Cleartext – March 19, 2026
Thursday, March 19, 2026 · 8:24
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 5 topic areas, including: Srsly Risky Biz: Successful war leaves Iran with one option, its cyber forces; Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild; EU Sanctions Companies in China, Iran for Cyberattacks.
Stories Covered
🌍 Geopolitical
Srsly Risky Biz: Successful war leaves Iran with one option, its cyber forces
Risky Business News · Mar 19 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Iran's diminished conventional military options post-conflict make its cyber capabilities the regime's most attractive asymmetric tool — CISOs at critical infrastructure and healthcare organizations should anticipate sustained Iranian cyber operations.
- Analysis argues Iran will double down on cyber operations as cheapest and most resilient post-war capability
- Cyber operations are resilient to kinetic strikes and offer quick wins for the regime
- Context for elevated threat to US critical infrastructure and industrial sectors
Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild
Wired Security · Mar 18 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The DarkSword exploit kit chains three iOS zero-days for full device takeover via website visits, targeting executives and officials — CISOs must reassess mobile threat defense and consider forced iOS updates and MDM-enforced lockdown mode for senior leadership devices.
- DarkSword exploit kit uses 3 zero-day vulnerabilities for zero-click or minimal-interaction iPhone compromise
- Used by suspected Russian state-sponsored actors targeting Ukrainians, with commercial surveillance vendors also involved
- Affects devices running iOS 18; Google, Lookout, and iVerify jointly disclosed the findings
EU Sanctions Companies in China, Iran for Cyberattacks
Dark Reading · Mar 19 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: EU sanctions against Chinese and Iranian entities align with existing US and UK designations — CISOs must ensure third-party and supply chain vetting processes account for these sanctioned entities to avoid compliance violations.
- EU sanctioned companies in China and Iran for involvement in cyberattacks
- Entities were already sanctioned by the US and UK
- Sanctions prohibit entry and business dealings within the European Union
📡 Macro Trends
EDR killers are now standard equipment in ransomware attacks
Help Net Security · Mar 19 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: ESET tracked nearly 90 EDR killer tools in active use, making EDR bypass a standard ransomware playbook step — CISOs need to validate tamper-protection, implement canary processes, and test whether their EDR actually survives a privileged attacker.
- Nearly 90 EDR killer tools tracked actively in the wild by ESET Research
- Workflow is consistent: gain high privileges, kill EDR, then deploy encryptor
- EDR killers have become a standard component across multiple ransomware affiliate groups
🔓 Data Breach
Stryker Wiper Attack: Hackers Boast as Lawsuits Pile Up
BankInfoSecurity · Mar 19 · Relevance: █████████░ 9/10
Why it matters to CISOs: A destructive wiper attack attributed to Iranian actors against a major medtech company — with 200K systems wiped, 50TB exfiltrated, and class action lawsuits already filed — is a wake-up call for CISOs on geopolitical spillover risk and the legal consequences of inadequate endpoint management controls.
- Iranian hackers claim credit for wiping 200,000 Stryker systems and exfiltrating 50TB of data
- Multiple class action lawsuits already filed in federal court
- CISA issued guidance urging organizations to harden endpoint management tools like Microsoft Intune in response
Bank software vendor Marquis says more than 670,000 impacted by August breach
The Record (Recorded Future) · Mar 18 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A supply chain ransomware attack on a single financial services vendor impacted 74 banks and 672K individuals — underscoring the concentrated third-party risk CISOs face when critical vendors serve multiple institutions.
- Ransomware attack on Marquis in August 2025 affected 672,000 individuals
- 74 banks, credit unions and financial institutions impacted via a single vendor
- Stolen data includes personal and financial information including Social Security numbers
⚖️ Governance & Policy
Trump's National Cyber Strategy Leaves Industry Role Unclear
BankInfoSecurity · Mar 19 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The new national cyber strategy calls for deeper public-private coordination but lacks specifics on operational roles, legal protections, and incentives — leaving CISOs uncertain about what will actually be expected of their organizations in active threat disruption.
- Strategy pushes expanded threat visibility across critical infrastructure
- Lacks specifics on operational roles, incentives, and legal protections for industry
- Calls for industry to actively disrupt malicious activity without defining frameworks
When Liability Turns the CISO Into the Fall Guy
BankInfoSecurity · Mar 19 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Directly addresses the personal liability trend reshaping the CISO role — essential reading for security leaders negotiating reporting structures, D&O coverage, and board-level risk communication.
