Anomali Cyber Watch
Public Sector
Actively Exploited SharePoint Flaw, Help Desk Vishing Surge, and ICS Advisories Demand Immediate State Government Action

Published on
July 2, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> <em> (Unchanged from prior cycle. Escalation to HIGH remains possible within 72 hours if SharePoint exploitation expands to government targets or a new state-sector ransomware incident materializes.) </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government IT leaders face a convergence of threats this week that demand immediate operational response. A newly exploited Microsoft SharePoint vulnerability is now on CISA's Known Exploited Vulnerabilities catalog, a prolific cybercriminal group is using social engineering tactics perfectly suited to compromise state identity systems, and CISA published seven ICS advisories in a single day &mdash; several affecting equipment commonly deployed in state water and facilities infrastructure. </p> <p> This is not a theoretical risk landscape. The SharePoint vulnerability is being exploited <em> today </em> . The vishing playbook targeting help desks mirrors exactly how state agencies manage identity resets. And the ICS advisories describe remote command execution on a PLC, and unauthorized access to an RTU, that may sit in your water treatment plants. </p> <p> Below is what changed, what it means for your organization, and what to do about it &mdash; prioritized by urgency. </p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-45659 </strong> (SharePoint deserialization RCE) added to CISA KEV &mdash; actively exploited </p> </td> <td> <p> State agencies run SharePoint extensively (on-prem and hybrid). This is the <em> second </em> SharePoint deserialization KEV in recent weeks, confirming sustained adversary interest. 
</p> </td> </tr> <tr> <td> <p> <strong> SCATTERED SPIDER </strong> vishing campaign documented targeting Entra ID/SSO/VDI via help desk manipulation </p> </td> <td> <p> State IT help desks use identical architecture. A single successful vishing call can yield full domain compromise. </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-50242 </strong> (JetBrains Hub authentication bypass, CVSS 10.0) disclosed </p> </td> <td> <p> Any state DevOps team running JetBrains Hub faces unauthenticated administrative takeover &mdash; with downstream access to CI/CD pipelines. </p> </td> </tr> <tr> <td> <p> <strong> 7 ICS/SCADA advisories </strong> published simultaneously (Delta Electronics PLC, Schneider Electric RTU, StoneFly, FUXA HMI, others) </p> </td> <td> <p> Delta DVP12SE PLCs and Schneider Saitel DP RTUs are deployed in state water/wastewater and facilities management. The Delta advisory describes remote command execution; the Schneider advisory describes unauthorized access and sensitive information exposure. </p> </td> </tr> <tr> <td> <p> <strong> Hunters International </strong> ransomware group shut down, released decryption keys, rebranded to "World Leaks" (data extortion only) </p> </td> <td> <p> Affiliates will migrate to other ransomware-as-a-service platforms (Akira, DragonForce, Qilin). Expect a short-term spike in recruitment and new campaigns. </p> </td> </tr> <tr> <td> <p> <strong> U.S. Treasury sanctioned Aeza Group </strong> (Russia-based bulletproof hosting) supporting BianLian, Lumma, Meduza, and RedLine </p> </td> <td> <p> Disrupts infrastructure used by ransomware and infostealer operations targeting U.S. organizations, but displaced actors will seek new hosting. </p> </td> </tr> <tr> <td> <p> <strong> APT29/SVR credential harvesting </strong> via messaging apps (Signal, WhatsApp, Telegram) remains active per prior CISA/FBI advisory </p> </td> <td> <p> Senior state officials using personal messaging apps for government business remain at risk of credential theft. 
