Cisco has disclosed an ongoing cyberattack campaign in which the Interlock ransomware group is actively exploiting a critical zero-day vulnerability in its Secure Firewall Management Center (FMC) software. The flaw enables unauthenticated remote attackers to execute arbitrary Java code with root-level privileges on affected systems. The vulnerability was officially revealed by Cisco on March 4, 2026. However, researchers from Amazon’s threat intelligence team identified that Interlock had already begun exploiting the issue as early as January 26, more than a month before public disclosure. This early access gave the attackers a significant advantage, allowing them to breach multiple organizations before security teams became aware of the threat. Amazon confirmed that neither its infrastructure nor customer environments were impacted and shared its findings with Cisco to aid the investigation.

The campaign came to light after a misconfigured server exposed a large portion of the group’s operational infrastructure. Analysis revealed that initial intrusion attempts involved specially crafted HTTP requests targeting a vulnerable application path, embedding malicious Java code. These requests included URLs that delivered configuration payloads, and successful exploitation was confirmed by HTTP PUT requests that uploaded files onto the compromised systems. To further study the attack, researchers simulated a victim environment, prompting the attackers to deploy a malicious Linux ELF binary. The exposed staging server showed a well-organized structure, with separate directories created for individual victims. This setup enabled efficient delivery of tools and streamlined exfiltration of stolen data.

Technical evidence strongly links the activity to the Interlock ransomware group, a financially motivated threat actor that first appeared in September 2024. Indicators such as the recovered ELF payload, ransom notes, and TOR-based negotiation portals align with known Interlock operations. The group is known for its double extortion tactics, often emphasizing potential regulatory consequences in ransom communications to pressure victims into paying. Timestamp analysis suggests the attackers operate within the UTC+3 time zone. Interlock has historically targeted industries where downtime can cause immediate operational and financial damage, including education, healthcare, manufacturing, construction, engineering, and government sectors.

Once inside a network, the attackers deploy a multi-layered toolkit to expand access and maintain persistence. A PowerShell-based reconnaissance script gathers extensive system and network information, including browser data and active connections. This data is organized into host-specific directories and compressed into archives, indicating preparation for large-scale encryption activities. The group also employs custom-built remote access tools written in both JavaScript and Java. The JavaScript variant uses Windows Management Instrumentation (WMI) for system profiling and maintains encrypted WebSocket communications using RC4. It supports command execution, file transfers, and proxy capabilities. A similar Java-based backdoor, leveraging GlassFish libraries, ensures redundancy in maintaining control over compromised systems.

To evade detection, attackers deploy additional techniques such as configuring Linux systems as reverse proxies using HAProxy, with automated log deletion occurring every few minutes. They also utilize a fileless Java webshell that operates in memory, executing AES-128 encrypted commands embedded in HTTP traffic. In addition to custom malware, Interlock leverages legitimate tools like ConnectWise ScreenConnect for remote access, Volatility for memory analysis, and Certify for Active Directory exploitation, blending malicious activity with trusted utilities to avoid detection.
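The automated log deletion described above has to be scheduled by something on the host, and that scheduler entry is itself a detectable artifact. The following is an added example, not code from the article, Cisco or Amazon: it scans user-crontab entries for commands that remove or truncate log files on a short interval. The crontab lines, the list of log paths and the 15-minute threshold are constructed assumptions for illustration.

```python
"""Flag crontab entries that wipe log files on a short, repeating interval.

Constructed example: the sample crontab lines, the LOG_PATHS list and the
max_interval threshold are assumptions chosen for illustration, not values
taken from any real incident.
"""
import re

# Path fragments that indicate the command touches log files (assumed list).
LOG_PATHS = ("/var/log", "haproxy.log", "access.log", "error.log")

# Commands or shell idioms that delete or truncate a file:
#   rm / truncate / shred, the ": > file" idiom, or a redirect into /var/log.
DELETE_CMDS = re.compile(r"\b(rm|truncate|shred)\b|:\s*>|>\s*/var/log")

# Constructed sample in user-crontab format (five time fields, then the command).
SAMPLE_CRONTAB = [
    "# constructed sample, user crontab format",
    "*/5 * * * * rm -f /var/log/haproxy.log /var/log/nginx/access.log",
    "0 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf",
    "*/2 * * * * : > /var/log/auth.log",
    "30 * * * * /usr/local/bin/backup.sh",
]


def minute_interval(field):
    """Approximate run interval in minutes implied by a cron minute field.

    Returns None when the field is a single fixed minute (at most hourly).
    """
    if field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", field)
    if m:
        return int(m.group(1))
    if "," in field:
        mins = sorted(int(x) for x in field.split(","))
        if len(mins) > 1:
            return min(b - a for a, b in zip(mins, mins[1:]))
    return None


def parse_cron_line(line):
    """Split a user-crontab line into its minute/hour fields and command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    minute, hour, _dom, _mon, _dow, cmd = parts
    return {"minute": minute, "hour": hour, "cmd": cmd}


def touches_logs(cmd):
    """True when the command both references a log path and deletes/truncates."""
    return any(p in cmd for p in LOG_PATHS) and DELETE_CMDS.search(cmd) is not None


def find_log_wipers(lines, max_interval=15):
    """Return entries that wipe logs at least every `max_interval` minutes."""
    findings = []
    for line in lines:
        entry = parse_cron_line(line)
        if not entry or not touches_logs(entry["cmd"]):
            continue
        interval = minute_interval(entry["minute"])
        if interval is not None and interval <= max_interval:
            findings.append({"interval_min": interval, "cmd": entry["cmd"]})
    return findings


if __name__ == "__main__":
    for f in find_log_wipers(SAMPLE_CRONTAB):
        print(f"every {f['interval_min']} min: {f['cmd']}")
```

Legitimate rotation jobs (the weekly logrotate entry in the sample) fall outside the threshold, while the two short-interval wipers are reported. On a real host the same check should also be run over /etc/crontab and /etc/cron.d (which carry an extra user field) and over systemd timers.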

Cisco has strongly urged organizations using Secure Firewall Management Center to apply the latest patches without delay. Due to the attackers’ use of highly customized payloads for each target, traditional signature-based detection methods may prove ineffective. Instead, security teams are advised to focus on behavioral indicators, unusual memory activity, and network reconnaissance patterns associated with Interlock’s advanced attack techniques.
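One concrete form of the behavioral detection recommended above is to correlate web-server access-log events for the exploit-confirmation pattern the article describes: a request to a suspected vulnerable path followed shortly by an HTTP PUT upload from the same source. This is an added example, not code from Cisco, Amazon or the article. The combined-log format, the placeholder path /app/suspect (the real vulnerable path is not published here), the sample log lines and the ten-minute correlation window are all constructed assumptions.

```python
"""Correlate access-log events: suspect-path request followed by a PUT upload.

Constructed example. SUSPECT_PATHS uses a placeholder path, the log lines are
fabricated samples, and WINDOW is an assumed correlation interval.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format, only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

SUSPECT_PATHS = ("/app/suspect",)   # placeholder; not the real vulnerable path
WINDOW = timedelta(minutes=10)       # assumed correlation window

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Jan/2026:10:00:01 +0000] "POST /app/suspect HTTP/1.1" 200 512',
    '203.0.113.10 - - [26/Jan/2026:10:00:04 +0000] "PUT /upload/payload.bin HTTP/1.1" 201 40960',
    '198.51.100.7 - - [26/Jan/2026:10:05:00 +0000] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.7 - - [26/Jan/2026:10:05:03 +0000] "PUT /uploads/a HTTP/1.1" 201 8',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["size"] = 0 if ev["size"] == "-" else int(ev["size"])
    return ev


def find_exploit_chains(lines):
    """Return one alert per PUT request seen on the management interface.

    A PUT within WINDOW of a request to a suspect path from the same source is
    reported as a likely exploit chain; any other PUT is reported as unexpected,
    since a management appliance normally receives no such uploads.
    """
    last_suspect_hit = {}   # source ip -> timestamp of last suspect-path request
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["path"].startswith(SUSPECT_PATHS):
            last_suspect_hit[ip] = ev["ts"]
        if ev["method"] == "PUT":
            hit = last_suspect_hit.get(ip)
            if hit is not None and ev["ts"] - hit <= WINDOW:
                reason = "PUT after suspect-path request"
            else:
                reason = "unexpected PUT to management interface"
            alerts.append({"ip": ip, "path": ev["path"],
                           "size": ev["size"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_exploit_chains(SAMPLE_LOG):
        print(f"{a['ip']} {a['path']} ({a['size']} bytes): {a['reason']}")
```

Because the payloads are customized per victim, the rule keys on request sequence and method rather than on content, which is the kind of behavioral indicator the advisory points to; the second, lower-confidence alert catches PUT uploads even when the initial request did not hit a path on the watch list.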
