<p> <strong> Threat Assessment Level: ELEVATED </strong> <em> (unchanged from prior cycle, trending toward HIGH) </em>
</p>
<p> <em> Previous assessment: ELEVATED. Maintained based on convergence of three actively exploited vectors targeting state government infrastructure with a federal remediation deadline of May 27. </em>
</p>
<h2> <strong> Executive Summary </strong>
</h2>
<p> State government IT leaders face a convergence of three actively exploited threats that demand immediate action this week. A critical Drupal vulnerability is being mass-exploited across thousands of sites, including government portals. The FBI has confirmed that a new phishing-as-a-service platform bypasses Microsoft 365 multi-factor authentication entirely. And end-of-life SonicWall VPN appliances are being exploited to achieve full domain compromise in under 40 minutes.
</p>
<p> These are not theoretical risks. They are happening now, against systems that state agencies operate today.
</p>
<h2> <strong> What Changed (Past 72 Hours) </strong>
</h2>
<table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Development </p> </th> <th> <p> Impact </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Apr 16 </p> </td> <td> <p> SonicWall Gen6 SSL-VPN reaches end-of-life </p> </td> <td> <p> No further security patches will be issued; CVE-2024-12802 exploitation remains unmitigated for unpatched appliances </p> </td> </tr> <tr> <td> <p> May 20 </p> </td> <td> <p> Drupal releases emergency patch for CVE-2026-9082 (CVSS 9.8) </p> </td> <td> <p> Critical SQL injection in Drupal Core affecting PostgreSQL backends </p> </td> </tr> <tr> <td> <p> May 21 </p> </td> <td> <p> CISA publishes 5 ICS advisories (ABB, Hitachi Energy, Siemens) </p> </td> <td> <p> Water/wastewater SCADA and building automation systems affected </p> </td> </tr> <tr> <td> <p> May 22 </p> </td> <td> <p> CISA adds CVE-2026-9082 to Known Exploited Vulnerabilities catalog </p> </td> <td> <p> Federal remediation deadline set for May 27 </p> </td> </tr> <tr> <td> <p> May 22–25 </p> </td> <td> <p> TrapDoor supply chain campaign expands to 34+ packages, 380+ versions </p> </td> <td> <p> npm, PyPI, and Crates.io ecosystems compromised; AI coding tools poisoned </p> </td> </tr> <tr> <td> <p> May 25 </p> </td> <td> <p> FBI issues PSA on Kali365 phishing-as-a-service platform </p> </td> <td> <p> Confirms device code authentication abuse bypasses MFA on M365 tenants </p> </td> </tr> <tr> <td> <p> May 25 </p> </td> <td> <p> Check Point publishes Nimbus Manticore (IRGC) campaign analysis </p> </td> <td> <p> AI-assisted malware, SEO poisoning via fake software download sites </p> </td> </tr> <tr> <td> <p> May 26 </p> </td> <td> <p> Microsoft dismantles Fox Tempest code-signing-as-a-service operation </p> </td> <td> <p> Temporary disruption to Rhysida ransomware and Lumma Stealer delivery </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> Timeframe </p> </th> <th> <p> Actor/Campaign </p> </th> <th> <p> Technique </p> </th> <th> <p> Target </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Feb–Apr 2026 </p> </td> <td> <p> Nimbus Manticore (IRGC) </p> </td> <td> <p> AppDomain hijacking, trojanized Zoom, SEO poisoning </p> </td> <td> <p> Aviation, software, government (indiscriminate via SEO) </p> </td> </tr> <tr> <td> <p> Feb–Mar 2026 </p> </td> <td> <p> Unknown IABs </p> </td> <td> <p> SonicWall Gen6 MFA bypass (CVE-2024-12802) </p> </td> <td> <p> Organizations running EOL VPN appliances </p> </td> </tr> <tr> <td> <p> Apr 2026 </p> </td> <td> <p> Kali365 / ShinyHunters </p> </td> <td> <p> Device code phishing, OAuth token theft </p> </td> <td> <p> Microsoft 365 environments including GCC tenants </p> </td> </tr> <tr> <td> <p> May 20–present </p> </td> <td> <p> Unknown (mass exploitation) </p> </td> <td> <p> SQL injection (CVE-2026-9082) </p> </td> <td> <p> Drupal sites on PostgreSQL — 15,000+ attacks across 6,000 sites </p> </td> </tr> <tr> <td> <p> May 22–25 </p> </td> <td> <p> TrapDoor campaign </p> </td> <td> <p> Malicious packages, AI assistant poisoning </p> </td> <td> <p> Developer environments, cloud credentials </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Play, SafePay, LockBit5, VICE SPIDER </p> </td> <td> <p> Ransomware, initial access brokering </p> </td> <td> <p> Government, public services, critical infrastructure </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> Volt Typhoon / Salt Typhoon (China) </p> </td> <td> <p> Pre-positioning in critical infrastructure </p> </td> <td> <p> U.S. government and critical infrastructure (no new indicators — assessed as collection gap) </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. CVE-2026-9082: Drupal Core SQL Injection — Mass Exploitation Underway </strong>
</h3>
<p> This is the most urgent threat facing state agencies this week. CVE-2026-9082 is a critical (CVSS 9.8) unauthenticated SQL injection vulnerability in Drupal Core affecting PostgreSQL-backed installations. Within 48 hours of the patch release on May 20, security firms observed over 15,000 exploitation attempts across 6,000 sites in 65 countries.
</p>
<p> <strong> Why this matters for state government: </strong> Many state agencies operate citizen-facing portals (licensing, benefits, tax services) built on Drupal with PostgreSQL backends. Successful exploitation grants attackers unauthenticated access to backend databases containing citizen PII.
</p>
<p> <strong> The federal deadline is May 27 </strong> — CISA's Binding Operational Directive 22-01 requires remediation by tomorrow. While BOD 22-01 applies directly to federal agencies, state agencies connected to federal systems or following CISA guidance should treat this as equally binding.
</p>
<p> <strong> ATT&CK Techniques: </strong> <strong> T1190 </strong> (Exploit Public-Facing Application), <strong> T1078 </strong> (Valid Accounts — post-exploitation)
</p>
<h3> <strong> 2. Kali365: MFA Is No Longer Sufficient for Microsoft 365 </strong>
</h3>
<p> The FBI's May 25 Public Service Announcement confirms what security researchers have been warning about since April: the Kali365 phishing-as-a-service platform exploits the OAuth device code authentication flow to steal M365 session tokens, completely bypassing multi-factor authentication.
</p>
<p> <strong> How it works: </strong> Attackers send victims a legitimate Microsoft device code login prompt. When the victim authenticates (including completing MFA), the attacker captures the resulting OAuth token. This grants full mailbox access, SharePoint access, and the ability to register persistent applications — all without triggering traditional MFA failure alerts.
</p>
<p> <strong> Key details: </strong>
</p>
<ul> <li> Distributed via Telegram with subscription pricing </li> <li> Includes AI-generated phishing lures customized per target </li> <li> Real-time victim tracking dashboard </li> <li> "Cookie Link" adversary-in-the-middle mode for additional credential capture </li> <li> ShinyHunters group confirmed as active users </li> <li> Targets include government GCC (Government Community Cloud) tenants </li>
</ul>
<p> <strong> ATT&CK Techniques: </strong> <strong> T1566.002 </strong> (Spearphishing Link), <strong> T1528 </strong> (Steal Application Access Token), <strong> T1539 </strong> (Steal Web Session Cookie), <strong> T1078.004 </strong> (Cloud Accounts)
</p>
<p> <strong> The critical gap: </strong> Device code authentication is enabled by default in Microsoft Entra ID (Azure AD). Most organizations have never restricted it because it was designed for IoT and conference room devices. This is not a vulnerability to patch — it is a configuration that must be explicitly restricted via Conditional Access policy.
</p>
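<p> The restriction described above is a Conditional Access policy, and the practical question for an IAM team is whether any existing policy already blocks the device code flow for everyone. The following audit is an added example and is not code from the briefing or from Anomali; it assumes the Microsoft Graph conditionalAccessPolicy JSON shape (state, conditions.users, conditions.authenticationFlows.transferMethods, grantControls.builtInControls), and the exported policy bodies and the group ID in it are constructed placeholders. </p>

```python
"""Audit exported Entra ID Conditional Access policies for a device code block.

Added example, not from the briefing. Assumes the Microsoft Graph
conditionalAccessPolicy layout; SAMPLE_EXPORT is constructed, not a real tenant.
"""


def blocks_device_code(policy: dict) -> bool:
    """True if this one policy is enforced, scoped to all users and blocks deviceCodeFlow."""
    if policy.get("state") != "enabled":          # report-only policies do not protect anyone
        return False
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    if "All" not in users:
        return False
    # transferMethods is a comma-separated flag string, e.g. "deviceCodeFlow,authenticationTransfer"
    flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    methods = {m.strip() for m in flows.split(",") if m.strip()}
    if "deviceCodeFlow" not in methods:
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def audit(policies: list[dict]) -> dict:
    """Tenant posture: which policies block device code, and which exclusions need review."""
    blocking = [p for p in policies if blocks_device_code(p)]
    exclusions = {}
    for p in blocking:
        users = p["conditions"]["users"]
        excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
        if excluded:
            exclusions[p["displayName"]] = excluded
    return {
        "covered": bool(blocking),
        "blocking_policies": [p["displayName"] for p in blocking],
        "exclusions": exclusions,   # every entry here is a device code path that stays open
    }


def recommended_policy(approved_group_id="<approved-device-accounts-group-id>"):
    """Policy body for the change the briefing calls for: block the device code flow for
    all users, excluding only a group that holds the approved IoT / conference-room
    accounts. The group ID is a placeholder, not a real object ID."""
    return {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [approved_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed export of a tenant that "requires MFA" but has the device code
# block only in report-only mode: the exact gap the briefing describes.
SAMPLE_EXPORT = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "authenticationFlows": None},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block device code flow (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_EXPORT))
    print("after: ", audit(SAMPLE_EXPORT + [recommended_policy()]))
```

<p> The MFA policy in the sample is deliberately irrelevant to the result: the victim of a device code lure completes MFA, so a "require MFA" grant never fires against the stolen token. Only a policy that names deviceCodeFlow and grants "block" changes the audit outcome, and every exclusion it carries should map to a device on the approved list. </p>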
<h3> <strong> 3. SonicWall Gen6 VPN: 40 Minutes to Domain Compromise </strong>
</h3>
<p> CVE-2024-12802 allows attackers to bypass MFA on SonicWall Gen6 SSL-VPN appliances. Active exploitation was confirmed in February–March 2026, with attackers achieving full domain compromise within 40 minutes of initial VPN authentication.
</p>
<p> <strong> Critical complication: </strong> The firmware patch alone is insufficient. Six manual LDAP reconfiguration steps are required to fully remediate. And SonicWall Gen6 reached end-of-life on April 16, 2026 — no further security updates will be issued.
</p>
<p> <strong> For state agencies: </strong> This is no longer a patching decision. It is a procurement and migration decision. Every day a Gen6 appliance remains in production is a day of unmitigated risk with no vendor support path.
</p>
<p> <strong> ATT&CK Techniques: </strong> <strong> T1133 </strong> (External Remote Services), <strong> T1556.006 </strong> (Modify Authentication Process), <strong> T1078 </strong> (Valid Accounts)
</p>
<h3> <strong> 4. Nimbus Manticore (IRGC): AI-Assisted Malware and SEO Poisoning </strong>
</h3>
<p> Iran's IRGC-affiliated Nimbus Manticore (also tracked as UNC1549) conducted three campaign waves between February and April 2026 as part of Operation Epic Fury:
</p>
<ul> <li> <strong> Wave 1: </strong> Fake career offers delivering the MiniJunk backdoor via AppDomain hijacking </li> <li> <strong> Wave 2: </strong> Trojanized Zoom installers delivering the MiniFast RAT </li> <li> <strong> Wave 3: </strong> SEO poisoning via the domain getsqldeveloper[.]com delivering MiniFast </li>
</ul>
<p> <strong> The SEO poisoning vector is indiscriminate. </strong> Any state employee searching for legitimate software downloads (SQL Developer, development tools) could encounter poisoned search results. The AI-assisted development of MiniFast indicates Iranian cyber capabilities are accelerating.
</p>
<p> <strong> ATT&CK Techniques: </strong> <strong> T1608.006 </strong> (SEO Poisoning), <strong> T1574.014 </strong> (AppDomainManager Injection), <strong> T1059.001 </strong> (PowerShell), <strong> T1071.001 </strong> (Web Protocols)
</p>
<h3> <strong> 5. TrapDoor: Supply Chain Compromise Targeting Developer Credentials </strong>
</h3>
<p> The TrapDoor campaign has expanded to 34+ malicious packages across 380+ versions on npm, PyPI, and Crates.io. Beyond traditional credential theft, this campaign introduces a novel technique: poisoning AI coding assistant configuration files (.cursorrules, CLAUDE.md) to influence AI tools into exfiltrating secrets.
</p>
<p> <strong> Persistence mechanisms include: </strong> git hooks, systemd services, cron jobs, and SSH authorized key injection.
</p>
<p> <strong> State government relevance: </strong> Application modernization projects that consume open-source packages are at risk. Developer workstations with access to state cloud infrastructure (Azure Government, AWS GovCloud) represent high-value targets for credential theft that could cascade into broader compromise.
</p>
<p> <strong> ATT&CK Techniques: </strong> <strong> T1195.001 </strong> (Supply Chain Compromise — Software Dependencies), <strong> T1552.001 </strong> (Credentials in Files), <strong> T1098.004 </strong> (SSH Authorized Keys), <strong> T1053.003 </strong> (Cron)
</p>
<h3> <strong> 6. Ransomware Landscape: Disruption and Adaptation </strong>
</h3>
<p> <strong> Positive development: </strong> Microsoft's takedown of Fox Tempest disrupts a major malware-signing-as-a-service operation that enabled Rhysida ransomware, Oyster backdoor, Lumma Stealer, and Vidar infostealer distribution. This will temporarily reduce the volume of signed malware evading endpoint detection.
</p>
<p> <strong> However: </strong> Expect ransomware operators to migrate to alternative code-signing services within 2–4 weeks. Active ransomware groups targeting government and public services include Play, SafePay, LockBit5, and VICE SPIDER (distributing BubbleLoader and SocksShell). Fresh indicators of compromise for VICE SPIDER were collected this cycle.
</p>
<h3> <strong> 7. ICS/OT Advisories: Water, Building Automation, and Industrial Networks </strong>
</h3>
<p> CISA published five ICS advisories on May 21 affecting systems commonly deployed in state government facilities:
</p>
<ul> <li> <strong> ABB B&R Automation Studio </strong> and B&R PCs (building automation) </li> <li> <strong> ABB Terra AC Wallbox </strong> (EV charging infrastructure) </li> <li> <strong> Hitachi Energy GMS600 </strong> (CVE-2022-4304 — OpenSSL timing side-channel) </li> <li> <strong> Siemens RUGGEDCOM APE1808 </strong> (PAN-OS buffer overflow in Captive Portal) </li>
</ul>
<p> State agencies operating water/wastewater SCADA systems, building automation, or industrial network equipment should review these advisories immediately.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Automated Drupal CVE-2026-9082 exploitation hits state government portals </p> </td> <td> <p> <strong> HIGH (85%) </strong> </p> </td> <td> <p> 24–72 hours </p> </td> <td> <p> 15,000+ attacks already observed; state Drupal instances are discoverable via Shodan </p> </td> </tr> <tr> <td> <p> Kali365 campaigns specifically target state government M365 tenants </p> </td> <td> <p> <strong> HIGH (75%) </strong> </p> </td> <td> <p> 1–2 weeks </p> </td> <td> <p> Platform is maturing rapidly; government email addresses are high-value targets for espionage and BEC </p> </td> </tr> <tr> <td> <p> Ransomware actors migrate to new signing services post-Fox Tempest takedown </p> </td> <td> <p> <strong> HIGH (80%) </strong> </p> </td> <td> <p> 2–4 weeks </p> </td> <td> <p> Historical pattern: infrastructure disruption causes temporary pause, not permanent cessation </p> </td> </tr> <tr> <td> <p> Volt Typhoon/Salt Typhoon activity resurfaces with new indicators </p> </td> <td> <p> <strong> HIGH (70%) </strong> </p> </td> <td> <p> 1–4 weeks </p> </td> <td> <p> Current absence likely reflects collection gap, not reduced operations </p> </td> </tr> <tr> <td> <p> Ransomware group exploits SonicWall Gen6 MFA bypass as initial access to state network </p> </td> <td> <p> <strong> MODERATE-HIGH (65%) </strong> </p> </td> <td> <p> 2–4 weeks </p> </td> <td> <p> IAB activity confirmed; ransomware groups routinely purchase VPN access from brokers </p> </td> </tr> <tr> <td> <p> TrapDoor-compromised developer credentials used to access state cloud infrastructure </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 2–6 weeks </p> </td> <td> <p> Depends on whether state dev teams consumed affected packages </p> </td> </tr> <tr> <td> <p> Nimbus Manticore SEO poisoning delivers malware to state employee 
workstation </p> </td> <td> <p> <strong> MODERATE (45%) </strong> </p> </td> <td> <p> Ongoing </p> </td> <td> <p> Indiscriminate vector; probability increases with time exposed </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> What to Monitor </p> </th> <th> <p> ATT&CK ID </p> </th> <th> <p> Detection Logic </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> Device code authentication attempts in Entra ID sign-in logs </p> </td> <td> <p> <strong> T1528 </strong> </p> </td> <td> <p> Alert on authenticationProtocol == "deviceCode" for any user not on an approved IoT/conference device list </p> </td> </tr> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> Drupal web application logs for SQL injection patterns </p> </td> <td> <p> <strong> T1190 </strong> </p> </td> <td> <p> WAF rules for UNION-based and blind SQLi against Drupal endpoints; monitor for unexpected database queries </p> </td> </tr> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> SonicWall VPN authentication anomalies </p> </td> <td> <p> <strong> T1133 </strong> , <strong> T1556.006 </strong> </p> </td> <td> <p> Alert on successful VPN auth from Gen6 appliances followed by rapid lateral movement (< 60 min to DC) </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> AppDomainManager injection (.NET config hijacking) </p> </td> <td> <p> <strong> T1574.014 </strong> </p> </td> <td> <p> Monitor for unexpected modifications to web.config or application .config files loading unsigned assemblies </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> SEO poisoning delivery — getsqldeveloper[.]com </p> </td> <td> <p> <strong> T1608.006 </strong> </p> </td> <td> <p> DNS/proxy block; alert on any resolution attempt; hunt for recent downloads of SQL Developer from non-Oracle sources </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> Supply chain indicators — unexpected files in dev environments </p> </td> <td> <p> <strong> T1195.001 </strong> </p> </td> <td> <p> Scan for .cursorrules and CLAUDE.md files in repositories; audit npm/pip install logs for packages added May 
22–25 </p> </td> </tr> <tr> <td> <p> <strong> P3 </strong> </p> </td> <td> <p> PowerShell execution with encoded commands post-initial access </p> </td> <td> <p> <strong> T1059.001 </strong> </p> </td> <td> <p> Behavioral detection for encoded PowerShell spawned by w3wp.exe or after VPN authentication </p> </td> </tr> <tr> <td> <p> <strong> P3 </strong> </p> </td> <td> <p> Scheduled task/cron creation for persistence </p> </td> <td> <p> <strong> T1053.003 </strong> </p> </td> <td> <p> Alert on new cron jobs or systemd services created by non-administrative processes </p> </td> </tr> </tbody>
</table>
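<p> The P1 SonicWall row above describes a time-window correlation rather than a single signature. The code below is an added example, not from the briefing, Anomali or SonicWall: it assumes VPN and domain-controller events have already been normalised into one line format (ISO timestamp, event kind, key=value fields) with the VPN-assigned client IP carried on the AD events, and the event lines it runs over are constructed samples. It flags a Gen6 VPN login that is followed, within 60 minutes, by several LDAP queries and a service-account logon from the same client IP. </p>

```python
"""Correlate SonicWall Gen6 VPN logins with rapid Active Directory activity.

Added example. Assumes normalised event lines "<ISO ts> <kind> key=value ...";
SAMPLE_EVENTS below are constructed, not real logs.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # the briefing's "under 60 minutes to DC" threshold
LDAP_THRESHOLD = 5               # a burst of directory queries, not one lookup

# Constructed: one Gen6 session that enumerates the directory and reaches a
# service account in 30 minutes, one Gen7 session and one quiet Gen6 session.
SAMPLE_EVENTS = """\
2026-03-04T09:00:12 vpn_auth user=jdoe ip=10.8.0.15 appliance=gen6-hq
2026-03-04T09:03:30 ldap_query ip=10.8.0.15 account=jdoe base=DC=state,DC=example
2026-03-04T09:04:10 ldap_query ip=10.8.0.15 account=jdoe base=DC=state,DC=example
2026-03-04T09:06:45 ldap_query ip=10.8.0.15 account=jdoe base=OU=Servers,DC=state,DC=example
2026-03-04T09:08:02 ldap_query ip=10.8.0.15 account=jdoe base=OU=ServiceAccounts,DC=state,DC=example
2026-03-04T09:12:18 ldap_query ip=10.8.0.15 account=jdoe base=OU=Admins,DC=state,DC=example
2026-03-04T09:19:55 ldap_query ip=10.8.0.15 account=jdoe base=CN=Users,DC=state,DC=example
2026-03-04T09:31:02 logon ip=10.8.0.15 account=svc_backup host=DC01
2026-03-04T10:15:44 vpn_auth user=asmith ip=10.8.0.22 appliance=gen7-branch
2026-03-04T10:20:01 ldap_query ip=10.8.0.22 account=asmith base=CN=Users,DC=state,DC=example
2026-03-04T11:05:09 vpn_auth user=mlee ip=10.8.0.31 appliance=gen6-hq
2026-03-04T11:09:50 ldap_query ip=10.8.0.31 account=mlee base=CN=Users,DC=state,DC=example
"""


def parse_events(text):
    """Turn normalised lines into dicts with a datetime 'ts' and a 'kind'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for field in fields:
            key, _, value = field.partition("=")   # values may themselves contain '='
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW, ldap_threshold=LDAP_THRESHOLD):
    """One alert per Gen6 VPN login whose client IP shows a directory burst and a
    service-account logon inside the window."""
    alerts = []
    for v in events:
        if v["kind"] != "vpn_auth" or not v.get("appliance", "").startswith("gen6"):
            continue
        t0 = v["ts"]
        later = [e for e in events if e.get("ip") == v["ip"] and t0 < e["ts"] <= t0 + window]
        ldap = [e for e in later if e["kind"] == "ldap_query"]
        svc = [e for e in later if e["kind"] == "logon" and e.get("account", "").startswith("svc_")]
        if len(ldap) >= ldap_threshold and svc:
            alerts.append({
                "user": v["user"],
                "appliance": v["appliance"],
                "vpn_time": t0.isoformat(),
                "ldap_queries": len(ldap),
                "service_accounts": sorted({e["account"] for e in svc}),
                "minutes_to_service_account": int((svc[0]["ts"] - t0).total_seconds() // 60),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(a)
```

<p> Only the first session trips the rule: the Gen7 login is out of scope for this advisory, and the second Gen6 login never reaches the LDAP threshold or a service account. Dropping the appliance filter turns the same logic into a general VPN-to-domain escalation detector, at the cost of more tuning on the thresholds. </p>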
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ul> <li> <strong> "Has device code phishing already succeeded?" </strong> — Query Entra ID sign-in logs for the past 30 days for authenticationProtocol == "deviceCode" events. Correlate with user reports of unexpected MFA prompts. Any successful device code auth from a non-approved device is a potential compromise. </li> <li> <strong> "Are our Drupal instances already compromised?" </strong> — Review web server access logs for POST requests to Drupal form endpoints with SQL metacharacters. Check for new database users or unexpected privilege escalations in PostgreSQL audit logs. </li> <li> <strong> "Did any developer install a TrapDoor package?" </strong> — Search package manager lock files (package-lock.json, Pipfile.lock, Cargo.lock) for packages updated between May 22–25. Search file systems for trap-core.js, unexpected .cursorrules, or CLAUDE.md files outside of known AI tool configurations. </li> <li> <strong> "Is a SonicWall Gen6 appliance being used as an entry point?" </strong> — Correlate VPN authentication logs from Gen6 devices with subsequent Active Directory authentication events. A pattern of VPN login → multiple LDAP queries → service account usage within 60 minutes indicates active exploitation. </li>
</ul>
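<p> The first hunting hypothesis, and the P1 device code row in the detection table, both come down to the same query over exported sign-in records. The following is an added example, not code from the briefing or from Microsoft: it assumes the Microsoft Graph signIn record layout (userPrincipalName, authenticationProtocol, deviceDetail.deviceId, status.errorCode, createdDateTime, ipAddress, appDisplayName), the records are constructed samples, and the approved-device list is a placeholder. Successful device code sign-ins from unapproved devices are separated from failed attempts, because the first group is where session tokens must be revoked. </p>

```python
"""Hunt Entra ID sign-in logs for device code authentications from unapproved devices.

Added example. Assumes the Microsoft Graph signIn record layout; the log below
is constructed and the approved device IDs are placeholders.
"""
import json

# Placeholder: device IDs of the explicitly approved IoT / conference-room devices.
APPROVED_DEVICE_IDS = {"conf-room-3b-teams-panel"}

# Constructed export, one JSON record per line: an ordinary OAuth sign-in, an
# approved room panel, a successful device code sign-in from an unregistered
# device, and a failed one (errorCode 50126, invalid credentials).
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2026-05-20T08:02:11Z", "userPrincipalName": "j.doe@agency.example", "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook", "ipAddress": "203.0.113.10", "deviceDetail": {"deviceId": "laptop-0042"}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-20T09:15:40Z", "userPrincipalName": "room3b@agency.example", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Teams", "ipAddress": "198.51.100.7", "deviceDetail": {"deviceId": "conf-room-3b-teams-panel"}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-21T13:47:03Z", "userPrincipalName": "a.smith@agency.example", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.55", "deviceDetail": {"deviceId": ""}, "status": {"errorCode": 0}}
{"createdDateTime": "2026-05-21T13:52:19Z", "userPrincipalName": "b.lee@agency.example", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "192.0.2.55", "deviceDetail": {"deviceId": ""}, "status": {"errorCode": 50126}}
"""


def parse_signins(text):
    """Parse a newline-delimited JSON export into record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_device_code_signins(records, approved_device_ids=APPROVED_DEVICE_IDS):
    """Every device code sign-in that did not come from an approved device,
    tagged by whether it succeeded (token issued) or only was attempted."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        device_id = (r.get("deviceDetail") or {}).get("deviceId") or ""
        if device_id in approved_device_ids:
            continue
        succeeded = (r.get("status") or {}).get("errorCode") == 0
        findings.append({
            "time": r["createdDateTime"],
            "user": r["userPrincipalName"],
            "app": r.get("appDisplayName"),
            "ip": r.get("ipAddress"),
            "device_id": device_id or "(none)",
            "severity": "potential_compromise" if succeeded else "attempt",
        })
    return findings


def summarize(findings):
    """Counts per severity plus the users whose sessions should be revoked and
    whose registered applications and consents should be reviewed."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    compromised = sorted({f["user"] for f in findings if f["severity"] == "potential_compromise"})
    return {"counts": counts, "revoke_sessions_for": compromised}


if __name__ == "__main__":
    found = find_device_code_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for f in found:
        print(f)
    print(summarize(found))
```

<p> The same two-way split applies once a blocking Conditional Access policy is in place: blocked device code sign-ins still appear in the log as failures, so the "attempt" count becomes a measure of how often users are being lured, while any new "potential_compromise" entry means an exclusion is too broad. </p>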
<h3> <strong> IOC Blocking Guidance </strong>
</h3>
<table> <thead> <tr> <th> <p> Type </p> </th> <th> <p> Value </p> </th> <th> <p> Context </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> getsqldeveloper[.]com </p> </td> <td> <p> Nimbus Manticore SEO poisoning — MiniFast RAT delivery </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> calendly[.]live </p> </td> <td> <p> Suspicious infrastructure (typosquat) </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> picktime[.]live </p> </td> <td> <p> Suspicious infrastructure (typosquat) </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> aes-secure[.]net </p> </td> <td> <p> Suspicious infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> azureglobalaccelerator[.]com </p> </td> <td> <p> Suspicious infrastructure (typosquat of Azure service) </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> dd70e40a0525db5c516d77a381e10280a9a9eb8b8028a57282e4525c3bf9d407 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> aa2badddd074bbdcd5ebcd301da2a7927b4dc20095cd8049a0778f263b0abae5 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 4d4bdb02b1e1d98fdd6cacecf91392be589e3792d0b64251351591dc0b578736 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> d1595f3761fb61ba20d8c5af0557239e9ce6eaab214c044c39af1de44c50dc42 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 3c4c099745bf77a57446e3b4da24d971ceac98176d3105021ef08a8dd475471f </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 086030087bd7298ad29bd0bb90ffecbafa142ba50b130692866f07611480d8eb </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> eb1405dcd5f4c194781e0757918985f42644afecfaeceb3470b81b43bcc52b78 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 
0e7f7dd1f1d9e6cc26a759f339d226f9fd637d03f4077d767b35605bc9ef14a0 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 0a76a0e53e8a07d857210a26f6b4de3e169aaf68e7a45409eec436fcd25ade0e </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> cc78dc022a4d994f5afbdf9a08411ff88a67a8618d36dc02fdc00b151ec2c46d </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> b913d78eb460f17ba53f49c892bd763abb1a95cdfe32e5f5567650f45bf2ff18 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 0e3a876a0d48006516e546a25044a44f22707b686a5374bc8e6906b1fb3ba2ec </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> bddca906b83ce0aa8838466e44450d3aa8f91774fc9982cc20cc922ea64fb7ea </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 094a5b7d261eea0c7f0a6e23f67cf24e51cc5bc4d8e1654f76a0423769654d6f </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 5ebf47b4320129a0a1653e73ace57f6d </p> </td> <td> <p> VICE SPIDER / BubbleLoader indicator </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> a7022795ecb72c7516e3ae9bd75cd837 </p> </td> <td> <p> VICE SPIDER / SocksShell indicator </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 3b2fe4e535f5e2380b1c2101ee3146b804e5790b </p> </td> <td> <p> Malware sample </p> </td> </tr> </tbody>
</table>
<p> <em> Additional IOCs available via Anomali ThreatStream Next-Gen. </em>
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> CVE-2026-9082 exploitation of Drupal-based tax and benefits portals containing citizen financial data </li> <li> <strong> Secondary threat: </strong> Kali365 credential theft targeting finance staff with access to payment systems </li> <li> <strong> Action: </strong> Immediately verify Drupal patch status on all revenue-facing applications. Implement transaction monitoring for anomalous database queries. Enforce Conditional Access restrictions on finance department M365 accounts as priority cohort. </li>
</ul>
<h3> <strong> Energy (State-Regulated Utilities, Grid Operations) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> ICS advisories affecting ABB B&R (building automation, substation control) and Siemens RUGGEDCOM (utility network switches) </li> <li> <strong> Secondary threat: </strong> Volt Typhoon pre-positioning — absence of new indicators does NOT indicate reduced risk </li> <li> <strong> Action: </strong> Conduct asset inventory of ABB and Siemens equipment in state-regulated facilities. Verify network segmentation between IT and OT environments. Ensure ICS advisory patches (icsa-26-141-01 through -05) are evaluated for applicability within 7 days. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Ransomware groups (Play, SafePay, LockBit5) actively targeting public services sector — healthcare data is highest-value extortion target </li> <li> <strong> Secondary threat: </strong> Drupal exploitation of health portal systems containing PHI </li> <li> <strong> Action: </strong> Validate offline backup integrity for Medicaid and health information exchange systems. Ensure ransomware playbook includes HIPAA breach notification timelines. Prioritize Drupal patching on any system handling protected health information. </li>
</ul>
<h3> <strong> Government (Executive Branch Agencies, Legislature, Courts) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Kali365 device code phishing targeting M365 GCC tenants — government email compromise enables espionage and lateral movement </li> <li> <strong> Secondary threat: </strong> SonicWall Gen6 exploitation providing initial access to agency networks </li> <li> <strong> Action: </strong> Deploy Conditional Access policy blocking device code auth TODAY. Inventory all SonicWall Gen6 appliances across agencies and establish emergency migration timeline. Brief agency heads on the FBI Kali365 warning with specific guidance on recognizing device code phishing attempts. </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Airport Authorities, Port Operations) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Nimbus Manticore (IRGC) — Operation Epic Fury specifically targeted aviation sector with fake career offers and trojanized tools </li> <li> <strong> Secondary threat: </strong> Supply chain compromise via TrapDoor affecting logistics software development </li> <li> <strong> Action: </strong> Alert aviation and transportation IT staff to the SEO poisoning vector — block getsqldeveloper[.]com and brief staff on verifying software download sources. Review any recent hiring-related file attachments for AppDomain hijacking indicators. Audit development dependencies in transportation management systems. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch all Drupal instances </strong> for CVE-2026-9082 before the May 27 CISA BOD deadline. Prioritize PostgreSQL-backed citizen portals. Verify patch via version check AND SQLi response testing. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> Identity/IAM Team </p> </td> <td> <p> <strong> Block device code authentication </strong> in Microsoft Entra ID via Conditional Access policy. Exempt only explicitly approved IoT/conference devices. Monitor Entra sign-in logs for DeviceCodeFlow events. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> Network Operations </p> </td> <td> <p> <strong> Identify all SonicWall Gen6 SSL-VPN appliances </strong> in production. Verify the 6 LDAP reconfiguration steps are completed (firmware patch alone is insufficient). Initiate emergency change request for migration to supported platforms. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block domains </strong> getsqldeveloper[.]com, calendly[.]live, picktime[.]live, aes-secure[.]net, azureglobalaccelerator[.]com at DNS and web proxy layers. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> DevOps / AppDev </p> </td> <td> <p> <strong> Audit all npm, PyPI, and Cargo dependencies </strong> in state projects for packages added/updated May 22–25. Search for .cursorrules and CLAUDE.md files. Rotate credentials (GitHub tokens, cloud keys, SSH keys) on any affected machine. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> SOC / Threat Hunt </p> </td> <td> <p> <strong> Deploy detection for MiniFast/MiniJunk </strong> — EDR behavioral rules for AppDomainManager injection, YARA signatures for known samples. Hunt for PowerShell execution spawned by w3wp.exe. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> OT/ICS Team </p> </td> <td> <p> <strong> Review ICS asset inventory </strong> for ABB B&R, Hitachi Energy GMS600, and Siemens RUGGEDCOM deployments. Evaluate CISA ICS advisories for applicability and schedule maintenance windows. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Retroactive hunt for device code phishing </strong> — query 30 days of Entra sign-in logs for device code authentication events. Investigate any from non-approved devices. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 9 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Develop AI coding assistant security policy </strong> — TrapDoor's poisoning of .cursorrules/CLAUDE.md files demonstrates that AI tool configurations are now an attack surface. Require integrity monitoring and approval workflows for AI tool config changes. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> CISO / Procurement </p> </td> <td> <p> <strong> Resolve intelligence collection gap </strong> — issue RFP for replacement open-source intelligence feed. 100 days of single-source dependency on commercial feeds creates a corroboration blind spot that degrades threat assessment confidence. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Complete SonicWall Gen6 migration </strong> — these devices are end-of-life with no future patches. Every day in production is unmitigated risk. Budget and procure Gen7/Gen8 or alternative VPN solution. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to address device code phishing (token revocation procedures), supply chain compromise (dependency audit runbooks), and Drupal exploitation (database forensics for PostgreSQL). </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> Executive Leadership </p> </td> <td> <p> <strong> Brief agency CIOs </strong> on the convergence of identity infrastructure attacks (Kali365 + SonicWall + supply chain credentials). Request emergency budget authority for VPN migration and enhanced identity monitoring tooling. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Continuity Note: Persistent Threats </strong>
</h2>
<p> The following threats from prior cycles remain active and should not be deprioritized despite no new indicators this cycle:
</p>
<ul> <li> <strong> Volt Typhoon / Salt Typhoon (China-nexus): </strong> Silent pre-positioning in U.S. critical infrastructure continues. Absence of new indicators is assessed as a collection gap, not reduced threat. </li> <li> <strong> APT28 (GRU Unit 26165): </strong> WhatsApp phishing of government officials remains active. </li> <li> <strong> APT29 / Midnight Blizzard (SVR): </strong> Potential linkage to Lithuania breach (600,000+ records); investigation ongoing. </li> <li> <strong> Ransomware ecosystem: </strong> Fox Tempest takedown provides temporary relief but expect actor migration to new signing infrastructure within 2–4 weeks. </li>
</ul>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government IT systems is defined by a single theme this week: <strong> the erosion of trust boundaries. </strong> Your Drupal portals are being probed by automated scanners right now. Your MFA protections can be bypassed by a $200/month Telegram subscription. Your VPN appliances — the very devices meant to secure remote access — are being used as entry points for domain compromise.
</p>
<p> The federal remediation deadline for CVE-2026-9082 is <strong> tomorrow, May 27. </strong> If your agencies run Drupal on PostgreSQL and have not yet patched, the window for proactive defense is measured in hours, not days.
</p>
<p> Three decisions require senior leadership action today:
</p>
<ul> <li> <strong> Confirm Drupal patch status </strong> across all agencies before the May 27 deadline. </li> <li> <strong> Approve the Conditional Access policy change </strong> to block device code authentication in M365. </li> <li> <strong> Authorize emergency SonicWall Gen6 migration </strong> — these devices cannot be secured. </li>
</ul>
<p> The positive news: Microsoft's disruption of Fox Tempest removes a key enabler from the ransomware supply chain. But this is a temporary reprieve. Use it to harden your defenses before the ecosystem adapts.
</p>
<p> <em> Published 2026-05-26 by Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional IOC feeds, contact your Anomali representative or access indicators directly via Anomali ThreatStream Next-Gen. </em>
</p>