</p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Relevance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 12 June 2026 </p> </td> <td> <p> California water utility breach attributed to VOID MANTICORE (Iran/IRGC) </p> </td> <td> <p> Demonstrates active nation-state targeting of U.S. state water infrastructure </p> </td> </tr> <tr> <td> <p> 19 June 2026 </p> </td> <td> <p> JetBrains Hub CVE-2026-50242 (CVSS 10.0) published </p> </td> <td> <p> Unauthenticated admin takeover; weaponization window open </p> </td> </tr> <tr> <td> <p> 26 June 2026 </p> </td> <td> <p> CISA/FBI updated advisory: APT29/SVR credential harvesting via messaging apps </p> </td> <td> <p> Direct threat to senior state officials </p> </td> </tr> <tr> <td> <p> 29 June 2026 </p> </td> <td> <p> CVE-2026-48558 (SimpleHelp, CVSS 10.0) added to CISA KEV </p> </td> <td> <p> Unauthenticated system compromise via forged OIDC tokens; MSP-dependent environments at risk </p> </td> </tr> <tr> <td> <p> 30 June 2026 </p> </td> <td> <p> CISA publishes 7 ICS advisories + 1 medical device advisory in single batch </p> </td> <td> <p> Delta PLC, Schneider RTU, StoneFly, FUXA HMI &mdash; state OT infrastructure affected </p> </td> </tr> <tr> <td> <p> 1 July 2026 </p> </td> <td> <p> CVE-2026-45659 (SharePoint RCE) added to CISA KEV &mdash; active exploitation confirmed </p> </td> <td> <p> State SharePoint farms are confirmed attack surface </p> </td> </tr> <tr> <td> <p> 2 July 2026 </p> </td> <td> <p> SCATTERED SPIDER vishing campaign advisory published (Singapore CSA/CrowdStrike) </p> </td> <td> <p> Identical TTPs to state help desk identity reset procedures </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. 
SharePoint Under Sustained Attack &mdash; CVE-2026-45659 </strong> </h3> <p> <strong> What it is: </strong> A deserialization-of-untrusted-data vulnerability in Microsoft SharePoint that allows an authenticated attacker to execute arbitrary code remotely. CVSS 8.8. </p> <p> <strong> Why it matters now: </strong> CISA confirmed active exploitation and added it to the KEV catalog on 1 July 2026. This is the <em> second </em> SharePoint deserialization vulnerability to hit the KEV in recent cycles, establishing a clear pattern: adversaries are systematically targeting SharePoint as an initial access vector into organizations that rely on it for document management and collaboration. </p> <p> State government agencies typically run SharePoint in hybrid configurations with significant on-premises footprints &mdash; often with patching cycles measured in weeks rather than days. Every day unpatched is a day exposed. </p> <p> <strong> ATT&amp;CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1059.001 (PowerShell execution post-compromise), T1078.004 (Cloud Accounts persistence) </p> <h3> <strong> 2. SCATTERED SPIDER Vishing &mdash; Your Help Desk Is the Front Door </strong> </h3> <p> <strong> What it is: </strong> SCATTERED SPIDER (also tracked as UNC3944) is conducting active campaigns using voice phishing (vishing) to manipulate IT help desk staff into resetting MFA and passwords on Entra ID, SSO, and VDI accounts. Once inside, they use legitimate tools for reconnaissance (ADExplorer, ADRecon.ps1), extract credential databases (ntds.dit), establish tunneled command-and-control (Chisel via trycloudflare[.]com, ngrok), suppress email notifications via PowerShell transport rules, and exfiltrate data to cloud storage (S3 Browser). </p> <p> <strong> Why it matters for state government: </strong> This group's playbook is a near-perfect match for how state IT service desks operate. 
