ISSUE 12 | Your Tools Are the Attack Surface Now
Security Conscience: Enterprise Cyber Weekly
Issue #12 • Week of March 23, 2026
Security Tip of the Week 🔐

Treat Your Security Tools Like Production Assets

There's a conversation that happens in most security reviews: the tools are deployed, they're patched, they're configured. We're covered. It's a reasonable checklist. It's also becoming a liability. The assumption underneath it is that your security infrastructure works for you: that your firewalls, your enterprise platforms, and your endpoint utilities sit on your side of the equation. Attackers aren't approaching it that way. They're looking at the same tools and seeing targets, trust boundaries to exploit, and detection gaps to blend into. The question this week isn't whether your stack is deployed. It's whether the stack itself has become the attack surface you haven't scoped.

Interlock Ransomware Held a Cisco FMC Zero-Day for Five Weeks Before Disclosure
Source: https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/

TLDR
Amazon threat intelligence identified Interlock ransomware exploiting a zero-day in Cisco's Secure Firewall Management Center (FMC) 36 days before public disclosure. A misconfigured attacker staging server exposed the group's full toolkit: custom RATs written in JavaScript and Java, PowerShell reconnaissance scripts, HAProxy relays with five-minute log erasure, and legitimate tools including ConnectWise ScreenConnect and Certify.

Why It Matters to Enterprises
Your firewall management plane is now confirmed ransomware infrastructure. If your organization runs Cisco Secure Firewall Management Center, there was a five-week window in which attackers had root-level code execution before anyone knew the vulnerability existed, and no patch cycle could have closed it. Your actual defense during that window depended entirely on everything around the management layer: network segmentation, identity controls, and monitoring coverage that treated the console itself as a potential target rather than an implicitly trusted asset. Interlock demonstrated exactly what happens when that layer of scrutiny is missing.

What to Do This Week
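A worked example of the "treat the console as a target" point, added for this edition; it is illustrative code, not Cisco's, Amazon's, or anything taken from the Interlock toolkit. It audits connection records involving a firewall management console against three controls the paragraph above names: the network path administrators may use (segmentation), who may log in and whether they used MFA (identity), and whether the console itself ever initiates a connection to somewhere it has no business reaching (monitoring that treats the console as a possible victim). The console address, jump network, account names and every log line are constructed; the record format is an assumption made for the example.

```python
"""Management-plane access audit for a firewall console such as Cisco FMC.

Illustrative code written for this newsletter, not Cisco's or Amazon's.
Every address, account and log line is constructed. Input: one connection
record per line, whitespace separated:

    <iso_ts> <src_ip> <dst_ip> <dst_port> <account_or_-> <mfa:yes|no|->

Inbound records are administrator sessions to the console; outbound records
(source == console) carry "-" for account and MFA.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed environment: the console's management address, the only network an
# administrator may reach it from, the accounts permitted on it, and the internal
# hosts (update/NTP) it is allowed to initiate connections to.
CONSOLE_IPS = {ipaddress.ip_address("10.20.0.10")}
ADMIN_JUMP_NET = ipaddress.ip_network("10.250.1.0/24")
CONSOLE_ADMINS = {"fw-admin-a", "fw-admin-b"}
APPROVED_EGRESS = {ipaddress.ip_address("10.20.0.5")}


@dataclass(frozen=True)
class Record:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    account: str
    mfa: str


def parse_record(line: str) -> Record:
    ts, src, dst, port, account, mfa = line.split()
    return Record(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  int(port), account, mfa)


def assess(rec: Record) -> list[str]:
    """Reasons a record deserves an analyst's attention; an empty list means clean."""
    reasons: list[str] = []
    if rec.dst in CONSOLE_IPS:
        # Inbound administrative session: enforce path, identity and MFA together.
        if rec.src not in ADMIN_JUMP_NET:
            reasons.append(f"console reached from {rec.src}, outside the admin jump network")
        if rec.account not in CONSOLE_ADMINS:
            reasons.append(f"account {rec.account!r} is not authorised on the console")
        if rec.mfa != "yes":
            reasons.append("session without MFA")
    elif rec.src in CONSOLE_IPS and rec.dst not in APPROVED_EGRESS:
        # The console opening a connection somewhere unexpected is what a RAT or
        # relay running on the management plane looks like from the network.
        reasons.append(f"console initiated outbound connection to {rec.dst}:{rec.port}")
    return reasons


def audit(lines) -> list[tuple[Record, list[str]]]:
    findings = []
    for line in lines:
        rec = parse_record(line)
        reasons = assess(rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


# Constructed records: two legitimate, three that should surface.
SAMPLE_RECORDS = [
    "2026-03-19T08:02:11Z 10.250.1.15 10.20.0.10 443 fw-admin-a yes",   # clean admin session
    "2026-03-19T08:40:57Z 10.30.7.22 10.20.0.10 443 fw-admin-b yes",    # right account, wrong path
    "2026-03-19T09:15:03Z 10.250.1.15 10.20.0.10 22 svc-reporting no",  # unauthorised account, no MFA
    "2026-03-19T09:20:00Z 10.20.0.10 10.20.0.5 123 - -",                # approved egress (NTP)
    "2026-03-19T09:21:44Z 10.20.0.10 203.0.113.45 443 - -",             # console calling out
]

if __name__ == "__main__":
    for rec, reasons in audit(SAMPLE_RECORDS):
        print(rec.ts, rec.src, "->", rec.dst, "|", "; ".join(reasons))
```

The outbound rule is the one most programs lack: management consoles are usually monitored for who logs in, rarely for what they themselves connect to, and a zero-day on the console turns the second question into the only one that still works during the window before a patch exists.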
Ransomware Groups Are Exfiltrating Data Using Your Approved Enterprise Tools
Source: https://blog.talosintelligence.com/everyday-tools-extraordinary-crimes-the-ransomware-exfiltration-playbook/

What Happened
Cisco Talos published its Exfiltration Framework, a systematic analysis of how ransomware operators use legitimate enterprise utilities to move stolen data out of networks. The framework covers built-in OS tools such as PowerShell and robocopy, commonly deployed third-party tools such as rclone and MOVEit, and cloud CLIs including the AWS CLI and AzCopy. The core finding: modern data exfiltration increasingly relies on tools your security controls explicitly allow, so detection requires behavioral correlation across endpoint, network, and cloud telemetry rather than tool-based blocking.

Why It Matters
Your allow list is your attacker's asset inventory. When rclone handles backup operations and AzCopy moves data between cloud tenants, blocking either on sight is operationally impractical, and attackers have adjusted their tooling to exploit exactly that constraint. The result is exfiltration that is indistinguishable from authorized operations at the network level, which means detection has to shift from "what tool is running" to "what is this tool doing, at what volume, and toward what destination." That is a materially harder detection posture to sustain, and most enterprises haven't built the behavioral baselines it requires: normal transfer volumes per host and tool, approved destinations per tool, and the schedules on which those transfers are expected.

CISA Confirms Active Exploitation of Critical SharePoint Remote Code Execution Flaw
Source: https://www.securityweek.com/cisa-warns-of-attacks-exploiting-recent-sharepoint-vulnerability/

What Happened
CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalog on March 18, confirming active attacks against a SharePoint remote code execution vulnerability Microsoft patched in January.
The flaw carries a CVSS score of 9.8 and allows an unauthenticated attacker to execute arbitrary code remotely on SharePoint Server 2016, 2019, and Subscription Edition. Federal agencies were given until March 21 to remediate; Microsoft confirmed the January patch resolves the issue but has not shared details about the attacks.

Why It Matters
SharePoint is embedded deep in enterprise collaboration workflows, which makes it an attractive target and a quietly deprioritized patching candidate at the same time. A CVSS 9.8 unauthenticated RCE that is already being exploited in the wild is exactly the scenario that gets deferred behind change management processes, testing windows, and next-cycle decisions. The gap between a patch being available and an organization actually applying it is where most ransomware groups operate. If your SharePoint deployment isn't confirmed patched to the January update cycle, treat it as potentially compromised until that changes; and remember that applying the patch closes the door without evicting anyone who already walked through it, so a late patch should be paired with a look for web shells and unexpected accounts on the affected servers.

Quick Hits

Gartner: Half of Enterprise Incident Response Will Involve AI Apps by 2028
Gartner's prediction isn't just a staffing problem. Most enterprises don't have IR playbooks designed for AI system failures, prompt injection, or model data poisoning, and they lack the telemetry to detect any of it when it happens.
https://www.gartner.com/en/newsroom/press-releases/2026-03-17-gartner-predicts-ai-applications-will-drive-50-percent-of-cybersecurity-incident-response-efforts-by-2028

Google's 2025 Ransomware Report: Record Victims, Declining Profits, Shifting Targets
Record data leak site posts in 2025, but ransom payment rates hit historic lows, so groups are shifting to smaller organizations with less mature security programs; 77% of intrusions now include data theft regardless of whether ransomware actually deploys.
https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape

FBI and CISA Warn Russian Intelligence Is Compromising Messaging App Accounts
The attack doesn't bypass Signal's encryption; it bypasses your users, by posing as Signal support staff to steal account access codes. Government officials and military personnel are the primary targets, but the technique works on anyone who believes the support request is real.
https://cyberscoop.com/fbi-cisa-issue-psa-on-russian-intelligence-campaign-to-target-messaging-apps/

Wrapping it up

This week's stories share a structural pattern worth naming: the attack surface has shifted into the trusted layer itself. Not through unmanaged endpoints or weak perimeters, but into the consoles, platforms, and utilities your organization explicitly authorized. The threat isn't a gap in your controls. It's the controls themselves becoming the terrain attackers operate on.

The governance implication is uncomfortable. Most security programs assume the tooling layer is safe and that risk lives in user behavior or the connections between systems. That assumption made sense when attackers focused on misconfigured perimeters. It holds up less well when the tools your program depends on carry the same vulnerability classes as everything else in your environment. The question isn't whether your stack is deployed. It's whether you've subjected it to the same scrutiny you apply to everything it protects.

The hardest part of this shift isn't technical. It's organizational. Security teams have spent years telling other departments to patch their software and trust the security tools. Turning that lens inward creates a genuinely uncomfortable loop. But that discomfort is the right signal. The blind spots attackers are looking for live exactly where your organization stopped asking questions.

📬 Worth Sharing?
If this week's edition made you think differently about something, consider forwarding it to a colleague who'd appreciate a no-hype take on enterprise security. We're building this one reader at a time.
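Returning to the Talos exfiltration item above: this is an added worked example for this edition, not Talos' framework and not a detection shipped by any product. It shows what "what is this tool doing, at what volume, toward what destination" looks like as code. A learning window of past transfers gives a per-host, per-tool median; each new transfer by an exfiltration-capable tool is then checked against an approved tool-to-destination allow list and against that baseline, so an approved tool going to an approved destination still surfaces when it moves an order of magnitude more data than it normally does. The tool names are the categories Talos discusses; every host, destination, account, threshold and log line is constructed, and the record format is an assumption made for the example.

```python
"""Behavioural triage of exfiltration-capable tools over host and flow telemetry.

Illustrative code written for this newsletter; it is not Talos' framework.
Every host, destination, account and log line is constructed. Input: one
transfer record per line, whitespace separated:

    <iso_ts> <host> <account> <process> <destination> <bytes_out>
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Legitimate utilities the Talos framework describes being used for exfiltration.
EXFIL_CAPABLE = {"rclone.exe", "azcopy.exe", "robocopy.exe", "powershell.exe", "aws.exe"}

# Constructed allow list: destination -> tools approved to send data there.
APPROVED_PAIRS = {
    "backup.corp.example": {"rclone.exe", "robocopy.exe"},
    "corpstorage.blob.core.windows.net": {"azcopy.exe"},
}


@dataclass(frozen=True)
class Transfer:
    ts: str
    host: str
    account: str
    process: str
    dest: str
    bytes_out: int


def parse_transfer(line: str) -> Transfer:
    ts, host, account, process, dest, nbytes = line.split()
    return Transfer(ts, host, account, process.lower(), dest.lower(), int(nbytes))


def build_baseline(history: list[Transfer]) -> dict[tuple[str, str], float]:
    """Median bytes per run for each (host, process) seen in the learning window."""
    buckets: dict[tuple[str, str], list[int]] = defaultdict(list)
    for t in history:
        buckets[(t.host, t.process)].append(t.bytes_out)
    return {key: statistics.median(vals) for key, vals in buckets.items()}


def assess(t: Transfer, baseline: dict[tuple[str, str], float], ratio: float = 5.0) -> list[str]:
    """Reasons this transfer deserves attention; an empty list means it fits the baseline."""
    if t.process not in EXFIL_CAPABLE:
        return []
    reasons: list[str] = []
    # Destination: is this tool approved to talk to this endpoint at all?
    if t.process not in APPROVED_PAIRS.get(t.dest, set()):
        reasons.append(f"{t.process} -> {t.dest} is not an approved tool/destination pair")
    # Volume: compare with what this tool normally moves from this host.
    median = baseline.get((t.host, t.process))
    if median is None:
        reasons.append(f"no historical baseline for {t.process} on {t.host}")
    elif t.bytes_out > ratio * median:
        reasons.append(f"volume is {t.bytes_out / median:.1f}x the median for {t.process} on {t.host}")
    return reasons


def detect(history_lines, current_lines, ratio: float = 5.0) -> list[tuple[Transfer, list[str]]]:
    baseline = build_baseline([parse_transfer(line) for line in history_lines])
    alerts = []
    for line in current_lines:
        t = parse_transfer(line)
        reasons = assess(t, baseline, ratio)
        if reasons:
            alerts.append((t, reasons))
    return alerts


# Constructed learning window: two weeks of the nightly rclone backup from FS01,
# 2.71 to 2.84 GB per run, so the median is 2,775,000,000 bytes.
HISTORY = [
    f"2026-03-{day:02d}T01:00:00Z FS01 svc_backup rclone.exe backup.corp.example "
    f"{2_700_000_000 + day * 10_000_000}"
    for day in range(1, 15)
]

# Constructed events for the night under review.
CURRENT = [
    "2026-03-19T01:00:00Z FS01 svc_backup rclone.exe backup.corp.example 2800000000",              # normal backup
    "2026-03-19T02:14:00Z FS01 svc_backup rclone.exe backup.corp.example 31000000000",             # approved pair, 11x volume
    "2026-03-19T02:20:00Z FS01 jsmith azcopy.exe stash-tenant.blob.core.windows.net 40000000000",  # unapproved tenant, no baseline
    "2026-03-19T09:30:00Z WS117 jsmith chrome.exe mail.corp.example 20000000",                     # not an exfil-capable tool
]

if __name__ == "__main__":
    for t, reasons in detect(HISTORY, CURRENT):
        print(t.ts, t.host, t.process, "->", t.dest, "|", "; ".join(reasons))
```

The second constructed event is the one tool-based blocking can never catch: the approved backup tool, the approved destination, the service account that always runs it, and eleven times the usual payload. Whether the ratio should be 5x, whether the baseline should be per-weekday, and whether an unapproved cloud tenant should block rather than alert are tuning decisions the example leaves to the reader; the point is that all three signals need endpoint, network and cloud telemetry joined on host and process, which is the correlation the Talos write-up says most programs have not built.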