- Regulators increasingly pursuing individual CISO accountability after major breaches
- Rising liability is weakening security culture and making the role less attractive
- Security leaders are changing how they report risk to protect themselves legally
🚨 Critical Vulnerability
Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access
The Hacker News · Mar 18 · Relevance: █████████░ 9/10
Why it matters to CISOs: A CVSS 10.0 zero-day in Cisco Secure Firewall Management Center actively exploited by Interlock ransomware since January demands immediate patching — this is a critical network management plane compromise affecting widely deployed enterprise firewall infrastructure.
- CVE-2026-20131 carries a CVSS score of 10.0 and allows unauthenticated remote code execution
- Interlock ransomware has been exploiting it as a zero-day since late January 2026
- Amazon Threat Intelligence confirmed active campaign; Cisco has issued patches
Further Reading
- 🌍 Srsly Risky Biz: Successful war leaves Iran with one option, its cyber forces — Risky Business News
- 🌍 Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild — Wired Security
- 🌍 EU Sanctions Companies in China, Iran for Cyberattacks — Dark Reading
- 📡 EDR killers are now standard equipment in ransomware attacks — Help Net Security
- 🔓 Stryker Wiper Attack: Hackers Boast as Lawsuits Pile Up — BankInfoSecurity
- 🔓 Bank software vendor Marquis says more than 670,000 impacted by August breach — The Record (Recorded Future)
- ⚖️ Trump's National Cyber Strategy Leaves Industry Role Unclear — BankInfoSecurity
- ⚖️ When Liability Turns the CISO Into the Fall Guy — BankInfoSecurity
- 🚨 Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access — The Hacker News
Full Transcript
Jordan: Two hundred thousand systems wiped. Fifty terabytes exfiltrated. Class action lawsuits already stacking up in federal court. And the attackers? They're on the internet bragging about it and promising more. Welcome to Thursday.
Alex: This is Cleartext. I'm Alex Chen.
Jordan: And I'm Jordan Reeves.
Alex: It is March 19th, 2026, and if you had any doubt that geopolitical risk had become an operational security problem, today's episode should settle that. We've got the Stryker wiper attack and its legal fallout, a CVSS 10.0 Cisco zero-day actively being ransomed, Iranian threat elevation across the board, a new iPhone exploit kit in the wild, and a national cyber strategy that raises more questions than it answers. Let's get into it.
Jordan: Let's start with Stryker, because this is the story CISOs need to be briefing their boards on right now. Iranian actors — and they're not hiding it, they're claiming credit publicly — wiped two hundred thousand systems at one of the largest medtech companies in the world and walked out with fifty terabytes of data. Stryker is still in recovery. The attackers are already naming their next targets. And the plaintiffs' bar is working overtime.
Alex: What's notable here beyond the scale is the nature of the attack. This wasn't ransomware in the traditional encrypt-and-extort sense. This was a wiper. The intent was destruction. That changes the calculus significantly — your incident response playbook, your insurance coverage, your recovery timeline. Wiper attacks don't leave you a negotiation option. They leave you with a restore-from-backup problem, assuming your backups survived.
Jordan: CISA moved quickly on this one. They issued guidance specifically calling out endpoint management tooling — Microsoft Intune was named directly. The attack vector appears to have run through endpoint management infrastructure, which is a recurring theme we've been tracking. If you have privileged management planes that aren't air-gapped or tightly scoped, you are exposed.
Alex: And the lawsuits. Multiple class actions already filed in federal court. This is the part that should be keeping every CISO up at night — not because Stryker necessarily did something egregious, but because the litigation machine no longer waits for the investigation to conclude. The breach happens, the lawyers file within days. That's the environment we're operating in now, and it connects directly to something we'll come back to.
Jordan: Now let's talk about why Stryker probably isn't the last. The Risky Business crew — Tom Uren and Amberleigh Jack — published analysis today making the case that Iran is about to go harder on cyber, not lighter. The argument is straightforward: conventional military capability has taken significant hits. Cyber is cheap, resilient to kinetic strikes, and delivers results quickly. For a regime that needs wins, it's the obvious play.
Alex: And critically — it's not like they're starting from zero. Iran has mature cyber operations. APT33, APT34, IRGC-affiliated actors — these are sophisticated, patient, and increasingly destructive. The pivot from espionage and financial theft toward destructive operations is already underway. Stryker is evidence of that.
Jordan: Critical infrastructure and healthcare are the highest-priority sectors for elevated posture right now. If you're a CISO in energy, water, manufacturing, or healthcare and you don't have an Iran-specific threat model, build one. Today.
Alex: The EU took a step in that direction this week — sanctioning companies in China and Iran for cyberattack involvement. These entities were already on US and UK lists, so for most multinational organizations this isn't new exposure. But the compliance angle matters. If your third-party vetting process isn't cross-referencing against all three jurisdictions' sanctions lists, you have a gap. That's not a theoretical gap — that's a regulatory examination finding waiting to happen.