If your help desk will reset an Entra ID password based on a phone call &mdash; even with basic identity verification &mdash; you are vulnerable. Notably, a <em> separate </em> group (CHATTY SPIDER) uses the same vishing-to-identity-reset technique, meaning state help desks face compound risk from multiple independent threat actors exploiting the same procedural weakness. </p> <p> <strong> ATT&amp;CK techniques: </strong> T1566.004 (Spearphishing Voice), T1078.004 (Cloud Accounts), T1087.002 (Domain Account Discovery), T1003.003 (NTDS credential dumping), T1572 (Protocol Tunneling), T1564.008 (Email Hiding Rules), T1537 (Transfer Data to Cloud Account) </p> <h3> <strong> 3. JetBrains Hub CVE-2026-50242 &mdash; CVSS 10.0 Supply Chain Risk </strong> </h3> <p> <strong> What it is: </strong> A critical authentication bypass in JetBrains Hub that allows unauthenticated attackers to gain full administrative access via direct database manipulation. JetBrains Hub manages identity and access for all connected JetBrains services &mdash; including TeamCity (CI/CD), YouTrack, and Space. </p> <p> <strong> Why it matters: </strong> Any state development team using JetBrains tools with an exposed Hub instance faces complete supply chain compromise. An attacker with Hub admin access can inject malicious code into CI/CD pipelines, compromise build artifacts, and pivot into production environments. Historical precedent: CVE-2024-27198 (TeamCity) was weaponized within 48 hours of disclosure. </p> <p> <strong> Current status: </strong> No confirmed in-the-wild exploitation yet &mdash; but the CVSS 10.0 score and full admin takeover capability mean the weaponization window is narrow. </p> <h3> <strong> 4. 
ICS/SCADA Advisory Surge &mdash; State Water and Facilities at Risk </strong> </h3> <p> Seven ICS advisories published on 30 June 2026 affect equipment commonly deployed in state government operational technology environments: </p> <table> <thead> <tr> <th> <p> <strong> Advisory </strong> </p> </th> <th> <p> <strong> Product </strong> </p> </th> <th> <p> <strong> Risk </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> ICSA-26-181-07 </p> </td> <td> <p> Delta Electronics DVP12SE PLC </p> </td> <td> <p> Remote command execution, operational value modification </p> </td> </tr> <tr> <td> <p> ICSA-26-181-04 </p> </td> <td> <p> Schneider Electric EasyLogic T150 / Saitel DP RTU </p> </td> <td> <p> Unauthorized access, sensitive information exposure </p> </td> </tr> <tr> <td> <p> ICSA-26-181-06 </p> </td> <td> <p> StoneFly Storage Concentrator </p> </td> <td> <p> Arbitrary command execution </p> </td> </tr> <tr> <td> <p> ICSA-26-181-05 </p> </td> <td> <p> B&amp;R Products (XZ Utils) </p> </td> <td> <p> Supply chain backdoor via compromised library </p> </td> </tr> <tr> <td> <p> ICSA-26-181-03 </p> </td> <td> <p> Schneider Electric EcoStruxure IT Data Center Expert </p> </td> <td> <p> DCIM platform vulnerability </p> </td> </tr> <tr> <td> <p> ICSA-26-181-02 </p> </td> <td> <p> Frangoteam FUXA SCADA/HMI </p> </td> <td> <p> Unauthenticated user enumeration </p> </td> </tr> <tr> <td> <p> ICSA-26-181-01 </p> </td> <td> <p> Mitsubishi Electric MELSOFT Update Manager </p> </td> <td> <p> Local data tampering/destruction </p> </td> </tr> </tbody> </table> <p> The Delta DVP12SE PLC and Schneider Saitel DP RTU advisories are particularly concerning: remote command execution on the PLC and unauthorized access to the RTU are exactly the footholds that align with documented pre-positioning tactics used by <strong> Volt Typhoon </strong> (Chinese state-sponsored) in U.S. water/wastewater infrastructure. 
The absence of new Volt Typhoon reporting this cycle does <em> not </em> indicate absence of activity &mdash; it may indicate successful concealment. </p> <h3> <strong> 5. Ransomware Ecosystem Reshuffling </strong> </h3> <p> <strong> Hunters International </strong> has shut down ransomware operations and released decryption keys, rebranding as "World Leaks" (data extortion only). This is operationally significant because their affiliates &mdash; experienced operators with established access to victim networks &mdash; will migrate to other ransomware-as-a-service platforms. </p> <p> Meanwhile, the U.S. Treasury sanctioned <strong> Aeza Group </strong> , a Russia-based bulletproof hosting provider that supported <strong> BianLian </strong> ransomware, <strong> Lumma </strong> infostealer, <strong> Meduza </strong> infostealer, and <strong> RedLine </strong> infostealer operations. While sanctions disrupt infrastructure, displaced actors historically reconstitute within weeks. </p> <p> <strong> Active ransomware groups updated in the last 48 hours with government targeting: </strong> Krybit, Stormous, ShinyHunters, Gunra, NightSpire. No specific state/local government victim was reported this cycle, but reporting lag is common. 
