Cleartext – April 07, 2026
Tuesday, April 7, 2026·8:12
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware; German police unmask two suspects linked to REvil ransomware gang; Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations.
Stories Covered
🌍 Geopolitical
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
The Hacker News · Apr 07 · Relevance: █████████░ 9/10
Why it matters to CISOs: A China-nexus group that goes from zero-day initial access to ransomware deployment within 24 hours is a significant escalation in the blending of nation-state capability with financially motivated attacks. CISOs should reassess dwell-time assumptions and detection timelines for internet-facing systems; a detection window measured in days is too slow against this tempo.
- Microsoft links China-based Storm-1175 to Medusa ransomware deployment
- Group moves from initial access to ransomware deployment within 24 hours
- Combines zero-day and N-day vulnerabilities in high-velocity attacks targeting internet-facing systems
German police unmask two suspects linked to REvil ransomware gang
The Record (Recorded Future) · Apr 06 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Identification of REvil/GandCrab leadership demonstrates maturing international law enforcement cooperation against ransomware operators, relevant for CISOs tracking deterrence effectiveness and threat actor attribution in incident response and insurance negotiations.
- German BKA identified Daniil Shchukin (alias UNKN) and Anatoly Kravchuk as REvil/GandCrab leaders
- Both are Russian nationals; Kravchuk is Ukraine-born
- Investigation covers ransomware operations between 2019 and 2021
Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations
The Hacker News · Apr 06 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: This campaign shows how geopolitical conflict drives identity-based attacks at scale against cloud tenants. Password spraying succeeds against accounts with weak or reused passwords and no MFA, so CISOs with Middle East operations or exposure should review Microsoft 365 conditional access policies, confirm MFA is enforced on every account (including service and shared mailboxes), and block legacy authentication protocols, which cannot enforce MFA.
- Iran-nexus threat actor targeting 300+ Microsoft 365 organizations in Israel and UAE
- Campaign executed in three attack waves across March 2026
- Attributed to ongoing Middle East geopolitical conflict by Check Point researchers
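The following is an added example, not code from the episode or from the Check Point research it cites. It shows the detection logic a tenant defender would run over sign-in telemetry to separate a password spray (one source, many distinct accounts, roughly one guess each inside a short window) from ordinary brute force (one account, many guesses), and then lists any account that later signed in successfully from a spray source. It assumes the Entra ID sign-in log has been exported as JSON lines using the field names Entra ID itself uses (userPrincipalName, ipAddress, createdDateTime, status.errorCode); the log lines below are constructed, not real telemetry.

```python
"""Password-spray detection over Microsoft Entra ID sign-in log exports.

Added example; not from the episode or its sources. The sample records are
constructed. Assumed input format: JSON lines with the Entra ID sign-in log
field names (userPrincipalName, ipAddress, createdDateTime, status.errorCode).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Entra ID sign-in status.errorCode values.
INVALID_CREDENTIALS = 50126   # invalid username or password
ACCOUNT_LOCKED = 50053        # account locked after repeated failures
FAILURE_CODES = {INVALID_CREDENTIALS, ACCOUNT_LOCKED}

# Constructed sample: one source guesses once against six accounts in ~25 min
# (spray) and later succeeds against one of them; a second source hammers a
# single account (brute force, not a spray); one isolated failure; one
# legitimate success from an unrelated address.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2026-03-12T02:00:05Z", "userPrincipalName": "a.levi@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:04:11Z", "userPrincipalName": "d.cohen@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:09:40Z", "userPrincipalName": "M.Katz@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:13:02Z", "userPrincipalName": "r.mizrahi@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:18:27Z", "userPrincipalName": "s.peretz@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:22:55Z", "userPrincipalName": "y.friedman@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T03:10:14Z", "userPrincipalName": "m.katz@example.co.il", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2026-03-12T02:05:00Z", "userPrincipalName": "t.bar@example.co.il", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:05:30Z", "userPrincipalName": "t.bar@example.co.il", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:06:00Z", "userPrincipalName": "t.bar@example.co.il", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:06:30Z", "userPrincipalName": "t.bar@example.co.il", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T02:07:00Z", "userPrincipalName": "t.bar@example.co.il", "ipAddress": "198.51.100.7", "status": {"errorCode": 50053}}
{"createdDateTime": "2026-03-12T09:15:41Z", "userPrincipalName": "a.levi@example.co.il", "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}}
{"createdDateTime": "2026-03-12T09:16:03Z", "userPrincipalName": "a.levi@example.co.il", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}}
"""


def parse_signin_log(text):
    """Parse a JSON-lines sign-in export; adds a parsed 'ts' datetime to each record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_password_sprays(records, window=timedelta(hours=1), min_users=5, max_avg_attempts=2.0):
    """Return {source_ip: [targeted users]} for sources matching the spray signature.

    Signature: within any `window`, failures against at least `min_users`
    distinct accounts with on average no more than `max_avg_attempts` per
    account. Brute force (many attempts, one account) does not match.
    """
    failures = defaultdict(list)
    for rec in records:
        if rec["status"]["errorCode"] in FAILURE_CODES:
            failures[rec["ipAddress"]].append((rec["ts"], rec["userPrincipalName"].lower()))

    sprays = {}
    for ip, events in failures.items():
        events.sort()
        best_users, best_attempts, start = set(), 0, 0
        # Sliding window over time-ordered failures from this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_attempts = users, end - start + 1
        if len(best_users) >= min_users and best_attempts / len(best_users) <= max_avg_attempts:
            sprays[ip] = sorted(best_users)
    return sprays


def successes_from_spray_sources(records, sprays):
    """Accounts that signed in successfully from a spray source: reset and investigate these first."""
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["ipAddress"] in sprays and rec["status"]["errorCode"] == 0:
            hits.append((rec["userPrincipalName"].lower(), rec["ipAddress"]))
    return hits


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    found = find_password_sprays(recs)
    for ip, users in found.items():
        print(f"spray source {ip}: {len(users)} accounts targeted: {', '.join(users)}")
    for user, ip in successes_from_spray_sources(recs, found):
        print(f"SUCCESSFUL SIGN-IN from spray source {ip} for {user}")
```

Grouping by source IP is the simplest cut and the one that misses a spray distributed across a proxy pool; in practice, run the same window logic keyed on user agent or ASN as well, and compare against the tenant's own risk detections rather than relying on a single script. Thresholds (window, minimum accounts, attempts per account) are assumptions to tune against the tenant's normal failure rate.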
📡 Macro Trends
Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI
Infosecurity Magazine · Apr 07 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The FBI IC3 annual report is a key benchmark CISOs use for board-level risk communication; the $17.6B figure — with crypto scams at $7B and AI-enabled fraud rising — supports budget justification for anti-fraud, BEC, and AI-threat programs.
- $17.6 billion in cyber fraud losses reported to FBI in 2025
- Cyber-enabled fraud behind 85% of all losses and 45% of 1M+ complaints
- Cryptocurrency scams alone cost over $7 billion; AI-enabled fraud threats rising
⚖️ Governance & Policy
Trump's Budget Proposal Would Slash CISA After Bruising Year
BankInfoSecurity · Apr 07 · Relevance: █████████░ 9/10
Why it matters to CISOs: A $707M cut to CISA would significantly reduce federal cyber coordination, threat intelligence sharing, and critical infrastructure defense programs that enterprise security teams rely on for situational awareness and incident response support.
- FY2027 proposal cuts roughly $707 million from CISA
- Would reduce staffing, contractor support and coordination programs
- Agency would narrow focus to federal networks and critical infrastructure amid rising nation-state threats
🚀 Startup Ecosystem
Censys Raises $70M to Advance AI-Driven Threat Intelligence
BankInfoSecurity · Apr 07 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Censys is a core attack surface management and internet intelligence tool used by many enterprise security teams; a $70M raise signals continued investment in a platform CISOs depend on for external exposure visibility.
- Censys raised $70 million in new funding
- Focus on AI-driven real-time visibility into internet infrastructure
- CEO cites faster attacks requiring automated defenses powered by global intelligence
🚨 Critical Vulnerability
Fortinet customers confront actively exploited zero-day, with a full patch still pending
CyberScoop · Apr 06 · Relevance: █████████░ 9/10
Why it matters to CISOs: FortiClient EMS is widely deployed for endpoint management across enterprises; an actively exploited authentication bypass zero-day with only a hotfix available and CISA ordering federal agencies to patch by Friday makes this an immediate action item for any Fortinet shop.
- CVE-2026-35616 is an authentication bypass enabling unauthenticated remote code execution
- CISA has added it to the Known Exploited Vulnerabilities catalog with a Friday deadline
- Only an emergency hotfix is available; full patch is still pending from Fortinet
Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
BleepingComputer · Apr 06 · Relevance: ████████░░ 8/10
Why it matters to CISOs: An unpatched Windows privilege escalation zero-day with public exploit code, granting SYSTEM-level access on any affected host, demands immediate compensating controls across enterprise Windows estates while a Microsoft patch is pending.
- Exploit code publicly released for unpatched Windows privilege escalation flaw
- Allows attackers to gain SYSTEM or elevated administrator permissions
- Was reported privately to Microsoft but leaked by a disgruntled researcher before a patch was issued
Further Reading
- 🌍 China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware — The Hacker News
- 🌍 German police unmask two suspects linked to REvil ransomware gang — The Record (Recorded Future)
- 🌍 Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations — The Hacker News
- 📡 Over $17bn Lost to Cyber Fraud in the Last Year, Warns FBI — Infosecurity Magazine
- ⚖️ Trump's Budget Proposal Would Slash CISA After Bruising Year — BankInfoSecurity
- 🚀 Censys Raises $70M to Advance AI-Driven Threat Intelligence — BankInfoSecurity
- 🚨 Fortinet customers confront actively exploited zero-day, with a full patch still pending — CyberScoop
- 🚨 Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit — BleepingComputer
Full Transcript
Jordan: A China-linked threat actor just collapsed your dwell-time assumptions. Nation-state speed, ransomware payload, zero-day entry point — and they're done in under 24 hours. If your detection and response model is still built around days or weeks, today's show is for you.
Alex: This is Cleartext, Tuesday April 7th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Today we're covering the Storm-1175 escalation and what it means for every CISO who thought nation-state and ransomware were separate threat models. We've also got a critical Fortinet zero-day with a CISA Friday deadline, a leaked Windows exploit that's now public, the FBI's annual cyber fraud report with a number your board will want to see, and a proposed $707 million cut to CISA that, frankly, has worse timing than almost anything I can remember. Let's get into it.
Alex: Start with Storm-1175, Jordan, because this one reframes a fundamental assumption.
Jordan: It does. Microsoft's attribution here is significant — this is a China-nexus group operationally linked to Medusa ransomware deployment. And the detail that matters most isn't the zero-days, it's the clock. Initial access to ransomware detonation in under 24 hours. That is not a criminal gang with limited resources fumbling through a network. That is disciplined, pre-planned execution with nation-state tradecraft behind it.
Alex: And this is the blending problem we've been watching develop for a couple of years, but this is a step-change. Historically, you could draw a rough line — espionage actors move slow, stay quiet, prioritize persistence. Ransomware actors move fast and loud. Storm-1175 is doing both. They're using zero-days and N-days against internet-facing perimeter systems, which tells you they have a solid vulnerability research or acquisition pipeline, and then they're pivoting immediately to financial disruption.
Jordan: The geopolitical read here is that this gives China deniability on the financial motivation side while still degrading targets. It's coercive without being overtly attributable as state action. Whether the ransomware proceeds are funding operations or just muddying attribution — maybe both — the net effect for a CISO is the same. You have an adversary with nation-state capabilities operating at ransomware group speed.
Alex: So the board question becomes: what is your mean time to detect on your internet-facing assets, and is it measured in hours or days? Because if your SOC is tuned to catch something over a 72-hour window, Storm-1175 is already gone. This is the argument for continuous exposure management, for zero-trust segmentation that limits blast radius even when they're already in, and for automated detection that doesn't wait for a human analyst to connect the dots at 2 a.m.
Jordan: And frankly, this is also why the Censys raise we'll mention later is not just a funding story. Attack surface visibility on internet-facing systems isn't optional anymore. If Storm-1175 can find your exposed assets faster than your team can, that's the gap.
Alex: Speaking of infrastructure — Fortinet. CVE-2026-35616. Jordan, walk us through it.
Jordan: FortiClient EMS, authentication bypass, unauthenticated remote code execution. It's in CISA's Known Exploited Vulnerabilities catalog as of this week, and federal agencies have a patch deadline of Friday. The problem is there's no full patch yet — only an emergency hotfix from Fortinet. So you're being asked to deploy a hotfix on a product that's already being actively exploited, while the real fix is still in the oven.
Alex: If you run FortiClient EMS — and a significant percentage of this audience does — this is a P1 this week. Apply the hotfix now, accept the risk of an interim fix rather than the risk of unmitigated RCE. Review your network segmentation around EMS infrastructure, and flag this for your board if it's in scope for your critical systems. Don't wait for Friday if you haven't started already.
Jordan: And pair that with the other story from this week — BlueHammer. A disgruntled researcher privately reported a Windows privilege escalation zero-day to Microsoft, didn't get the response they wanted, and published the exploit code publicly. Now anyone can grab it. It grants SYSTEM-level access.
Alex: The researcher's grievance is almost irrelevant at this point — the code is out. What matters is that you now have an unpatched Windows privilege escalation with public exploit code circulating. Compensating controls while you wait for Microsoft: enforce least privilege rigorously, monitor for anomalous privilege escalation events, prioritize EDR coverage on endpoints where this would cause the most damage. It's a nuisance if you're hardened. It's catastrophic if you're not.
Jordan: Shifting gears — FBI IC3 annual report. $17.6 billion in cyber fraud losses in 2025. That's the headline number.
Alex: And it's the number you bring to your next board meeting. Crypto scams account for over $7 billion of that. AI-enabled fraud is flagged as a rising threat category. The 85% stat is the one I'd highlight for board conversations — 85% of all fraud losses tracked by IC3 are now cyber-enabled. That's not a niche problem anymore, that's the dominant fraud vector across the economy.
Jordan: The BEC line items are still significant. And the AI angle matters because we're starting to see fraud that defeats voice verification and identity confirmation workflows that were considered solid two years ago. If your financial controls or vendor payment processes rely on voice confirmation or email approval chains, those need a second look.
Alex: Now to the story that has the biggest long-term structural implications for this community: the proposed $707 million cut to CISA in the FY2027 budget.
Jordan: I'll be direct. The timing is extraordinary. We're covering a China-nexus ransomware group using zero-days at nation-state speed in the same episode where we're discussing gutting the federal agency responsible for critical infrastructure cyber defense and threat intelligence sharing. CISA's budget proposal would reduce staffing, cut contractor support, and narrow the agency's mission to federal networks and critical infrastructure — which means the coordination, threat intel sharing, and incident response support that enterprise security teams have relied on starts to go away.
Alex: Here's what this means practically. The information sharing pipelines — the sector-specific advisories, the joint advisories with NSA and FBI, the JCDC coordination — all of that depends on CISA's capacity. If that capacity shrinks significantly, the private sector absorbs the intelligence gap. Either you're funding your own threat intelligence at a higher level, leaning harder on commercial vendors, or you're operating with less context about the threat environment.
Jordan: For CISOs with critical infrastructure responsibilities — energy, finance, healthcare, water — this is a direct operational risk. The sector-specific CISA coordination programs are some of the most practically useful government-industry touchpoints that exist. Losing them is not a symbolic concern, it's a capability gap.
Alex: And if you're going to your board or CFO to justify threat intelligence spending, the IC3 report and this CISA development are your one-two punch. The threat environment is escalating and the federal backstop is contracting. That's a gap your budget needs to close.
Jordan: Briefly on Censys — $70 million raise to expand AI-driven attack surface management and internet infrastructure intelligence. The CEO's framing was direct: faster attacks require automated defenses built on high-quality, real-time global data. That's a legitimate thesis right now.
Alex: If you're using Censys, it's a validation that the platform's getting more investment. If you're not, given what we discussed with Storm-1175 and the speed of perimeter exploitation, external attack surface management is a conversation worth having this quarter.
Alex: On the law enforcement side — quick note on the German BKA identifying two REvil and GandCrab leaders, including UNKN. Both Russian nationals. This matters less as a deterrence win and more as a signal of how good international law enforcement attribution has gotten. For incident response and insurance negotiations, attribution is increasingly something you can reference with specificity.
Jordan: Let's close with the week's theme. What we're watching is a compression of assumptions — about dwell time, about the nation-state versus criminal divide, about the federal support structure we've built policy around for a decade. Storm-1175 compresses your detection window. The CISA cuts compress the federal safety net. Public zero-days compress your patch window. Everything that used to give defenders breathing room is getting shorter.
Alex: The strategic implication is that resilience architecture — not just detection — has to carry more weight. Your ability to contain, isolate, and recover fast matters more when the attacker is faster and the support structure is thinner. That's the planning conversation to have in the next 90 days.
Jordan: And practically, before you close this episode: FortiClient EMS hotfix, BlueHammer compensating controls, CISA funding impact assessment on your intel sourcing, and a dwell-time review on your internet-facing detection coverage.
Alex: That's Cleartext for Tuesday, April 7th. If this was useful, share it with a peer who needs the context. We'll be back tomorrow. Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-07.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.