Jordan: Alright, let's talk about the Cisco zero-day because this one is straightforward and the action item is immediate. CVE-2026-20131 in Cisco Secure Firewall Management Center. CVSS 10.0. Unauthenticated remote code execution via insecure Java deserialization. Interlock ransomware has been exploiting this since late January — meaning this was a zero-day in active use for nearly two months before disclosure. Amazon Threat Intelligence confirmed the active campaign. Cisco has patches out.
Alex: The management plane issue again. FMC sits at the center of your firewall infrastructure. If an attacker has unauthenticated RCE on your Firewall Management Center, they effectively have the keys to your network segmentation. That's not a vulnerability — that's a catastrophe. Patch this today. If you can't patch immediately, restrict access to FMC to management VLANs only and verify that it is not internet-reachable. That should have been true already, but verify it now.
Jordan: DarkSword. New iPhone exploit kit, found in the wild, attributed to Russian state-sponsored actors. Three chained iOS zero-days. Zero-click or near-zero-click. Targets devices running iOS 18 via malicious website visits. Google, Lookout, and iVerify did the joint disclosure.
Alex: The targeting profile so far is Ukrainian officials and executives, with commercial surveillance vendors also in the mix. That second part matters — when commercial vendors get access to this capability, the targeting scope expands rapidly. We've seen this movie with Pegasus.
Jordan: For CISOs: the practical steps are straightforward. Force iOS updates across the fleet now. For your executive and board populations, MDM-enforced Lockdown Mode is worth the friction. And if you don't have mobile threat defense deployed, your endpoint visibility has a significant blind spot.
Alex: Speaking of blind spots — the EDR killer story from ESET this week is one of those findings that should trigger a direct operational test, not just a policy review. Nearly ninety distinct EDR killer tools tracked in active use. The ransomware workflow is consistent: gain elevated privileges, kill the EDR, deploy the encryptor. In that sequence, your EDR is gone before the destructive phase even begins.
Jordan: The question to ask your team right now is: does your EDR actually survive a privileged attacker? Not "does it have tamper protection enabled in the console" — does it survive. Run a red team test against it. Deploy canary processes that alert if the EDR service goes down unexpectedly. Treat EDR bypass as an assumed attacker capability, not an edge case.
Alex: The Marquis breach is a story that's easy to overlook because the number — six hundred seventy-two thousand individuals — sounds manageable until you realize it came from one vendor serving seventy-four financial institutions. One vendor. Seventy-four banks. That's the third-party concentration risk story in its most concrete form. If a single vendor in your supply chain has this kind of reach into your customer data, what's your contractual right to audit them? What's your notification SLA? What's your fallback?
Jordan: And that connects back to the governance layer. The Trump administration released its national cyber strategy this week. The direction — deeper public-private coordination, expanded threat visibility, industry actively disrupting malicious activity — is sensible at a high level. The execution detail is not there. No frameworks for operational roles. No legal protections for companies that take active countermeasures. No defined incentive structures.
Alex: What that means practically is that the strategy creates expectations without creating guardrails. CISOs who get drawn into more active threat disruption roles without legal clarity around safe harbors are taking on personal exposure. Which brings me to the liability story.
Jordan: The fall guy piece from BankInfoSecurity today is blunt and worth reading in full. The trend is clear: regulators are pursuing individual CISO accountability post-breach. That pressure is already changing behavior — security leaders are modifying how they document and communicate risk, not to be more transparent, but to be more legally defensible. That's a security culture problem with real consequences.
Alex: If you're a CISO and you haven't had an explicit conversation with your general counsel and your board about D&O coverage, indemnification, and your reporting structure, have it this week. Not because you're planning to fail — but because the external environment has changed and your personal exposure has changed with it. Document your risk communications. Be precise about what you recommended and what was accepted or deferred.
Jordan: Alright. The week's theme is pretty clear. Geopolitical conflict is no longer something that affects the threat landscape eventually — it's affecting it now, in real time, with destructive consequences for companies that have no direct involvement in the underlying conflict. Stryker didn't pick a side. It just operated in a sector that an adversary decided to target.
Alex: And the compounding factor is that the legal and regulatory environment hasn't caught up to that reality. CISOs are being held personally accountable under frameworks designed for a different era, while being asked to partner with government on threat disruption under frameworks that don't yet exist. That tension is going to define the role for the next several years.
Jordan: What to watch: whether CISA's Stryker-related endpoint guidance gets formalized into binding requirements for critical infrastructure sectors. And whether any of the class action suits name the CISO individually. Either outcome moves the needle significantly.
Alex: That's Cleartext for Thursday, March 19th. If you found this useful, share it with a peer who needs it. We'll be back tomorrow.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-19.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.