</p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> CVE-2026-45659 exploitation expands; scanning activity against state SharePoint instances </p> </td> <td> <p> <strong> HIGH (70%) </strong> </p> </td> <td> <p> 72 hours </p> </td> <td> <p> Active exploitation confirmed; state SharePoint widely deployed and often slow to patch </p> </td> </tr> <tr> <td> <p> SCATTERED SPIDER expands targeting to government sector </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 2&ndash;4 weeks </p> </td> <td> <p> Entra ID ubiquity in government; group historically expands to adjacent sectors </p> </td> </tr> <tr> <td> <p> Hunters International affiliates surface under new RaaS banners (Qilin, DragonForce, Akira) </p> </td> <td> <p> <strong> MODERATE (40%) </strong> </p> </td> <td> <p> 2 weeks </p> </td> <td> <p> Standard affiliate migration pattern after RaaS shutdown </p> </td> </tr> <tr> <td> <p> JetBrains Hub CVE-2026-50242 weaponized </p> </td> <td> <p> <strong> LOW-MODERATE (20%) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> <strong> CVSS 10.0 attracts attention; less internet-exposed than TeamCity but high value </strong> </p> </td> </tr> <tr> <td> <p> Nation-state exploitation of Delta/Schneider ICS vulnerabilities against state water systems </p> </td> <td> <p> <strong> LOW (15%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Volt Typhoon has demonstrated interest; advisories provide roadmap </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> What to Monitor </strong> </p> </th> <th> <p> <strong> ATT&amp;CK 
ID </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> SharePoint deserialization exploitation attempts </p> </td> <td> <p> T1190 </p> </td> <td> <p> WAF alerts for serialized object payloads in SharePoint requests; IIS logs showing unusual POST requests to /_layouts/ or /_vti_bin/ endpoints </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Help desk credential reset anomalies </p> </td> <td> <p> T1566.004 </p> </td> <td> <p> Track all Entra ID password/MFA resets initiated via phone &mdash; correlate with subsequent impossible-travel or new device enrollments within 1 hour </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Tunneling tool usage </p> </td> <td> <p> T1572 </p> </td> <td> <p> DNS queries to trycloudflare[.]com, ngrok[.]io, pinggy[.]io; process creation for chisel.exe, ngrok.exe; outbound connections on non-standard ports </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Email transport rule modifications </p> </td> <td> <p> T1564.008 </p> </td> <td> <p> M365 Unified Audit Log: Set-TransportRule, New-TransportRule, New-InboxRule with redirect/delete actions &mdash; especially from recently-reset accounts </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> NTDS.dit access </p> </td> <td> <p> T1003.003 </p> </td> <td> <p> Volume Shadow Copy creation (vssadmin/wmic), ntdsutil.exe execution, large file transfers from domain controllers </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> AD reconnaissance tooling </p> </td> <td> <p> T1087.002 </p> </td> <td> <p> Process creation for ADExplorer.exe, ADRecon.ps1, Get-ADUser with -Filter * parameters </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> Adaptix C2 beaconing </p> </td> <td> <p> T1071.001 </p> </td> <td> <p> Outbound connections to 
45.32.64[.]12 on port 4321 (Vultr ASN 20473) &mdash; persistent IOC from prior cycles </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3> <ol> <li> <strong> "Did anyone vish our help desk this week?" </strong> &mdash; Review all password/MFA reset tickets opened via phone in the last 14 days. Cross-reference the reset accounts with: new device enrollments, impossible-travel alerts, mail forwarding rule changes, or SharePoint/OneDrive bulk downloads within 24 hours of reset. </li> <li> <strong> "Is anyone tunneling out?" </strong> &mdash; Hunt for DNS resolution of trycloudflare[.]com, ngrok[.]io, or pinggy[.]io across all endpoints. Check for Chisel, Rsocx, or Teleport binaries. Look for sustained outbound connections on ports 443/8443 to cloud tunnel providers. </li> <li> <strong> "Has our SharePoint been probed?" </strong> &mdash; Review SharePoint/IIS access logs for unusual POST requests containing serialized .NET objects, base64-encoded payloads, or requests to rarely-accessed administrative endpoints. Correlate with any new CISA KEV scanning signatures. </li> <li> <strong> "Is Adaptix C2 active in our environment?" </strong> &mdash; Search network flow data for any communication with 45.32.64[.]12 or 107.191.61[.]105 (107.191.61.105.vultr.com). Check for beaconing patterns on port 4321. 
