<p><strong>Threat Assessment Level: HIGH</strong></p>
<p><em>(Raised from ELEVATED — previous assessment issued 23 March 2026)</em></p>
<p>The threat environment facing U.S. state and local government has materially worsened over the past 72 hours. Three developments — any one of which would warrant urgent attention on its own — have converged simultaneously:</p>
<ol>
<li>A sophisticated Iranian-origin iOS exploit kit is now <strong>freely available on GitHub</strong>, putting every unpatched state-managed iPhone and iPad at risk of full device takeover.</li>
<li>A single threat actor has compromised <strong>five categories of developer tools</strong> in under a week, deploying a self-spreading worm with the ability to wipe Kubernetes clusters.</li>
<li>A California city remains <strong>paralyzed on Day 5 of a ransomware attack</strong> that forced a declared state of emergency — a preview of what any state agency could face this quarter.</li>
</ol>
<p>This is not a theoretical risk briefing. These are active, confirmed campaigns with direct implications for state government IT systems, and several require action within days, not weeks.</p>
<h2><strong>What Changed</strong></h2>
<table>
<thead>
<tr>
<th>
<p><strong>Date</strong></p>
</th>
<th>
<p><strong>Event</strong></p>
</th>
<th>
<p><strong>Why It Matters for State Government</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>11 Mar</strong></p>
</td>
<td>
<p>Handala (MOIS-linked) destroys ~12 petabytes of Stryker data using wiper malware</p>
</td>
<td>
<p>Demonstrated destructive capability against U.S.-linked targets</p>
</td>
</tr>
<tr>
<td>
<p><strong>19 Mar</strong></p>
</td>
<td>
<p>TeamPCP compromises Trivy GitHub Actions security scanner</p>
</td>
<td>
<p>Initial supply chain breach affecting CI/CD pipelines</p>
</td>
</tr>
<tr>
<td>
<p><strong>20 Mar</strong></p>
</td>
<td>
<p>FBI/CISA Joint PSA-260320: Russian intelligence compromising Signal/WhatsApp accounts of government officials</p>
</td>
<td>
<p>Direct threat to state officials using encrypted messaging apps</p>
</td>
</tr>
<tr>
<td>
<p><strong>22 Mar</strong></p>
</td>
<td>
<p>Foster City, CA declares state of emergency after ransomware paralyzes city operations</p>
</td>
<td>
<p>Municipal government ransomware impact escalating; no group has claimed responsibility as of 24 Mar</p>
</td>
</tr>
<tr>
<td>
<p><strong>23 Mar</strong></p>
</td>
<td>
<p>DarkSword iOS full-chain exploit kit leaked publicly on GitHub</p>
</td>
<td>
<p>Iranian state tool now available to any threat actor; targets iOS 18.4–18.7.2</p>
</td>
</tr>
<tr>
<td>
<p><strong>23 Mar</strong></p>
</td>
<td>
<p>Tycoon 2FA phishing platform confirmed fully operational post-takedown</p>
</td>
<td>
<p>30M+ monthly phishing emails bypassing legacy MFA; platform reconstituted in 19 days</p>
</td>
</tr>
<tr>
<td>
<p><strong>23 Mar</strong></p>
</td>
<td>
<p>FBI FLASH formally attributes Handala to Iran's MOIS; warns of Telegram-based malware delivery</p>
</td>
<td>
<p>Nation-state actor using consumer messaging app for malware distribution</p>
</td>
</tr>
<tr>
<td>
<p><strong>24 Mar</strong></p>
</td>
<td>
<p>TeamPCP compromises Checkmarx security tools, LiteLLM AI library, 66+ npm packages; deploys self-spreading Kubernetes worm</p>
</td>
<td>
<p>Cascading supply chain attack now affecting security scanners, AI libraries, package registries, and Docker images</p>
</td>
</tr>
<tr>
<td>
<p><strong>24 Mar</strong></p>
</td>
<td>
<p>Tax-season malvertising campaign uses Google Ads to deliver trojanized ConnectWise ScreenConnect with EDR bypass</p>
</td>
<td>
<p>State employees searching for W-2/W-9 forms targeted; Huawei driver exploit disables endpoint protection</p>
</td>
</tr>
<tr>
<td>
<p><strong>24 Mar</strong></p>
</td>
<td>
<p>CISA issues 21-day compliance directive for three DarkSword-related iOS vulnerabilities</p>
</td>
<td>
<p>Federal mandate; state agencies should treat with equal urgency</p>
</td>
</tr>
<tr>
<td>
<p><strong>6 Mar onward</strong></p>
</td>
<td>
<p>MuddyWater (MOIS-affiliated) goes operationally silent; no new Dindoor backdoor activity observed through 24 Mar</p>
</td>
<td>
<p>18-day silence during heightened Iran-U.S. tensions may signal retooling; treat as precursor to new campaign</p>
</td>
</tr>
<tr>
<td>
<p><strong>Ongoing</strong></p>
</td>
<td>
<p>CISA workforce reductions and program cuts reduce federal cybersecurity support to states</p>
</td>
<td>
<p>Growing capability gap for vulnerability scanning, incident response, and threat intelligence sharing ahead of 2026 midterm cycle</p>
</td>
</tr>
<tr>
<td>
<p><strong>Ongoing</strong></p>
</td>
<td>
<p>Lazarus Group-linked Medusa ransomware continues targeting U.S. healthcare organizations</p>
</td>
<td>
<p>State health agencies and Medicaid systems face compounded criminal and nation-state ransomware risk</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Threat Analysis</strong></h2>
<h3><strong>1. DarkSword iOS Exploit Kit — From Nation-State Tool to Public Weapon</strong></h3>
<p><strong>What happened:</strong> The DarkSword iOS exploit kit, originally developed and used by Iranian actors tracked as UNC6353, UNC6748, and PARS Defense, was publicly leaked on GitHub on March 23–24. The exploit chains six vulnerabilities (three zero-days) to achieve full device takeover on iOS versions 18.4 through 18.7.2, including complete data exfiltration. At least one developer has publicly claimed to have adapted the code for the latest iOS version. CISA responded with a 21-day patching directive for federal agencies.</p>
<p><strong>Why this matters for state government:</strong> State agencies issue thousands of iPhones and iPads to employees across executive agencies, law enforcement, judiciary, and field operations. These devices access email, VPN, sensitive case management systems, and citizen data. A full device compromise means an attacker can silently exfiltrate everything on the device and use it as a pivot point into state networks.</p>
<p><strong>The critical shift:</strong> This was previously a threat from a specific Iranian intelligence unit. Now that the source code is public, <strong>any</strong> threat actor — ransomware operators, hacktivists, criminal groups — can weaponize it. The window between "sophisticated nation-state tool" and "commodity exploit" has collapsed to days.</p>
<p><strong>Relevant ATT&CK Techniques:</strong> T1190 (Exploit Public-Facing Application), T1203 (Exploitation for Client Execution), T1005 (Data from Local System), T1041 (Exfiltration Over C2 Channel)</p>
<h3><strong>2. TeamPCP Supply Chain Cascade — Five Attack Vectors in Five Days</strong></h3>
<p><strong>What happened:</strong> The threat actor TeamPCP, responsible for the March 19 compromise of the Trivy security scanner's GitHub Actions, has dramatically expanded operations:</p>
<ul>
<li><strong>Trivy</strong> (security scanner) — compromised GitHub Actions and Docker images; 76 of 77 version tags in aquasecurity/trivy-action were poisoned</li>
<li><strong>Checkmarx KICS and AST</strong> (security scanning tools) — compromised via stolen CI credentials on March 24</li>
<li><strong>LiteLLM</strong> (AI/LLM library) — versions 1.82.7 and 1.82.8 backdoored with credential-stealing malware and Kubernetes persistence on March 24</li>
<li><strong>npm packages</strong> — 66+ packages compromised with a self-spreading worm dubbed "CanisterWorm"</li>
<li><strong>Docker images</strong> — malicious images pushed to registries via compromised Aqua Security GitHub organization</li>
</ul>
<p>The CanisterWorm component is particularly alarming: it is a <strong>self-propagating worm with Kubernetes wiper capabilities</strong>, meaning it can spread autonomously across container infrastructure and destroy workloads.</p>
<p><strong>Why this matters for state government:</strong> State agencies increasingly use CI/CD pipelines, containerized applications, and cloud-native infrastructure. If any state DevOps team uses Trivy for vulnerability scanning, Checkmarx for code analysis, LiteLLM for AI integration, or pulls from affected npm packages, <strong>CI/CD secrets and credentials may already be exposed</strong>. The wiper capability means this isn't just espionage — it's potentially destructive.</p>
<p><strong>Relevant ATT&CK Techniques:</strong> T1195.002 (Supply Chain Compromise), T1552.001 (Unsecured Credentials: Credentials in Files), T1525 (Implant Internal Image), T1485 (Data Destruction)</p>
<h3><strong>3. Municipal Ransomware: Foster City State of Emergency — Day 5</strong></h3>
<p>Foster City, California remains paralyzed by a ransomware attack that began around March 19–20, with city operations still disrupted as of March 24. The city declared a formal state of emergency on March 22. No ransomware group has publicly claimed responsibility, which may indicate active ransom negotiations or ongoing data exfiltration.</p>
<p>This incident is occurring against a backdrop of surging ransomware activity targeting government: <strong>Qilin</strong> ransomware has claimed 55+ victims in early 2026, and <strong>Akira</strong> and <strong>Interlock</strong> continue to actively target public sector organizations. Interlock has been exploiting <strong>CVE-2026-20131</strong> (Cisco Secure Firewall Management Center, CVSS 10.0) since January.</p>
<p>The tax-season malvertising campaign discovered March 24 adds another vector: state employees searching Google for W-2 or W-9 tax forms are being redirected to sites that install <strong>trojanized ConnectWise ScreenConnect</strong> — a legitimate remote access tool widely used by state IT managed service providers. The attack chain then uses a <strong>Huawei driver vulnerability to disable endpoint detection and response (EDR)</strong> tools before stealing credentials. This Bring Your Own Vulnerable Driver (BYOVD) technique was previously seen only in sophisticated targeted attacks; its appearance in commodity malvertising signals a dangerous democratization of EDR bypass capabilities.</p>
<p><strong>Relevant ATT&CK Techniques:</strong> T1583.008 (Malvertising), T1219 (Remote Access Software), T1562.001 (Impair Defenses: Disable or Modify Tools), T1003 (OS Credential Dumping)</p>
<h3><strong>4. Nation-State Activity: Iran, Russia, and Notable Silences</strong></h3>
<p><strong>Iran — Handala / Void Manticore (MOIS):</strong> The FBI released a FLASH alert on March 23–24 formally attributing the Handala hacker group to Iran's Ministry of Intelligence and Security (MOIS). The alert warns that Handala is <strong>using Telegram to deliver malware</strong> targeting journalists, dissidents, and opposition groups. This follows the FBI's March 19 seizure of Handala's data leak sites after the group's March 11 wiper attack that destroyed approximately 80,000 devices. Handala responded defiantly on Telegram, vowing continued operations. State government employees who interact with journalists, advocacy groups, or international contacts should be aware of this vector.</p>
<p><strong>Iran — MuddyWater (MOIS):</strong> Notably, MuddyWater (MOIS-affiliated) has gone quiet since March 6, with no new reporting on its Dindoor backdoor operations. This 18-day silence during a period of heightened Iran-U.S. tensions is analytically significant — it may indicate a shift to new tooling following exposure of the Dindoor infrastructure.</p>
<p><strong>Russia — Signal/WhatsApp Targeting:</strong> The FBI/CISA Joint PSA-260320 (March 20) warning that Russian intelligence services have compromised thousands of government officials' Signal and WhatsApp accounts remains an active concern. State officials using these platforms for any government-related communications should assume they are targets.</p>
<p><strong>China — Volt Typhoon:</strong> There has been no new public reporting on Volt Typhoon activity this cycle. Given Volt Typhoon's documented strategy of pre-positioning in U.S. critical infrastructure using living-off-the-land techniques, this silence should not be interpreted as safety. It may reflect improved operational security by the actor. State agencies that interface with water, transportation, or energy infrastructure should maintain heightened monitoring for anomalous use of legitimate administrative tools.</p>
<p><strong>North Korea — Lazarus Group:</strong> Lazarus Group remains linked to Medusa ransomware operations targeting U.S. healthcare, with potential spillover risk to state health and human services agencies.</p>
<p><strong>Relevant ATT&amp;CK Techniques:</strong> T1566.003 (Spearphishing via Service — Telegram), T1561.002 (Disk Wipe: Disk Structure Wipe), T1557 (Adversary-in-the-Middle — Tycoon 2FA), T1078.004 (Valid Accounts: Cloud Accounts)</p>
<h3><strong>5. Tycoon 2FA: The Takedown That Didn't Stick</strong></h3>
<p>The Tycoon 2FA phishing-as-a-service platform is <strong>fully operational</strong> just 19 days after the March 4–5 coordinated takedown by Europol, Microsoft, Trend Micro, and Cloudflare. At its peak, Tycoon 2FA accounted for 62% of phishing attempts blocked by Microsoft and generated over <strong>30 million malicious emails per month</strong>. The platform uses adversary-in-the-middle (AiTM) techniques to intercept session tokens in real time, completely bypassing standard multi-factor authentication (SMS codes, authenticator app push notifications, TOTP codes).</p>
<p><strong>The implication is stark:</strong> If your state's Microsoft 365 environment relies on anything other than phishing-resistant MFA (FIDO2 security keys or passkeys), Tycoon 2FA can compromise your accounts despite MFA being enabled. This is not a hypothetical — it is the dominant phishing platform operating today.</p>
<h3><strong>6. CISA Structural Changes and the State Government Gap</strong></h3>
<p>Reporting from the New York Times and other outlets continues to document workforce reductions and program cuts at CISA. For state governments that have relied on CISA for vulnerability scanning services, election security support, incident response assistance, and threat intelligence sharing, these changes create a growing capability gap. With the 2026 midterm election cycle approaching, state CISOs should assess which CISA services they currently depend on and begin developing contingency plans — whether through increased internal capacity, interstate compacts, or commercial partnerships.</p>
<h2><strong>Predictive Analysis: What to Expect in the Next 7–14 Days</strong></h2>
<table>
<thead>
<tr>
<th>
<p><strong>Scenario</strong></p>
</th>
<th>
<p><strong>Probability</strong></p>
</th>
<th>
<p><strong>Basis</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>TeamPCP compromises additional CI/CD tools and package registries</p>
</td>
<td>
<p><strong>HIGH (>75%)</strong></p>
</td>
<td>
<p>Attack pattern is systematic and accelerating; actor has demonstrated ability to pivot across tool categories</p>
</td>
</tr>
<tr>
<td>
<p>DarkSword iOS exploit weaponized by actors beyond original Iranian operators</p>
</td>
<td>
<p><strong>HIGH (>75%)</strong></p>
</td>
<td>
<p>Source code is public on GitHub; adaptation already claimed by at least one developer</p>
</td>
</tr>
<tr>
<td>
<p>Foster City ransomware attack claimed by a known group (likely Qilin or Akira)</p>
</td>
<td>
<p><strong>MODERATE (50–75%)</strong></p>
</td>
<td>
<p>Delayed claims often indicate negotiation; targeting pattern consistent with these groups</p>
</td>
</tr>
<tr>
<td>
<p>Tycoon 2FA launches new AiTM phishing wave targeting government M365 tenants</p>
</td>
<td>
<p><strong>MODERATE (50–75%)</strong></p>
</td>
<td>
<p>Platform fully reconstituted; government is a high-value target for credential theft</p>
</td>
</tr>
<tr>
<td>
<p>Handala/Void Manticore attempts another destructive operation against a U.S. target</p>
</td>
<td>
<p><strong>LOW-MODERATE (25–50%)</strong></p>
</td>
<td>
<p>Defiant posture post-FBI seizure; MOIS attribution may embolden or constrain</p>
</td>
</tr>
<tr>
<td>
<p>Volt Typhoon activity surfaces in state critical infrastructure networks</p>
</td>
<td>
<p><strong>LOW-MODERATE (25–50%)</strong></p>
</td>
<td>
<p>Prolonged silence from a known pre-positioning actor; absence is not evidence of absence</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Priority Detection Rules</strong></h3>
<table>
<thead>
<tr>
<th>
<p><strong>Detection Target</strong></p>
</th>
<th>
<p><strong>ATT&CK ID</strong></p>
</th>
<th>
<p><strong>What to Look For</strong></p>
</th>
<th>
<p><strong>Action</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Trojanized ScreenConnect installations</p>
</td>
<td>
<p>T1219</p>
</td>
<td>
<p>ScreenConnect binaries not originating from official ConnectWise distribution; ScreenConnect installed via browser download from ad-redirect chains</p>
</td>
<td>
<p>Alert + isolate endpoint</p>
</td>
</tr>
<tr>
<td>
<p>Huawei driver loading (BYOVD)</p>
</td>
<td>
<p>T1562.001</p>
</td>
<td>
<p>Any loading of Huawei-signed drivers, especially HwOs2Ec10x64.sys or similar; EDR service stops coinciding with driver load events</p>
</td>
<td>
<p>Alert + investigate + block driver hash</p>
</td>
</tr>
<tr>
<td>
<p>Telegram file transfers</p>
</td>
<td>
<p>T1566.003</p>
</td>
<td>
<p>Telegram Desktop or Web file download events on government endpoints; .exe, .scr, .lnk files received via Telegram</p>
</td>
<td>
<p>Alert + block unauthorized Telegram use</p>
</td>
</tr>
<tr>
<td>
<p>AiTM session token theft</p>
</td>
<td>
<p>T1539, T1557</p>
</td>
<td>
<p>M365 sign-ins from anomalous locations immediately following legitimate sign-ins; impossible travel alerts; new inbox rules created post-authentication</p>
</td>
<td>
<p>Investigate + revoke sessions</p>
</td>
</tr>
<tr>
<td>
<p>GitHub Actions tampering</p>
</td>
<td>
<p>T1195.002</p>
</td>
<td>
<p>Changes to .github/workflows/ files referencing aquasecurity/trivy-action, checkmarx/kics-github-action, checkmarx/ast-github-action; Actions not pinned to commit SHAs</p>
</td>
<td>
<p>Alert + audit pipeline</p>
</td>
</tr>
<tr>
<td>
<p>Kubernetes anomalies</p>
</td>
<td>
<p>T1525, T1485</p>
</td>
<td>
<p>Unauthorized pod creation; unexpected container images; mass pod deletion events; anomalous API server calls</p>
</td>
<td>
<p>Alert + investigate + isolate namespace</p>
</td>
</tr>
<tr>
<td>
<p>iOS exploitation indicators</p>
</td>
<td>
<p>T1203</p>
</td>
<td>
<p>Unexpected Safari/WebKit crashes followed by new profiles or certificates installed; unusual data upload volumes from mobile devices</p>
</td>
<td>
<p>Investigate + wipe if confirmed</p>
</td>
</tr>
</tbody>
</table>
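<p>The "Kubernetes anomalies" row above (T1525, T1485) lists unexpected container images and mass pod deletion as the things to look for. The script below is an added example, not part of this briefing or of any vendor tooling: it reads kube-apiserver audit events in their standard JSON shape (<code>verb</code>, <code>user.username</code>, <code>objectRef</code>, <code>requestReceivedTimestamp</code>, and <code>requestObject</code> when the audit policy level is <code>RequestResponse</code>), flags pod creations whose image does not come from an allow-listed registry, and flags any identity that deletes five or more pods in one namespace within five minutes. The registry name, thresholds and the sample events are all constructed for the example and should be replaced with your own.</p>

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (constructed): the only registry state workloads should be pulled from.
ALLOWED_REGISTRIES = ("registry.state.example/",)
# Constructed tuning: this many pod deletions by one identity inside the window is a burst
DELETE_THRESHOLD = 5
DELETE_WINDOW = timedelta(minutes=5)


def parse_audit_lines(lines):
    """Parse newline-delimited JSON audit events as written by kube-apiserver."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_k8s_anomalies(events):
    """Return alerts for unexpected container images and bursts of pod deletion."""
    alerts = []
    deletes = defaultdict(list)          # (identity, namespace) -> deletion timestamps
    for e in events:
        verb = e.get("verb")
        resource = e.get("objectRef", {}).get("resource")
        namespace = e.get("objectRef", {}).get("namespace")
        user = e.get("user", {}).get("username", "<unknown>")
        ts = datetime.fromisoformat(e["requestReceivedTimestamp"].replace("Z", "+00:00"))
        if resource != "pods":
            continue
        if verb == "create":
            # requestObject is only recorded at audit level RequestResponse
            spec = e.get("requestObject", {}).get("spec", {})
            for c in spec.get("containers", []):
                image = c.get("image", "")
                if not image.startswith(ALLOWED_REGISTRIES):
                    alerts.append({"type": "unexpected_image", "user": user,
                                   "namespace": namespace, "image": image})
        elif verb in ("delete", "deletecollection"):
            deletes[(user, namespace)].append(ts)
    for (user, namespace), stamps in deletes.items():
        stamps.sort()
        # sliding window: count deletions within DELETE_WINDOW of each starting point
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= DELETE_WINDOW)
            if count >= DELETE_THRESHOLD:
                alerts.append({"type": "mass_pod_deletion", "user": user,
                               "namespace": namespace, "count": count})
                break
    return alerts


def _event(ts, user, verb, namespace, image=None):
    """Build a minimal audit event in the kube-apiserver JSON shape (constructed sample)."""
    e = {"verb": verb, "user": {"username": user},
         "objectRef": {"resource": "pods", "namespace": namespace},
         "requestReceivedTimestamp": ts}
    if image:
        e["requestObject"] = {"spec": {"containers": [{"image": image}]}}
    return e


# Constructed sample: one rogue image, one normal deploy, a six-pod wipe by a CI
# service account within two minutes, and two routine deletions by an admin.
SAMPLE_AUDIT_LINES = [json.dumps(_event(*args)) for args in [
    ("2026-03-24T10:00:00Z", "system:serviceaccount:default:ci-runner", "create", "default",
     "docker.io/unknown/miner:latest"),
    ("2026-03-24T10:00:05Z", "deployer", "create", "apps", "registry.state.example/dmv-web:1.4"),
    ("2026-03-24T10:01:00Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T10:01:20Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T10:01:40Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T10:02:00Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T10:02:20Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T10:02:40Z", "system:serviceaccount:default:ci-runner", "delete", "apps"),
    ("2026-03-24T11:00:00Z", "admin", "delete", "apps"),
    ("2026-03-24T11:30:00Z", "admin", "delete", "apps"),
]]

if __name__ == "__main__":
    for alert in detect_k8s_anomalies(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(alert)
```

<p>On the constructed sample this yields two alerts: the <code>docker.io/unknown/miner:latest</code> image and the six-pod deletion burst by the CI service account; the admin's two deletions an hour apart stay below the threshold. Keying the burst counter on both identity and namespace is deliberate: a worm running under a single compromised service account shows up as one identity deleting across a namespace, whereas a legitimate rollout deletes pods through the replica-set controller, which you can exclude by identity.</p>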
<h3><strong>Hunting Hypotheses</strong></h3>
<ol>
<li><strong>Hypothesis: State CI/CD pipelines may already contain TeamPCP-compromised dependencies.</strong> Hunt for: any reference to Trivy Action, Checkmarx KICS/AST Actions, LiteLLM versions 1.82.7–1.82.8 in build configurations. Check npm lock files for unexpected package additions in the last 7 days.</li>
<li><strong>Hypothesis: Tycoon 2FA has already compromised state M365 accounts.</strong> Hunt for: M365 sign-in logs showing successful authentication from residential proxy IPs or VPN exit nodes not associated with state infrastructure, particularly where the authentication was preceded by a legitimate sign-in within minutes. Look for new inbox forwarding rules or OAuth app consents created in the last 30 days.</li>
<li><strong>Hypothesis: Tax-season malvertising has reached state employee endpoints.</strong> Hunt for: DNS queries or web proxy logs showing visits to domains mimicking IRS, TurboTax, FreeTaxUSA, or TaxAct during work hours. Look for ScreenConnect installations not deployed by the state IT help desk.</li>
<li><strong>Hypothesis: Russian intelligence has compromised state officials' Signal or WhatsApp accounts.</strong> Hunt for: reports from officials of unexpected Signal/WhatsApp "linked device" notifications. Coordinate with executive protection teams to audit linked devices on senior leadership accounts.</li>
</ol>
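<p>Hypothesis 2 above, and the "AiTM session token theft" row of the detection table, describe the same pattern: a successful sign-in from an address the state does not own, minutes after a legitimate one for the same user, often followed by a new inbox rule. The code below is an added example and is not part of this briefing or of any Microsoft product; it runs that logic over a constructed set of sign-in and inbox-rule events rather than live Entra ID or unified audit log output. The trusted address ranges, the ten-minute and sixty-minute windows, and every event are constructed for the example; in practice the event fields map onto the user principal name, client IP address, location and result of an M365 sign-in record.</p>

```python
from datetime import datetime, timedelta
import ipaddress

# Assumption (constructed): address ranges the state actually owns (VPN egress, offices).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
SIGNIN_WINDOW = timedelta(minutes=10)   # "within minutes" of the prior sign-in
RULE_WINDOW = timedelta(minutes=60)     # inbox rule shortly after the suspect sign-in


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_aitm_candidates(events):
    """Flag successful sign-ins from untrusted addresses that closely follow another
    success for the same user, and escalate when an inbox rule appears soon after."""
    events = sorted(events, key=lambda e: e["ts"])
    signins, rules = {}, {}
    for e in events:
        if e["kind"] == "signin" and e["result"] == "success":
            signins.setdefault(e["user"], []).append(e)
        elif e["kind"] == "inbox_rule":
            rules.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in signins.items():
        for prev, cur in zip(evs, evs[1:]):
            t_prev = datetime.fromisoformat(prev["ts"])
            t_cur = datetime.fromisoformat(cur["ts"])
            gap = t_cur - t_prev
            if gap > SIGNIN_WINDOW or cur["ip"] == prev["ip"] or is_trusted(cur["ip"]):
                continue
            minutes = int(gap.total_seconds() // 60)
            reasons = [f"success from untrusted {cur['ip']} {minutes} min after prior sign-in"]
            if cur["country"] != prev["country"]:
                reasons.append(f"country changed {prev['country']}->{cur['country']} (impossible travel)")
            severity = "medium"
            for r in rules.get(user, []):
                after = datetime.fromisoformat(r["ts"]) - t_cur
                if timedelta(0) <= after <= RULE_WINDOW:
                    reasons.append(f"inbox rule '{r['rule']}' created "
                                   f"{int(after.total_seconds() // 60)} min later")
                    severity = "high"
            alerts.append({"user": user, "ts": cur["ts"], "ip": cur["ip"],
                           "severity": severity, "reasons": reasons})
    return alerts


def _signin(ts, user, ip, country, result="success"):
    return {"kind": "signin", "ts": ts, "user": user, "ip": ip,
            "country": country, "result": result}


# Constructed sample: alice shows the AiTM pattern (a second success from a foreign,
# untrusted address four minutes after her real sign-in, then a forwarding rule);
# bob, carol and dave are benign.
SAMPLE_EVENTS = [
    _signin("2026-03-24T09:00:00", "alice", "203.0.113.10", "US"),
    _signin("2026-03-24T09:04:00", "alice", "192.0.2.77", "NL"),
    {"kind": "inbox_rule", "ts": "2026-03-24T09:20:00", "user": "alice",
     "rule": "forward all mail to external address"},
    _signin("2026-03-24T10:00:00", "bob", "203.0.113.20", "US"),
    _signin("2026-03-24T10:03:00", "bob", "203.0.113.21", "US"),   # second office address, trusted
    _signin("2026-03-24T11:00:00", "carol", "203.0.113.30", "US"),
    _signin("2026-03-24T13:00:00", "carol", "192.0.2.5", "DE"),    # two hours later: outside window
    _signin("2026-03-24T12:00:00", "dave", "192.0.2.9", "RU", result="failure"),
    _signin("2026-03-24T12:01:00", "dave", "203.0.113.40", "US"),
]

if __name__ == "__main__":
    for a in find_aitm_candidates(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], a["ip"], "|", "; ".join(a["reasons"]))
```

<p>Only alice is flagged, at severity high, with three reasons attached. Note what the logic does not do: it ignores failed sign-ins, it does not treat a move between two trusted addresses as suspicious, and it requires the two successes to be close in time, because the briefing's point is that the proxy relays a genuine authentication and the stolen token is replayed right afterwards. A real deployment would replace the static trusted list with the tenant's named locations and add the residential-proxy and VPN-exit reputation data the hypothesis refers to.</p>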
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Government (State and Local Agencies)</strong></h3>
<ul>
<li><strong>Top threat:</strong> Ransomware (Qilin, Akira, Interlock) targeting municipal and state systems, as demonstrated by the Foster City emergency</li>
<li><strong>Priority action:</strong> Validate offline backup integrity for all critical citizen-facing services (DMV, tax, benefits, courts). Ensure incident response retainers are current and tested. Review cyber insurance policy exclusions for nation-state attacks.</li>
<li><strong>Key vulnerability:</strong> CVE-2026-20131 (Cisco FMC, CVSS 10.0) — Interlock ransomware has exploited this since January. Verify all FMC instances are patched.</li>
<li><strong>Identity threat:</strong> Tycoon 2FA and Storm-2561 fake VPN campaigns both target government M365 credentials. Migrate to FIDO2/passkey MFA for all privileged accounts.</li>
</ul>
<h3><strong>Financial Services (State Treasury, Revenue, Pension Systems)</strong></h3>
<ul>
<li><strong>Top threat:</strong> Tax-season credential theft campaigns using malvertising and trojanized ScreenConnect</li>
<li><strong>Priority action:</strong> Issue employee advisories about tax-related phishing. Block known malvertising redirect patterns at the web proxy. Ensure financial transaction systems require out-of-band approval for changes to payment routing.</li>
<li><strong>Key vulnerability:</strong> SharePoint CVE-2026-20963 (critical deserialization RCE, unauthenticated) — state revenue and treasury portals running on-premises SharePoint are at risk.</li>
</ul>
<h3><strong>Energy (State Energy Offices, Utility Coordination)</strong></h3>
<ul>
<li><strong>Top threat:</strong> ICS/SCADA vulnerabilities in Schneider Electric systems; Volt Typhoon pre-positioning in energy infrastructure</li>
<li><strong>Priority action:</strong> Apply Schneider Electric advisories for EcoStruxure Foxboro DCS, Plant iT, and Modicon controllers. Segment OT networks from IT networks. Monitor for living-off-the-land techniques (PowerShell, WMI, PsExec) in OT-adjacent network segments.</li>
<li><strong>Absence signal:</strong> Volt Typhoon silence is not reassurance — their documented playbook is long-dwell pre-positioning. Assume they may already be present and hunt accordingly.</li>
</ul>
<h3><strong>Healthcare (State Health Agencies, Medicaid Systems)</strong></h3>
<ul>
<li><strong>Top threat:</strong> Lazarus Group-linked Medusa ransomware targeting healthcare; Handala/MOIS destructive operations</li>
<li><strong>Priority action:</strong> Verify that state health information exchanges and Medicaid management systems have tested disaster recovery procedures. Ensure medical device networks are segmented. Review GDCM medical device advisories from CISA ICS alerts this cycle.</li>
<li><strong>Key risk:</strong> Healthcare data is both a ransomware extortion target and an espionage target. State health agencies holding millions of citizen health records are high-value targets for both criminal and nation-state actors.</li>
</ul>
<h3><strong>Aviation and Logistics (State DOT, Port Authorities, Airport Operations)</strong></h3>
<ul>
<li><strong>Top threat:</strong> Supply chain compromise via CI/CD tools (TeamPCP); Cisco SD-WAN exploitation</li>
<li><strong>Priority action:</strong> Audit any containerized applications used in logistics management, fleet tracking, or airport operations for TeamPCP-compromised dependencies. Verify Cisco SD-WAN Manager compliance with CISA Emergency Directive 26-03. Review access controls on transportation management systems.</li>
<li><strong>Key vulnerability:</strong> CVE-2026-20131 (Cisco FMC) and Cisco SD-WAN flaws — transportation agencies heavily dependent on Cisco networking infrastructure are particularly exposed.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>IMMEDIATE (Within 24–48 Hours)</strong></h3>
<table>
<thead>
<tr>
<th>
<p><strong>Priority</strong></p>
</th>
<th>
<p><strong>Responsible Team</strong></p>
</th>
<th>
<p><strong>Action</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>1</strong></p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p><strong>Push iOS updates</strong> to all state-managed iPhones and iPads to the latest available version. DarkSword exploit kit is public; any device on iOS 18.4–18.7.2 is vulnerable to full device takeover. Treat CISA's 21-day directive as a 48-hour directive for state devices.</p>
</td>
</tr>
<tr>
<td>
<p><strong>2</strong></p>
</td>
<td>
<p>DevOps / Application Teams</p>
</td>
<td>
<p><strong>Audit all GitHub Actions workflows</strong> for references to aquasecurity/trivy-action, checkmarx/kics-github-action, checkmarx/ast-github-action. Pin ALL GitHub Actions to commit SHAs. Verify LiteLLM is not version 1.82.7 or 1.82.8. Scan npm dependency lock files for unexpected changes in the last 7 days.</p>
</td>
</tr>
<tr>
<td>
<p><strong>3</strong></p>
</td>
<td>
<p>SOC</p>
</td>
<td>
<p><strong>Deploy detection rules</strong> for trojanized ScreenConnect installations delivered via browser downloads, and for Huawei driver loading events (BYOVD EDR bypass indicator). Tax-season malvertising campaign is active and targeting government employees.</p>
</td>
</tr>
<tr>
<td>
<p><strong>4</strong></p>
</td>
<td>
<p>SOC / Network Security</p>
</td>
<td>
<p><strong>Block or restrict Telegram file transfers</strong> at the network perimeter and endpoint level. FBI FLASH confirms Handala/MOIS is using Telegram for malware delivery.</p>
</td>
</tr>
</tbody>
</table>
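<p>Priority 2 in the table above and Hunting Hypothesis 1 earlier ask for the same audit: find workflow references to <code>aquasecurity/trivy-action</code>, <code>checkmarx/kics-github-action</code> and <code>checkmarx/ast-github-action</code>, find any action not pinned to a full commit SHA, and confirm LiteLLM is not pinned to 1.82.7 or 1.82.8. The script below is an added example, not part of this briefing or of any of the projects named; it checks a workflow file and a <code>requirements.txt</code> with plain regular expressions so it needs no YAML library and cannot be misled by a file that is valid YAML but hostile. The sample workflow and requirements files, including the two 40-character SHAs, are constructed for the example.</p>

```python
import re
from dataclasses import dataclass

# Actions the briefing names as poisoned in the TeamPCP campaign
WATCHLIST_ACTIONS = {
    "aquasecurity/trivy-action",
    "checkmarx/kics-github-action",
    "checkmarx/ast-github-action",
}
# LiteLLM releases the briefing says carry the credential-stealing backdoor
BAD_LITELLM_VERSIONS = {"1.82.7", "1.82.8"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
LITELLM_RE = re.compile(r"^\s*litellm(?![\w-])(?:\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$", re.IGNORECASE)


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def audit_workflow(text):
    """Flag watch-listed actions and any action not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                      # local composite or Docker refs: not GitHub-hosted
        name, _, version = ref.partition("@")
        repo = "/".join(name.split("/")[:2]).lower()   # drop sub-paths (owner/repo/path)
        if repo in WATCHLIST_ACTIONS:
            findings.append(Finding(n, ref, "references a TeamPCP-compromised action"))
        if not FULL_SHA_RE.match(version.lower()):
            findings.append(Finding(n, ref, "not pinned to a full commit SHA"))
    return findings


def audit_requirements(text):
    """Flag exact pins of the backdoored LiteLLM releases and floating LiteLLM specs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LITELLM_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("=="):
            if spec[2:].strip() in BAD_LITELLM_VERSIONS:
                findings.append(Finding(n, line.strip(), "pins a backdoored LiteLLM release"))
        else:
            findings.append(Finding(n, line.strip(),
                                    "LiteLLM not pinned to an exact version; "
                                    "resolution may select a backdoored release"))
    return findings


# Constructed sample workflow; both 40-hex SHAs are made up for the example
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: checkmarx/kics-github-action@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
"""

# Constructed requirements files: one exact pin of a bad release, one floating spec
SAMPLE_REQUIREMENTS = "fastapi==0.115.0\nlitellm==1.82.7\nrequests>=2.31\n"
SAMPLE_REQUIREMENTS_FLOATING = "litellm[proxy]>=1.80\n"

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

<p>On the sample workflow this reports four findings: <code>actions/checkout@v4</code> is unpinned, <code>aquasecurity/trivy-action@master</code> is both watch-listed and unpinned, and the KICS action is watch-listed even though it is pinned, because a pinned reference to a compromised repository still deserves a look. A pinned SHA is only half of the control: the SHA must also be one you reviewed, so treat any watch-list hit as a prompt to compare the pinned commit against the project's post-incident guidance rather than as a pass.</p>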
<h3><strong>7-DAY</strong></h3>
<table>
<thead>
<tr>
<th>
<p><strong>Priority</strong></p>
</th>
<th>
<p><strong>Responsible Team</strong></p>
</th>
<th>
<p><strong>Action</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>5</strong></p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p><strong>Patch Cisco Secure Firewall Management Center</strong> for CVE-2026-20131 (CVSS 10.0). Interlock ransomware has actively exploited this vulnerability since January. Verify Cisco SD-WAN Manager compliance with CISA ED 26-03.</p>
</td>
</tr>
<tr>
<td>
<p><strong>6</strong></p>
</td>
<td>
<p>Identity / IT Operations</p>
</td>
<td>
<p><strong>Implement phishing-resistant MFA</strong> (FIDO2 security keys or passkeys) for all M365 administrator and privileged accounts. Enable token binding and continuous access evaluation. Tycoon 2FA bypasses all other MFA methods.</p>
</td>
</tr>
<tr>
<td>
<p><strong>7</strong></p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p><strong>Patch on-premises SharePoint servers</strong> for CVE-2026-20963 (critical unauthenticated deserialization RCE). This is in CISA's Known Exploited Vulnerabilities catalog.</p>
</td>
</tr>
<tr>
<td>
<p><strong>8</strong></p>
</td>
<td>
<p>Communications / HR</p>
</td>
<td>
<p><strong>Issue employee advisory</strong> warning about tax-season phishing: do not search for W-2/W-9 forms via Google; use only official IRS.gov. Warn about fake VPN download sites impersonating Fortinet, Ivanti, and Cisco products.</p>
</td>
</tr>
</tbody>
</table>
<h3><strong>30-DAY</strong></h3>
<table>
<thead>
<tr>
<th>
<p><strong>Priority</strong></p>
</th>
<th>
<p><strong>Responsible Team</strong></p>
</th>
<th>
<p><strong>Action</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>9</strong></p>
</td>
<td>
<p>CISO / CIO</p>
</td>
<td>
<p><strong>Assess CISA service dependency gaps.</strong> Identify which CISA services the state currently relies on (vulnerability scanning, election security support, incident response, threat intelligence sharing) and develop contingency plans — internal capacity, interstate partnerships, or commercial alternatives — ahead of the 2026 midterm election cycle.</p>
</td>
</tr>
<tr>
<td>
<p><strong>10</strong></p>
</td>
<td>
<p>IT Operations / Endpoint Security</p>
</td>
<td>
<p><strong>Implement WDAC driver block lists</strong> (or equivalent) to prevent Bring Your Own Vulnerable Driver attacks. Include known vulnerable Huawei drivers. Review and deploy Microsoft's recommended driver blocklist.</p>
</td>
</tr>
<tr>
<td>
<p><strong>11</strong></p>
</td>
<td>
<p>CISO / IR Team</p>
</td>
<td>
<p><strong>Conduct a ransomware tabletop exercise</strong> using the Foster City scenario as the basis. Test: Can your state restore citizen-facing services from offline backups within 72 hours? Are incident response retainer agreements current? Does your cyber insurance cover nation-state-attributed ransomware?</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>IOC Blocking Guidance</strong></h2>
<p>IOCs for the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds. The following indicator was identified during this collection cycle:</p>
<table>
<thead>
<tr>
<th>
<p><strong>Type</strong></p>
</th>
<th>
<p><strong>Value</strong></p>
</th>
<th>
<p><strong>Context</strong></p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>MD5</p>
</td>
<td>
<p>18b5b152e3306c9a23cca674e2b06dc6</p>
</td>
<td>
<p>Associated with current threat activity; validate against your environment before blocking</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Software version indicators to audit (not network IOCs):</strong></p>
<ul>
<li>Trivy Action: malicious release v0.69.4; 76 of 77 version tags in aquasecurity/trivy-action compromised</li>
<li>LiteLLM: versions 1.82.7 and 1.82.8 contain credential-stealing backdoor</li>
</ul>
<p>Additional IOCs — including network indicators for Tycoon 2FA infrastructure, Handala C2 domains, and Storm-2561 fake VPN sites — are available via Anomali ThreatStream. Contact your threat intelligence team for the latest indicator feeds.</p>
<h2><strong>The Bottom Line</strong></h2>
<p>The threat level for U.S. state government has been raised to <strong>HIGH</strong>. This is not driven by a single event but by the <strong>convergence</strong> of three simultaneous escalations: a nation-state iOS exploit going public, a cascading supply chain compromise that is still expanding, and ransomware operators demonstrating they can paralyze municipal government for days with no resolution in sight.</p>
<p>Each of these threats has a specific, concrete defensive action associated with it. The iOS patching and CI/CD audit cannot wait for the next patch cycle — they need to begin today. The identity hardening (phishing-resistant MFA) should have been done already, but the full reconstitution of Tycoon 2FA makes it urgent rather than important.</p>
<p>State CISOs should also be having a candid conversation with their CIOs and governors' offices about the CISA capability gap. The federal cybersecurity safety net that state governments have relied on for the past several years is thinning. States that build internal capacity and regional partnerships now will be better positioned than those that wait.</p>
<p>The threat actors are not waiting. Neither should we.</p>