure and the difficulty of fully evicting a sophisticated nation-state actor that has had extended undetected dwell time inside core telecommunications networks.