</li> </ol> <h3> <strong> IOC Blocking Guidance </strong> </h3> <p> The following indicators should be added to blocking/alerting rules: </p> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.205.1[.]20 </p> </td> <td> <p> APT29-associated infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 124.198.131[.]185 </p> </td> <td> <p> APT-associated infrastructure </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.32.64[.]12 </p> </td> <td> <p> Adaptix C2 node (Vultr, ASN 20473) </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 107.191.61[.]105 </p> </td> <td> <p> Adaptix C2 infrastructure (Vultr) </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 45.32.137[.]94 </p> </td> <td> <p> APT-associated infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> trycloudflare[.]com </p> </td> <td> <p> Abused for SCATTERED SPIDER tunneling (alert, not block &mdash; legitimate service) </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> Vpsvault[.]host </p> </td> <td> <p> Malicious hosting infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> 107.191.61.105.vultr[.]com </p> </td> <td> <p> Adaptix C2 reverse DNS </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 9e0c2a9f281d7e54a542f59a6255016a0079cb24afcc6feead968ced3042a6d4 </p> </td> <td> <p> Malware sample &mdash; APT-associated </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 703ad46a35788b02709709f2687530d3adf8d9098f4599f86932b7f861f667ef </p> </td> <td> <p> Malware sample &mdash; APT-associated </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> f939005f6f4ffd8db22fda5da78d0d6d54a35e41d9c63ed0088c98c453d9c002 </p> </td> <td> <p> Malware sample &mdash; APT-associated </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 
38c2a69ff2cec4892feab5f4c936f9b37d345edf66a8da2647ac2b0a0fb91508 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 34decefae1a43abb9194993eafbbe8a53aec75a64d1b7c5ec968a977b8e9cbe8 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 3df168d6c5732e448edb4b4bd120bf2573e67fcbcf3618792a90d20f9a4460b0 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> e1c7c16eaccd612a8b4c93b7d07907ec7ef8b4fef4034deb2e444fe0a05932e7 </p> </td> <td> <p> Malware sample </p> </td> </tr> </tbody> </table> <p> Additional IOCs available via Anomali ThreatStream Next-Gen. </p> <p> <strong> <em> Note on trycloudflare[.]com: </em> </strong> <em> This is a legitimate Cloudflare service abused by SCATTERED SPIDER for tunneling. Blocking it outright may cause operational disruption. Recommended approach: alert on DNS resolution, investigate any endpoint resolving it, and block only if your organization has no legitimate use case. </em> </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Infostealer campaigns (Lumma, Meduza, RedLine) targeting credentials for financial platforms; BianLian ransomware targeting data exfiltration from payment systems </li> <li> <strong> Action: </strong> Audit all service accounts accessing financial databases for credential hygiene. Deploy browser-based credential theft detection. Monitor for bulk PII access patterns that could indicate pre-ransomware staging. </li> <li> <strong> Specific concern: </strong> Aeza Group sanctions may temporarily disrupt infostealer C2, but operators will migrate infrastructure within days. Do not assume reduced risk. 
