Public Sector
Anomali Cyber Watch
When Your Own Tools Become the Weapon: A Critical Week for State Government Cybersecurity

Published on
March 20, 2026
<table> <tbody> <tr> <td> <p><strong>Threat Assessment Level: ELEVATED</strong></p> <p>Previous cycle (2026-03-18): CRITICAL &rarr; Current assessment: ELEVATED. The downgrade from CRITICAL reflects the availability of patches for the Cisco FMC zero-day (CVE-2026-20131) and CISA's issuance of Intune hardening guidance, which provide defenders actionable mitigation paths. However, the threat level remains ELEVATED &mdash; not GUARDED &mdash; because: (1) the Iran-linked Handala wiper campaign demonstrated a paradigm-shifting attack technique with no available signature-based defense; (2) Interlock ransomware exploited CVE-2026-20131 as a zero-day for 36 days before a patch existed and continues to actively target public-sector organizations; (3) SharePoint RCE CVE-2026-20963 is now confirmed exploited in the wild; and (4) CISA's institutional capacity to support state governments continues to erode. All threat actors and campaigns from the prior cycle &mdash; Handala/UNC5203, MuddyWater, APT28/Fancy Bear, Interlock, LeakNet, Termite/Velvet Tempest, and the ClickFix social engineering ecosystem &mdash; remain active and relevant.</p> </td> </tr> </tbody> </table> <h2><strong>Introduction</strong></h2> <p>State CIOs and CISOs face a threat environment this week that is qualitatively different from anything in recent memory &mdash; not because of a single catastrophic event, but because three simultaneous, high-severity attack campaigns are converging on technology that virtually every state agency deploys: <strong>Cisco firewall management, Microsoft Intune endpoint management, and SharePoint collaboration.</strong></p> <p>The most alarming development is not a new piece of malware. It is the demonstrated weaponization of <strong>Microsoft Intune</strong> &mdash; a legitimate endpoint management platform &mdash; to wipe 200,000 devices at a major U.S.
corporation without deploying a single malicious file. No hash to block. No C2 domain to sinkhole. No signature to detect. The weapon was the management console itself, and the only trace it left was in the management plane's own audit trail.</p> <p>For state IT leaders managing tens of thousands of endpoints across dozens of agencies, this is not a theoretical risk. It is a proven attack path, executed by a nation-state actor, against a U.S. target, in March 2026.</p> <p>This post synthesizes the intelligence from the past 72 hours into actionable guidance for state government IT leadership. Every finding maps to technology you likely operate and threats you can mitigate &mdash; starting today.</p> <h2><strong>What Changed</strong></h2> <ul> <li><strong>March 19</strong> &mdash; CISA added <strong>CVE-2026-20131</strong> (Cisco Secure Firewall Management Center, CVSS 10.0) to the Known Exploited Vulnerabilities (KEV) catalog, confirming that the <strong>Interlock</strong> ransomware group has been exploiting it as a zero-day since <strong>January 26, 2026</strong> &mdash; a 36-day window before Cisco's March 4 patch.</li> <li><strong>March 19</strong> &mdash; CISA and Microsoft jointly issued an <strong>Intune hardening advisory</strong> following the Iran-linked <strong>Handala</strong> (also tracked as UNC5203/Void Manticore, MOIS-directed) wiper attack on Stryker Corporation, which destroyed approximately 200,000 devices using only legitimate Intune management commands.</li> <li><strong>March 19</strong> &mdash; CISA added <strong>CVE-2026-20963</strong> (Microsoft SharePoint RCE, CVSS 8.8) to KEV, confirming active exploitation in the wild.
The vulnerability was patched in January 2026 but many organizations remain unpatched.</li> <li><strong>March 19</strong> &mdash; Multiple outlets reported that <strong>Iran pre-positioned cyber strike infrastructure months before Operation Epic Fury</strong> (the U.S./Israel military operation launched February 28), indicating the current Iranian cyber campaign is pre-planned and sustained &mdash; not reactive.</li> <li><strong>March 18&ndash;19</strong> &mdash; <strong>ConnectWise ScreenConnect CVE-2026-3564</strong> disclosed &mdash; a cryptographic signature verification flaw allowing session hijacking. This is the second critical ScreenConnect vulnerability in under a year, compounding MSP supply chain risk.</li> <li><strong>March 19</strong> &mdash; CISA published <strong>eight ICS advisories</strong> affecting Schneider Electric Modicon controllers, Automated Logic WebCTRL building management systems, and other OT/ICS products commonly deployed in state government facilities.</li> <li><strong>March 17&ndash;19</strong> &mdash; <strong>ClickFix</strong> social engineering techniques continued to evolve and proliferate across multiple unrelated threat groups, with new reporting confirming adoption by at least four actor clusters and an updated variant targeting Windows Terminal rather than the Run dialog.</li> <li><strong>March 17</strong> &mdash; Reporting confirmed that <strong>CISA election security programs have been "hollowed out"</strong> and that the 2015 Cybersecurity Information Sharing Act framework faces expiration in September 2026 without congressional action, signaling a structural reduction in federal cyber support to state and local governments.</li> </ul> <h2><strong>Threat Timeline</strong></h2> <table> <thead> <tr> <th> <p><strong>Date</strong></p> </th> <th> <p><strong>Event</strong></p> </th> <th> <p><strong>Severity</strong></p> </th> <th>
<p><strong>State Gov Relevance</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>2026-01-26</p> </td> <td> <p>Interlock begins exploiting Cisco FMC CVE-2026-20131 as zero-day</p> </td> <td> <p>CRITICAL</p> </td> <td> <p>Cisco FMC widely deployed in state WANs</p> </td> </tr> <tr> <td> <p>2026-01 (est.)</p> </td> <td> <p>Iran pre-positions cyber strike infrastructure ahead of Epic Fury</p> </td> <td> <p>HIGH</p> </td> <td> <p>State OT/BMS systems are potential targets</p> </td> </tr> <tr> <td> <p>2026-01-14</p> </td> <td> <p>Microsoft patches SharePoint CVE-2026-20963</p> </td> <td> <p>MEDIUM</p> </td> <td> <p>Patch window opens; unpatched orgs accumulate risk</p> </td> </tr> <tr> <td> <p>2026-02-28</p> </td> <td> <p>Operation Epic Fury launched (U.S./Israel military operation)</p> </td> <td> <p>HIGH</p> </td> <td> <p>Triggers Iranian cyber retaliation campaign</p> </td> </tr> <tr> <td> <p>2026-03-04</p> </td> <td> <p>Cisco patches CVE-2026-20131 in FMC</p> </td> <td> <p>HIGH</p> </td> <td> <p>Patch available but exploitation ongoing</p> </td> </tr> <tr> <td> <p>2026-03-11&ndash;13</p> </td> <td> <p>Handala/UNC5203 executes Stryker wiper attack via Intune (200K devices)</p> </td> <td> <p>CRITICAL</p> </td> <td> <p>Proves Intune weaponization is viable</p> </td> </tr> <tr> <td> <p>2026-03-17</p> </td> <td> <p>Reporting confirms CISA election security programs &ldquo;hollowed out&rdquo;; cyber intelligence-sharing framework faces Sept 2026 expiration</p> </td> <td> <p>HIGH</p> </td> <td> <p>Reduces federal support to states</p> </td> </tr> <tr> <td> <p>2026-03-18</p> </td> <td> <p>ConnectWise ScreenConnect CVE-2026-3564 disclosed; patch released (v26.1)</p> </td> <td> <p>HIGH</p> </td> <td> <p>MSP/vendor remote access tool</p> </td> </tr> <tr> <td> <p>2026-03-19</p> </td> <td> <p>CISA adds CVE-2026-20131 to KEV; issues Intune hardening advisory; adds CVE-2026-20963 to KEV; publishes 8 ICS advisories</p> </td> <td> <p>CRITICAL</p> </td> <td> <p>Two KEV additions, the Intune advisory, and ICS advisories for state-deployed products, all in one day</p> </td> </tr> </tbody> </table> <h2><strong>Key Threat Analysis</strong></h2> <h3><strong>1. Interlock Ransomware and the Cisco FMC Zero-Day</strong></h3> <p><strong>Interlock</strong> is a ransomware operation linked to the <strong>VICE SPIDER</strong> ecosystem (which includes Vice Society, Rhysida, and aliases DEV-0832/Vanilla Tempest). Threat intelligence data shows Interlock has claimed <strong>99 victims</strong> since December 2023, with <strong>67% based in the United States</strong> and <strong>9% in the public sector</strong> &mdash; including the city of Saint Paul, Minnesota.</p> <p>The group exploited <strong>CVE-2026-20131</strong> &mdash; an unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center's web interface, caused by insecure deserialization of Java byte streams &mdash; for <strong>36 days</strong> before a patch was available. The vulnerability carries a <strong>CVSS score of 10.0</strong> (maximum severity) and grants attackers root-level access to the FMC appliance.</p> <p>What makes this particularly concerning for state government: Interlock's toolset includes <strong>Cobalt Strike, Mimikatz, PsExec, AnyDesk, ScreenConnect, MeshAgent, RustDesk, and SharpHound</strong> &mdash; a full-spectrum post-exploitation kit. Once inside via FMC, they have the tools to map your Active Directory, escalate privileges, move laterally, and deploy ransomware across the enterprise. The FMC is also the policy and configuration authority for every firewall it manages, so root on the FMC is a position from which the attacker can weaken or rewrite the perimeter rules of the managed devices themselves.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), T1486 (Data Encrypted for Impact), T1021.001 (Remote Services: Remote Desktop Protocol)</p> <h3><strong>2.
Handala/Void Manticore: Intune as a Wiper Delivery Platform</strong></h3> <p>The Iran-linked <strong>Handala</strong> group (also tracked as <strong>UNC5203</strong>, <strong>Void Manticore</strong>, directed by Iran's MOIS per DOJ/FBI attribution) executed what may be the most consequential attack technique of 2026: using <strong>Microsoft Intune</strong> &mdash; a legitimate, trusted endpoint management platform &mdash; to wipe 200,000 devices at Stryker Corporation. No malware was deployed. The attackers compromised Intune administrator credentials and used the platform's native device management capabilities to push destructive commands.</p> <p>This is a paradigm shift. Earlier high-profile wipers &mdash; NotPetya, WhisperGate, BiBi-Linux &mdash; deployed malicious binaries that could at least in principle be detected by EDR, antivirus, or network monitoring. The Intune wiper attack sidesteps file- and signature-based controls entirely, because the "weapon" is a legitimate management command from a trusted platform. The detection surface that remains is the identity and management plane: the administrator sign-in, any role assignment, and the bulk wipe commands recorded in the Intune audit log. Those events are only useful if the logs are being collected and someone is alerting on them.</p> <p>For state government, the implications are stark: if an attacker compromises a single Global Administrator or Intune Administrator account &mdash; potentially via an adversary-in-the-middle (AiTM) phishing attack that steals a session token &mdash; they could push a device wipe to <strong>every state-managed endpoint simultaneously</strong>. Laptops, desktops, and mobile devices across every agency.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1072 (Software Deployment Tools), T1485 (Data Destruction), T1078 (Valid Accounts), T1078.004 (Cloud Accounts), T1538 (Cloud Service Dashboard)</p> <h3><strong>3. Iran's Sustained Cyber Retaliation Posture</strong></h3> <p>The Handala/Stryker attack does not exist in isolation. Intelligence reporting from the week of March 17&ndash;19 confirms that <strong>Iranian cyber operators pre-positioned strike infrastructure months before Operation Epic Fury</strong> was launched on February 28.
Iran is combining missile strikes, disinformation campaigns, and cyberattacks in a coordinated retaliatory campaign and has publicly named major U.S. technology firms as targets.</p> <p>This is not a short-duration spike. The pre-positioning timeline indicates a <strong>sustained campaign</strong> that will likely continue for months. <strong>MuddyWater</strong> (MOIS-affiliated, also tracked as TEMP.Zagros) remains active with its Dindoor backdoor operations. Outside the Iranian cluster, <strong>APT28/Fancy Bear</strong> (Russian GRU) continues leveraging ClickFix social engineering. The broader threat actor landscape remains fully active.</p> <p>Iran has previously demonstrated willingness to target U.S. critical infrastructure &mdash; including water treatment systems in 2023&ndash;2024. State government OT and building management systems represent opportunistic targets for actors seeking high-visibility disruption.</p> <h3><strong>4. SharePoint RCE in the Wild (CVE-2026-20963)</strong></h3> <p><strong>CVE-2026-20963</strong> is a deserialization-of-untrusted-data vulnerability in Microsoft SharePoint (CVSS 8.8) that allows an <strong>authorized attacker</strong> to execute arbitrary code. The "authorized attacker" requirement is key: this is not an unauthenticated exploit. An attacker needs a valid SharePoint account &mdash; which is exactly what AiTM phishing campaigns deliver.</p> <p>The attack chain is clear: <strong>tax-season phishing email &rarr; AiTM credential theft &rarr; compromised M365 account &rarr; SharePoint RCE</strong>. Microsoft patched this in January 2026 as a SharePoint Server cumulative update. SharePoint Online is patched by Microsoft without customer action; the patching burden falls on on-premises and hybrid SharePoint Server farms, which a stolen cloud identity can still reach wherever sign-in is federated. CISA's March 19 KEV addition confirms organizations remain unpatched and exploitation is active.</p> <h3><strong>5. The ClickFix Social Engineering Ecosystem</strong></h3> <p><strong>ClickFix</strong> &mdash; a social engineering technique that tricks users into executing malicious commands &mdash; continues to evolve and proliferate.
It has now been adopted by <strong>at least four unrelated threat groups</strong>, including operators linked to Interlock. Recent reporting indicates ClickFix has evolved to target <strong>Windows Terminal</strong> instead of the Run dialog, and a <strong>MacSync</strong> infostealer variant is being distributed via fake AI tools.</p> <p>The proliferation of ClickFix across multiple actor groups &mdash; from ransomware operators to nation-state actors including APT28 &mdash; suggests it has become a shared commodity technique, much like phishing kits were a decade ago.</p> <h3><strong>6. CISA Institutional Erosion</strong></h3> <p>A structural factor compounding all of the above: <strong>CISA's capacity to support state and local governments is degrading.</strong> Reporting from March 17 confirmed that election security programs have been "hollowed out," and the 2015 Cybersecurity Information Sharing Act framework faces expiration in <strong>September 2026</strong> without congressional action. The irony is acute: on March 19 alone, CISA added two of the vulnerabilities discussed here to KEV, issued an Intune hardening advisory, and published eight ICS advisories, while simultaneously losing the staff and budget to help states implement the guidance.</p> <h2><strong>Predictive Analysis</strong></h2> <table> <thead> <tr> <th> <p><strong>Scenario</strong></p> </th> <th> <p><strong>Probability</strong></p> </th> <th> <p><strong>Timeframe</strong></p> </th> <th> <p><strong>Basis</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>Additional Iranian wiper or disruptive attacks against U.S.
organizations</p> </td> <td> <p>HIGH (75&ndash;85%)</p> </td> <td> <p>7&ndash;30 days</p> </td> <td> <p>Pre-positioned infrastructure, public targeting statements, Stryker precedent, sustained Epic Fury escalation</p> </td> </tr> <tr> <td> <p>Interlock ransomware targets additional state/local government entities via Cisco FMC or other vectors</p> </td> <td> <p>MODERATE-HIGH (55&ndash;65%)</p> </td> <td> <p>30&ndash;60 days</p> </td> <td> <p>9% public-sector victim rate, 67% U.S. focus, CVSS 10.0 zero-day in toolkit, ClickFix as alternative access vector</p> </td> </tr> <tr> <td> <p>AiTM phishing campaigns leveraging tax-season lures compromise state employee M365 accounts</p> </td> <td> <p>HIGH (70&ndash;80%)</p> </td> <td> <p>Now through April 15</p> </td> <td> <p>Seasonal pattern, successor PhaaS platforms (Starkiller) filling Tycoon2FA gap, MFA bypass techniques maturing</p> </td> </tr> <tr> <td> <p>Compromised M365 account chains into SharePoint RCE (CVE-2026-20963) or Intune abuse</p> </td> <td> <p>MODERATE (40&ndash;50%)</p> </td> <td> <p>30&ndash;60 days</p> </td> <td> <p>Attack chain is proven; depends on patch status and Intune hardening</p> </td> </tr> <tr> <td> <p>Chinese APT activity (Salt Typhoon, Volt Typhoon) resurfaces against government networks</p> </td> <td> <p>MODERATE (45&ndash;55%)</p> </td> <td> <p>30&ndash;90 days</p> </td> <td> <p>Absence of reporting during Iran crisis is notable; historical pattern of sustained pre-positioning in U.S. infrastructure</p> </td> </tr> <tr> <td> <p>Exploitation of ConnectWise ScreenConnect CVE-2026-3564 in MSP supply chain attacks</p> </td> <td> <p>MODERATE (40&ndash;50%)</p> </td> <td> <p>14&ndash;30 days</p> </td> <td> <p>Second critical vuln in &lt;1 year; MSPs are proven high-value targets</p> </td> </tr> </tbody> </table> <h2><strong>SOC Operational Guidance</strong></h2> <h3><strong>Priority Detection Use Cases</strong></h3> <h4><strong>1.
Cisco FMC Compromise Indicators</strong></h4> <p><strong>Hunt Hypothesis:</strong> If Interlock exploited CVE-2026-20131 in our environment, we would see unexpected child processes (shells, curl, wget, scripting interpreters) spawned by the FMC web service's Java process, since the deserialization flaw executes inside that process; new administrative accounts created on FMC; or lateral movement (RDP, PsExec, WMI) originating from FMC management IP addresses.</p> <p><strong>ATT&amp;CK:</strong> T1190, T1068, T1021.001, T1136 (Create Account)</p> <p><strong>Actions:</strong> Query FMC audit logs for new account creation since January 26, 2026. Review network flow data for outbound connections from FMC management interfaces to unexpected destinations. Check for beaconing from FMC subnets: periodic HTTPS callbacks on 443 or 8443, or traffic matching known Cobalt Strike Malleable C2 profiles. Review the FMC policy-deployment history for the same period, because a compromised FMC can push rule changes to every firewall it manages. If the FMC management interface was internet-exposed at any point since January 26, <strong>treat as presumed compromised</strong> and initiate incident response.</p> <h4><strong>2. Intune Management Platform Abuse</strong></h4> <p><strong>Hunt Hypothesis:</strong> If an attacker compromised an Intune administrator account, we would see bulk device management commands (wipe, retire, reset) issued outside of normal change windows, or Intune admin sign-ins from anomalous locations/devices.</p> <p><strong>ATT&amp;CK:</strong> T1072, T1485, T1078.004, T1538</p> <p><strong>Actions:</strong> Export Intune audit logs, together with Entra ID sign-in and audit logs, to Microsoft Sentinel or your SIEM and monitor them; the Intune admin center alone does not alert. Create alerts for: (a) any wipe, retire, or reset command affecting &gt;10 devices in a 1-hour window; (b) Intune admin sign-ins from non-corporate IP ranges; (c) new Intune admin role assignments; (d) Conditional Access policy modifications. Baseline normal Intune admin activity patterns to detect anomalies.</p> <h4><strong>3.
SharePoint Post-Exploitation Activity</strong></h4> <p><strong>Hunt Hypothesis:</strong> If an attacker exploited CVE-2026-20963 after compromising an employee account, we would see unusual SharePoint API calls, file uploads of web shells or scripts, or process execution on SharePoint servers.</p> <p><strong>ATT&amp;CK:</strong> T1190, T1059, T1078</p> <p><strong>Actions:</strong> Review SharePoint audit data (the Unified Audit Log for SharePoint Online; ULS and IIS logs on SharePoint Server farms) for unusual file operations (.aspx/.asmx uploads, large data exports). Monitor SharePoint server processes for unexpected child processes (cmd.exe, powershell.exe, certutil.exe spawned by w3wp.exe). Verify the January 2026 cumulative update is applied on every SharePoint Server farm.</p> <h4><strong>4. AiTM Phishing / Session Token Theft</strong></h4> <p><strong>Hunt Hypothesis:</strong> If state employees are targeted by AiTM phishing during tax season, we would see M365 sign-ins with stolen session tokens &mdash; characterized by sign-ins in which MFA is satisfied by a replayed token rather than a fresh challenge, originate from proxy infrastructure, and are followed by mailbox rule creation or data exfiltration.</p> <p><strong>ATT&amp;CK:</strong> T1566.002, T1539, T1078.004</p> <p><strong>Actions:</strong> Monitor Entra ID (formerly Azure AD) sign-in logs for: (a) sign-ins where the MFA requirement is recorded as satisfied by a claim in the token, from IP addresses new to that user; (b) impossible travel detections; (c) inbox rule creation (forwarding, deletion) immediately after sign-in. Deploy Microsoft's token theft detection playbook. Alert on any new mail forwarding rules to external addresses. On confirmation, revoke the user's refresh tokens and reset the credential; a password change alone does not invalidate an already-stolen session.</p> <h4><strong>5.
ClickFix / Windows Terminal Abuse</strong></h4> <p><strong>Hunt Hypothesis:</strong> If ClickFix social engineering succeeds against a state employee, we would see Windows Terminal (wt.exe) or PowerShell launched interactively (explorer.exe as the parent, since the victim types or pastes the command) with encoded or obfuscated command lines, followed by download and execution of second-stage payloads.</p> <p><strong>ATT&amp;CK:</strong> T1204.004 (User Execution: Malicious Copy and Paste), T1059.001 (PowerShell)</p> <p><strong>Actions:</strong> Monitor endpoint telemetry for wt.exe or powershell.exe launched with Base64-encoded command-line arguments (<code>-EncodedCommand</code> and its abbreviations) or with in-line download cradles. Alert on mshta.exe, certutil.exe, or bitsadmin.exe downloading executables. Review proxy logs for connections to known ClickFix staging domains. Note that disabling the Run dialog through Group Policy does not stop the Windows Terminal variant; the detection has to key on the command line and parent process, not the launcher.</p> <h4><strong>6. OT/BMS Anomaly Monitoring</strong></h4> <p><strong>Hunt Hypothesis:</strong> If Iranian or other actors target state building management or water/wastewater systems, we would see unauthorized access to WebCTRL or Modicon PLC management interfaces, firmware modifications, or setpoint changes outside maintenance windows.</p> <p><strong>ATT&amp;CK:</strong> T1485 (Data Destruction &mdash; OT context); in ATT&amp;CK for ICS, T0836 (Modify Parameter) and T0857 (System Firmware)</p> <p><strong>Actions:</strong> Verify Automated Logic WebCTRL and Schneider Electric Modicon management interfaces are not internet-accessible. Monitor OT network segments for unauthorized connections. Review access logs for WebCTRL admin portals.</p> <h3><strong>IOC Blocking Guidance</strong></h3> <p>The following IOCs have been verified through intelligence collection.
Apply to perimeter controls, SIEM correlation rules, and threat hunting queries as appropriate.</p> <h4><strong>Network Indicators</strong></h4> <table> <thead> <tr> <th> <p><strong>Type</strong></p> </th> <th> <p><strong>Value</strong></p> </th> <th> <p><strong>Context</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>IPv4</p> </td> <td> <p>176.113.115[.]97</p> </td> <td> <p>Malicious infrastructure</p> </td> </tr> <tr> <td> <p>IPv4</p> </td> <td> <p>176.113.115[.]209</p> </td> <td> <p>Malicious infrastructure</p> </td> </tr> <tr> <td> <p>IPv4</p> </td> <td> <p>85.209.11[.]49</p> </td> <td> <p>Malicious infrastructure</p> </td> </tr> <tr> <td> <p>IPv4</p> </td> <td> <p>31.41.244[.]100</p> </td> <td> <p>Malicious infrastructure</p> </td> </tr> <tr> <td> <p>IPv4</p> </td> <td> <p>188.119.66[.]189</p> </td> <td> <p>Malicious infrastructure</p> </td> </tr> </tbody> </table> <p><strong>Note on IP <code>1.1.3[.]0</code>:</strong> This China Telecom (Fujian) IP is tagged in threat intelligence platforms to 20+ actor groups including Interlock, Scattered Spider, LockBit, Play, and Qilin.
It is useful for <strong>correlation and hunting</strong> but should <strong>not</strong> be used as a standalone blocking indicator due to high shared-infrastructure risk.</p> <h4><strong>File Hashes (select high-confidence indicators)</strong></h4> <table> <thead> <tr> <th> <p><strong>Type</strong></p> </th> <th> <p><strong>Value</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>SHA-256</p> </td> <td> <p>7def662b245e995377ac5f83a969085846de3b654308d8deeb48555ffc78c988</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>b7c96d19845837cdc25da4fd545ede0743668b70db6d1d22f0e657c27a8cd713</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>c4b2e134279ec2f484a4f1505914c68d20c20596ec544b2b2b48151df2a93327</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>f7b89d35d9a54d9a9a419ff83d6c7598eddfca9737f959c67cc19eb5ba489bab</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>f84b3439ac34616573d5e579b1d26211098168825719aeef3137a4d03392625a</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>a0a049feafb6843d05e741055d693d4acced2a3942cf5f122cb1d3b281ee8490</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>90a89ad6e8c4271c52bc8e83eb687837dc781d3a01c04e2ca62974a9aecc9f80</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>d2ed3a442faf5e1a83101bf6951212a04d3d0e1896c5f208726fb9dd2bf601f7</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>458ced67f6762226b7ad22044f382d89e4979a57647139553927fa60cc529451</p> </td> </tr> <tr> <td> <p>SHA-256</p> </td> <td> <p>8e53d239691d7e66dc4686d751912af7adeb2aff0e5c6218a14780ba0818fed0</p> </td> </tr> <tr> <td> <p>MD5</p> </td> <td> <p>d6e7547ad7dfd1fbc62e8282aebcc391</p> </td> </tr> <tr> <td> <p>MD5</p> </td> <td> <p>f588802958c35fe18eb87bc36651a3d1</p> </td> </tr> <tr> <td> <p>MD5</p> </td> <td> <p>2bb209ccfc5103eccab523c875050cfa</p> </td> </tr> <tr> <td> <p>MD5</p> </td> <td> <p>a7e7d00d531cb7ca27d0f3bee448573f</p> </td> </tr> <tr> <td> <p>MD5</p> </td> <td> <p>964c13b68dc6b6b918b66a9a10469d2a</p> </td> </tr> 
</tbody> </table> <p>Additional IOCs are available through Anomali ThreatStream and partner feeds.&nbsp;</p> <h2><strong>Sector-Specific Defensive Priorities</strong></h2> <h3><strong>Financial Services (State Treasury, Revenue, Tax Systems)</strong></h3> <p>Tax-season phishing campaigns are <strong>directly targeting</strong> financial transaction workflows. State tax filing portals, revenue management systems, and treasury payment platforms face elevated risk from AiTM phishing that steals employee session tokens, potentially enabling unauthorized access to financial systems.</p> <ul> <li>Priority: Deploy phishing-resistant MFA (FIDO2) on all accounts with access to financial systems &mdash; treasury, tax processing, benefits disbursement</li> <li>Priority: Implement anomaly detection on tax filing portals for credential stuffing and automated submission patterns</li> <li>Priority: Review SharePoint sites containing financial data; verify CVE-2026-20963 patch status on any SharePoint instance hosting tax or revenue documents</li> <li>Monitor for: Fake state tax portal domains (typosquats), fraudulent refund processing, and business email compromise targeting treasury wire transfers</li> </ul> <h3><strong>Energy (State-Managed Power, Utilities Oversight)</strong></h3> <p>CISA's March 19 ICS advisories for <strong>Schneider Electric EcoStruxure PME/EPO</strong> (power monitoring) and <strong>Schneider Electric Modicon controllers</strong> directly affect energy infrastructure. Iran's demonstrated willingness to target U.S. 
critical infrastructure &mdash; combined with pre-positioned cyber capabilities &mdash; elevates the risk to state-regulated or state-operated power systems.</p> <ul> <li>Priority: Apply patches per CISA advisories ICSA-26-078-01, ICSA-26-078-02, and ICSA-26-078-04 for Schneider Electric products</li> <li>Priority: Verify network segmentation between IT and OT environments; ensure Modicon PLC management interfaces are not reachable from corporate networks</li> <li>Priority: Establish or verify out-of-band communication plans for OT environments in case of IT network compromise</li> <li>Monitor for: Unauthorized access to SCADA/HMI systems, firmware modification attempts on PLCs, anomalous setpoint changes</li> </ul> <h3><strong>Healthcare (State Health Agencies, Medicaid Systems)</strong></h3> <p>Interlock ransomware has claimed <strong>10 healthcare victims</strong> (10% of its total), making healthcare its third most-targeted sector. State health agencies managing Medicaid enrollment, public health data, and hospital licensing systems are within the target profile. 
The combination of sensitive PII (health records, SSNs) and operational urgency (patient safety) makes healthcare a high-value ransomware target.</p> <ul> <li>Priority: Verify Cisco FMC patch status for any FMC instances managing healthcare network firewalls</li> <li>Priority: Ensure healthcare data repositories on SharePoint are patched against CVE-2026-20963</li> <li>Priority: Review and test backup/recovery procedures for Medicaid and public health systems &mdash; ransomware recovery time directly impacts resident services</li> <li>Monitor for: Cobalt Strike beacons, SharpHound/BloodHound Active Directory enumeration, and lateral movement tools (PsExec, WMI) in healthcare network segments</li> </ul> <h3><strong>Government (Executive Branch Agencies, Courts, Elections)</strong></h3> <p>State government agencies are the primary audience for this entire report, but several sub-sectors warrant specific callouts:</p> <ul> <li>Elections: CISA election security programs have been &ldquo;hollowed out&rdquo; per March 17 reporting. States must assume reduced federal support for election infrastructure security through the 2026 cycle. Engage the EI-ISAC and MS-ISAC directly for compensating support.</li> <li>Courts: Court case management systems often run on legacy infrastructure with extended patching cycles. Verify SharePoint and Cisco FMC patch status in judicial branch networks.</li> <li>DMV/Benefits: High-volume citizen-facing portals are prime targets for credential harvesting and data theft. 
The same tax-season phishing techniques are likely to be repurposed for DMV and benefits fraud.</li> <li>Priority: Conduct an emergency inventory of all Global Administrator and Intune Administrator accounts across all agencies (any Global Administrator can issue Intune commands); enforce FIDO2 MFA and Privileged Identity Management (PIM) with just-in-time access</li> <li>Priority: Assess the state's dependency on CISA services and develop contingency plans for reduced federal cyber support</li> <li>Priority: Ensure the September 2026 Cybersecurity Information Sharing Act expiration is on the state CISO's legislative tracking radar</li> </ul> <h3><strong>Aviation / Logistics (State DOT, Airports, Port Authorities)</strong></h3> <p>State departments of transportation, airport authorities, and port facilities operate OT systems (traffic management, baggage handling, cargo tracking) that share vulnerability profiles with the ICS products covered in this week's CISA advisories. Supply chain disruption is a stated objective of Iranian retaliatory operations.</p> <ul> <li>Priority: Review Automated Logic WebCTRL deployments in airport terminals and transportation facilities; apply patches per CISA ICSA-26-078-08</li> <li>Priority: Audit ConnectWise ScreenConnect instances used by transportation system vendors; upgrade to version 26.1</li> <li>Priority: Verify network segmentation between transportation OT systems (traffic signals, tunnel ventilation, bridge controls) and corporate IT networks</li> <li>Monitor for: Unauthorized remote access sessions to transportation control systems, anomalous ScreenConnect connections from vendor accounts</li> </ul> <h2><strong>Prioritized Defense Recommendations</strong></h2> <h3><strong>Immediate (24&ndash;48 Hours)</strong></h3> <table> <thead> <tr> <th> <p><strong>#</strong></p> </th> <th> <p><strong>Action</strong></p> </th> <th> <p><strong>Owner</strong></p> </th> <th> <p><strong>Justification</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p>Patch all Cisco FMC instances for CVE-2026-20131.
If the FMC management interface was internet-exposed at any point since January 26, 2026, initiate compromise assessment &mdash; hunt for unexpected admin accounts, anomalous child processes of the FMC web service, unexplained policy deployments, and lateral movement from FMC hosts.</p> </td> <td> <p>Network Security / IR</p> </td> <td> <p>CVSS 10.0, CISA KEV, 36-day zero-day exploitation by Interlock ransomware</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>Harden Microsoft Intune immediately. Enforce phishing-resistant MFA (FIDO2) on all Intune admin accounts. Scope device wipe and retire permissions to a dedicated custom Intune role held by a small, separately monitored set of accounts and activated just-in-time through PIM, rather than leaving them as standing privilege on every Global Administrator. Export Intune audit logs to your SIEM. Implement Conditional Access policies requiring compliant devices and trusted locations for admin access.</p> </td> <td> <p>Identity &amp; Cloud Security</p> </td> <td> <p>Proven wiper attack path; 200K devices destroyed at Stryker</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>Patch SharePoint for CVE-2026-20963. Verify the January 2026 cumulative update is applied to all SharePoint instances &mdash; on-premises and hybrid. If unpatched, treat as emergency.</p> </td> <td> <p>Applications / SharePoint Admin</p> </td> <td> <p>CISA KEV, active exploitation confirmed, chains with AiTM credential theft</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p>Issue a tax-season phishing alert to all state employees. Specifically warn about fake refund notices, payroll forms, and IRS impersonation. Instruct employees to deny and report any MFA prompts they did not initiate. Note that an AiTM victim initiates the prompt themselves, so this step addresses MFA-fatigue attacks and complements, rather than replaces, phishing-resistant MFA.</p> </td> <td> <p>Security Awareness / SOC</p> </td> <td> <p>Peak phishing season; AiTM attacks bypass traditional MFA</p> </td> </tr> </tbody> </table> <h3><strong>7-Day Actions</strong></h3> <table> <thead> <tr> <th> <p><strong>#</strong></p> </th> <th> <p><strong>Action</strong></p> </th> <th> <p><strong>Owner</strong></p> </th> <th> <p><strong>Justification</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>5</p> </td> <td> <p>Upgrade ConnectWise ScreenConnect to version 26.1 across all instances.
Audit which vendors and MSPs have ScreenConnect access to state systems; revoke unnecessary access.</p> </td> <td> <p>Vendor Management / Endpoint</p> </td> <td> <p>CVE-2026-3564; second critical vuln in &lt;1 year</p> </td> </tr> <tr> <td> <p>6</p> </td> <td> <p>Patch Automated Logic WebCTRL in state buildings per CISA ICSA-26-078-08. Verify management interfaces are not internet-accessible.</p> </td> <td> <p>Facilities / OT Security</p> </td> <td> <p>Active ICS advisory; building management systems in state facilities</p> </td> </tr> <tr> <td> <p>7</p> </td> <td> <p>Patch Schneider Electric Modicon controllers at water/wastewater and power monitoring facilities per CISA ICSA-26-078-01 and -02.</p> </td> <td> <p>OT Security / Utilities</p> </td> <td> <p>Active ICS advisories; Iran targeting critical infrastructure</p> </td> </tr> <tr> <td> <p>8</p> </td> <td> <p>Conduct Intune admin account inventory across all agencies. Remove stale accounts, enforce least privilege, enable Privileged Identity Management (PIM) for just-in-time admin access.</p> </td> <td> <p>Identity &amp; Cloud Security</p> </td> <td> <p>Reduces blast radius of credential compromise</p> </td> </tr> <tr> <td> <p>9</p> </td> <td> <p>Deploy token theft detection in Azure AD/Entra ID. Implement Microsoft's recommended playbook for detecting session token replay attacks.</p> </td> <td> <p>SOC / Identity</p> </td> <td> <p>AiTM phishing bypasses MFA; token theft is the primary post-phishing technique</p> </td> </tr> </tbody> </table> <h3><strong>30-Day Actions</strong></h3> <table> <thead> <tr> <th> <p><strong>#</strong></p> </th> <th> <p><strong>Action</strong></p> </th> <th> <p><strong>Owner</strong></p> </th> <th> <p><strong>Justification</strong></p> </th> </tr> </thead> <tbody> <tr> <td> <p>10</p> </td> <td> <p>Conduct a tabletop exercise: &ldquo;Intune Wiper Scenario.&rdquo; Simulate an attacker compromising an Intune admin account and pushing a mass device wipe across all agencies. 
Test detection capabilities, response procedures, communication plans, and recovery timelines.</p> </td> <td> <p>IR / CISO Office</p> </td> <td> <p>Proven attack technique; tests organizational resilience to a novel threat</p> </td> </tr> <tr> <td> <p>11</p> </td> <td> <p>Evaluate phishing-resistant MFA rollout for all state employees &mdash; not just administrators. FIDO2 security keys or Windows Hello for Business. AiTM attacks render SMS and TOTP MFA ineffective for any account.</p> </td> <td> <p>Identity / CIO Office</p> </td> <td> <p>Strategic investment; single highest-leverage control against credential theft</p> </td> </tr> <tr> <td> <p>12</p> </td> <td> <p>Assess CISA dependency and develop contingency plans. With CISA budget cuts reducing federal support and the Cybersecurity Information Sharing Act facing September 2026 expiration, evaluate whether the state needs to increase internal threat hunting capacity, engage MS-ISAC/EI-ISAC more deeply, or procure commercial threat intelligence services.</p> </td> <td> <p>CISO Office / Policy</p> </td> <td> <p>Structural reduction in federal cyber support to states</p> </td> </tr> <tr> <td> <p>13</p> </td> <td> <p>Establish behavioral analytics for legitimate tool abuse. Create detection rules for anomalous use of management platforms (Intune bulk commands, unusual ScreenConnect sessions, off-hours SharePoint API activity, unexpected SCCM deployments). Traditional signature-based detection will not catch these attacks.</p> </td> <td> <p>SOC / Detection Engineering</p> </td> <td> <p>The Intune wiper used no malware; ClickFix uses the victim's own terminal; Interlock uses legitimate RMM tools for persistence</p> </td> </tr> </tbody> </table> <h3><strong>Executive / IR Preparedness</strong></h3> <ul> <li><strong>CISO:</strong> Brief the Governor's office or state CIO on the Intune wiper precedent and its implications for state endpoint management. 
This is a board-level risk that may require emergency budget authorization for FIDO2 key procurement and Intune hardening.</li> <li><strong>General Counsel:</strong> Monitor class action litigation against Stryker &mdash; outcomes will establish precedent for organizational liability when legitimate management platforms are weaponized.</li> <li><strong>IR Team:</strong> Update incident response playbooks to include &ldquo;management platform compromise&rdquo; as a scenario. Current playbooks likely assume malware-based attacks; the Intune wiper requires a fundamentally different response (credential revocation, Conditional Access lockdown, platform isolation &mdash; not malware containment).</li> <li><strong>Communications:</strong> Prepare holding statements for a scenario in which state employee devices are mass-wiped. Citizen-facing services would be disrupted; proactive communication planning reduces reputational damage.</li> </ul> <h2><strong>The Bottom Line</strong></h2> <p><strong>First, identity is now the primary perimeter.</strong> Three of this week's five major threats &mdash; Intune weaponization, SharePoint RCE, and tax-season AiTM phishing &mdash; require compromised credentials as a prerequisite. The attacker who steals a session token from a single state employee can chain that access into remote code execution on SharePoint, or &mdash; if they reach an admin account &mdash; a mass device wipe via Intune. Phishing-resistant MFA (FIDO2) for privileged accounts is no longer a roadmap item. It is the single control that would have mitigated all three attack paths.</p> <p><strong>Second, your management tools are now in the threat model.</strong> The Stryker attack proved that an endpoint management platform can be turned into a weapon of mass destruction without a single line of malicious code. 
Every state CISO should be asking: <em>If our Intune admin credentials were compromised tonight, what would happen?</em> If the answer is &ldquo;an attacker could wipe every device we manage,&rdquo; then hardening those controls is not a 30-day project &mdash; it is a this-week project.</p> <p><strong>Third, federal support is diminishing at the worst possible time.</strong> CISA issued three KEV additions and a major hardening advisory in a single day while simultaneously losing the capacity to help states implement the guidance. States that have relied on federal assistance for threat hunting, vulnerability management, and incident response need to build internal capacity or find alternative partners &mdash; now, not after the next incident.</p> <p>The threat actors are not waiting. Interlock exploited a zero-day for 36 days before anyone noticed. Handala pre-positioned infrastructure months before striking. The window between vulnerability disclosure and exploitation is collapsing. The window between exploitation and catastrophic impact is measured in hours.</p> <table> <tbody> <tr> <td> <p><strong>Patch the Cisco FMC. Harden Intune. Patch SharePoint. Deploy FIDO2. Do it this week.</strong></p> </td> </tr> </tbody> </table>
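<p>The following Python sketch is an added example, not code from the Anomali post or from Microsoft. It shows the kind of behavioral rule that 30-day action #13 ("behavioral analytics for legitimate tool abuse") and immediate action #2 (restrict wipe permissions to break-glass accounts) call for, run over a small constructed feed of MDM audit events. The event field names, action names, the break-glass allowlist, the bulk threshold and the business-hours window are all assumptions for this example; a real Intune audit export has its own schema and would need to be mapped into this shape first. The rules flag three things: any wipe issued by an identity outside the break-glass allowlist, any wipe issued off-hours, and a burst of wipe-class actions by one actor inside a short window.</p>

```python
"""Added example (not from the Anomali post): baseline-violation detection
for device-wipe activity in a constructed, simplified MDM audit feed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Action names are constructed for this example, not Microsoft's schema.
WIPE_ACTIONS = {"deviceWipe", "deviceRetire", "deviceDelete"}

# Assumed: only these break-glass identities may issue wipes (action #2).
BREAK_GLASS_ALLOWLIST = {"breakglass.01@state.example"}

# Assumed business-hours window, 07:00-19:00 UTC.
BUSINESS_HOURS_UTC = (7, 19)

# Constructed sample events. The compromised-admin burst at 02:30 UTC is the
# scenario the post describes: a legitimate admin identity, no malware.
SAMPLE_EVENTS = [
    {"ts": "2026-03-19T10:15:00Z", "actor": "breakglass.01@state.example", "action": "deviceRetire", "device": "LAPTOP-0101"},
    {"ts": "2026-03-19T14:02:10Z", "actor": "helpdesk.alice@state.example", "action": "deviceWipe", "device": "LAPTOP-0412"},
    {"ts": "2026-03-19T14:05:00Z", "actor": "helpdesk.alice@state.example", "action": "deviceSync", "device": "LAPTOP-0412"},
    {"ts": "2026-03-20T02:30:00Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2001"},
    {"ts": "2026-03-20T02:30:20Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2002"},
    {"ts": "2026-03-20T02:30:40Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2003"},
    {"ts": "2026-03-20T02:31:00Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2004"},
    {"ts": "2026-03-20T02:31:20Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2005"},
    {"ts": "2026-03-20T02:31:40Z", "actor": "admin.compromised@state.example", "action": "deviceWipe", "device": "LAPTOP-2006"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, threshold=5, window_minutes=10, allowlist=BREAK_GLASS_ALLOWLIST):
    """Return a list of alert dicts for wipe-class activity outside the baseline.

    Rules (all parameters are example assumptions):
      wipe_by_non_breakglass  - any wipe-class action by an actor not in allowlist
      off_hours_wipe          - any wipe-class action outside BUSINESS_HOURS_UTC
      bulk_wipe               - >= threshold wipe-class actions by one actor
                                within window_minutes (alerted once per actor)
    """
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of wipes inside the window
    bulk_alerted = set()
    window = timedelta(minutes=window_minutes)

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in WIPE_ACTIONS:
            continue  # sync, inventory, etc. are not wipe-class actions
        ts = parse_ts(ev["ts"])
        actor = ev["actor"]

        if actor not in allowlist:
            alerts.append({"rule": "wipe_by_non_breakglass", "actor": actor,
                           "device": ev["device"], "ts": ev["ts"]})

        if not (BUSINESS_HOURS_UTC[0] <= ts.hour < BUSINESS_HOURS_UTC[1]):
            alerts.append({"rule": "off_hours_wipe", "actor": actor,
                           "device": ev["device"], "ts": ev["ts"]})

        # Sliding window of this actor's wipe timestamps.
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and actor not in bulk_alerted:
            bulk_alerted.add(actor)
            alerts.append({"rule": "bulk_wipe", "actor": actor, "count": len(q),
                           "window_minutes": window_minutes, "last": ev["ts"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a SOC dashboard would roll up."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(summarize(found))
```

<p>The bulk rule fires on the fifth wipe inside the window, well before a 200,000-device campaign would complete, and the allowlist rule fires on the very first wipe from any identity that is not a designated break-glass account, which is the point of action #2: once wipe rights are confined to a handful of accounts, every other actor issuing a wipe is a high-fidelity signal regardless of volume.</p>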