</li> </ul> <h3> <strong> Energy (State Facilities, Power Management, Building Automation) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> ICS vulnerabilities in Schneider Electric EcoStruxure (data center management) and B&amp;R products (XZ Utils supply chain backdoor) </li> <li> <strong> Action: </strong> Inventory all Schneider Electric EcoStruxure IT Data Center Expert deployments. Verify B&amp;R product firmware is not running compromised XZ Utils versions. Ensure building automation systems are network-segmented from IT. </li> <li> <strong> Specific concern: </strong> The XZ Utils backdoor in B&amp;R products (ICSA-26-181-05) represents a supply chain compromise &mdash; verify integrity of all B&amp;R firmware updates applied in the last 12 months. </li> </ul> <h3> <strong> Healthcare (State Health &amp; Human Services, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware (Krybit, Stormous, NightSpire all active against healthcare); SCATTERED SPIDER lateral movement to SaaS platforms containing PHI </li> <li> <strong> Action: </strong> Verify backup integrity for Medicaid management systems. Ensure SaaS platforms storing PHI (Salesforce Health Cloud, Epic integrations) have conditional access policies preventing access from unmanaged devices. Brief clinical system administrators on vishing risk. </li> <li> <strong> Specific concern: </strong> ICSMA-26-181-01 (OFFIS DCMTK medical imaging toolkit) &mdash; verify if state health systems use DCMTK for DICOM processing and patch accordingly. 
</li> </ul> <h3> <strong> Government (All Executive Branch Agencies) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> APT29/SVR credential harvesting via personal messaging apps (Signal, WhatsApp, Telegram); SCATTERED SPIDER vishing for Entra ID compromise; SharePoint exploitation for initial access </li> <li> <strong> Action: </strong> Issue directive to all senior officials: do not use personal messaging apps for government business. Implement phishing-resistant MFA (FIDO2/hardware keys) for all executive accounts. Patch SharePoint within 48 hours. </li> <li> <strong> Specific concern: </strong> The convergence of SCATTERED SPIDER and CHATTY SPIDER using identical vishing playbooks means your help desk faces attacks from <em> multiple independent groups </em> &mdash; a single procedural fix (callback verification) defeats both. </li> </ul> <h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Port Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> SCATTERED SPIDER has explicitly expanded to aviation; state transportation systems share infrastructure patterns with commercial aviation targets </li> <li> <strong> Action: </strong> Review all VDI and remote access systems used by DOT staff for MFA bypass vulnerabilities. Audit VMware vCenter access controls &mdash; SCATTERED SPIDER specifically targets vCenter for ntds.dit extraction. Monitor for S3 Browser or unusual cloud storage tool usage. </li> <li> <strong> Specific concern: </strong> State DOT systems often interconnect with federal FAA and FHWA systems &mdash; a compromise could provide lateral access to federal infrastructure, escalating the incident significantly. 
</li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Patch Microsoft SharePoint for CVE-2026-45659 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Actively exploited RCE. CISA BOD 22-01 binds only federal civilian agencies, but its KEV remediation deadline is the benchmark state agencies should hold themselves to; state SharePoint farms are confirmed attack surface. </p> </td> </tr> <tr> <td> <p> Brief all IT help desk staff on vishing attacks targeting Entra ID/MFA resets </p> </td> <td> <p> Security Operations / IT Service Management </p> </td> <td> <p> SCATTERED SPIDER uses this exact playbook. Implement mandatory callback verification to a registered manager phone number (never a number supplied by the caller) before <em> any </em> credential reset. </p> </td> </tr> <tr> <td> <p> Confirm SimpleHelp patch status (CVE-2026-48558) across all MSP-managed environments </p> </td> <td> <p> IT Operations / Vendor Management </p> </td> <td> <p> CVSS 10.0, on CISA KEV since 29 June. Any unpatched MSP-managed SimpleHelp instance means full system compromise via forged OIDC tokens. </p> </td> </tr> <tr> <td> <p> Block/alert on IOCs listed above </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy to firewalls, EDR, DNS filtering, and SIEM correlation rules (trycloudflare[.]com: alert only, per the note above). </p> </td> </tr> <tr> <td> <p> Issue messaging app directive to senior officials </p> </td> <td> <p> CISO / Executive Communications </p> </td> <td> <p> APT29/SVR actively harvesting credentials via Signal, WhatsApp, Telegram. Prohibit use for government business; for purely personal use, Signal with disappearing messages enabled is the recommended choice. 
</p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Audit JetBrains Hub version; upgrade to 2026.1.13757+ </p> </td> <td> <p> DevOps / Application Security </p> </td> <td> <p> CVSS 10.0 authentication bypass. Verify no internet-facing instances exist. Historical precedent: TeamCity CVE-2024-27198 was weaponized in &lt;48 hours. </p> </td> </tr> <tr> <td> <p> Review ICS advisory applicability (ICSA-26-181-04, -07) for state water/facilities </p> </td> <td> <p> OT/ICS Security Team </p> </td> <td> <p> Delta DVP12SE PLC (remote command execution) and Schneider Saitel DP RTU (unauthorized access, sensitive information exposure). Apply vendor patches or implement network segmentation. </p> </td> </tr> <tr> <td> <p> Deploy tunneling tool detection </p> </td> <td> <p> SOC / Network Security </p> </td> <td> <p> Alert on DNS queries to trycloudflare[.]com, ngrok[.]io, pinggy[.]io. Hunt for Chisel, Rsocx, Teleport binaries. Monitor PowerShell mail transport rule changes in M365. </p> </td> </tr> <tr> <td> <p> Conduct tabletop exercise: "vishing leads to domain compromise" </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> Validate that incident response procedures account for social-engineering-initiated identity compromise. Test: can your SOC detect a vished credential reset before lateral movement begins? </p> </td> </tr> <tr> <td> <p> Review and harden SharePoint WAF rules </p> </td> <td> <p> Network Security / IT Operations </p> </td> <td> <p> Add detection for serialized .NET object payloads. Consider an accelerated patching SLA specifically for SharePoint given two KEVs in recent weeks. 
</p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Resolve OSINT intelligence feed failure </p> </td> <td> <p> CISO / CTO </p> </td> <td> <p> 137 days degraded. Evaluate commercial OSINT API alternatives (Recorded Future, Mandiant Advantage, GreyNoise). This gap is degrading legislative monitoring and nation-state tracking capabilities. Requires executive decision and budget allocation. </p> </td> </tr> <tr> <td> <p> Conduct threat hunt for Adaptix C2 beaconing </p> </td> <td> <p> SOC / Threat Hunting </p> </td> <td> <p> <strong> Search for communications to 45.32.64[.]12 on port 4321. This IOC has remained high-confidence for 7+ days, and the environment has not yet been confirmed clean of it. </strong> </p> </td> </tr> <tr> <td> <p> Evaluate SharePoint migration to fully-managed SharePoint Online </p> </td> <td> <p> IT Architecture / CTO </p> </td> <td> <p> Structural risk reduction: Microsoft manages patching for SharePoint Online. Two KEV-listed deserialization vulnerabilities in recent weeks demonstrate that on-premises SharePoint is a persistent liability. </p> </td> </tr> <tr> <td> <p> Assess Hunters International affiliate migration risk </p> </td> <td> <p> CTI / SOC </p> </td> <td> <p> Monitor for new ransomware campaigns from Qilin, DragonForce, or Akira that show TTPs consistent with former Hunters International operators. Update detection rules accordingly. </p> </td> </tr> <tr> <td> <p> Implement phishing-resistant MFA (FIDO2) for all privileged accounts </p> </td> <td> <p> IAM / IT Security </p> </td> <td> <p> Defeats AiTM phishing outright, and defeats vishing-based credential theft only if authenticator re-enrollment and reset are gated by the same callback verification; otherwise the help desk remains the bypass. Prioritize: domain admins, help desk staff with reset privileges, executive accounts, and OT/ICS administrators. 
</p> </td> </tr> </tbody> </table> <h2> <strong> Bottom Line </strong> </h2> <p> The threat landscape facing state government IT is not abstract. SharePoint is being exploited <em> right now </em> . Threat actors are calling help desks <em> today </em> to steal identities. PLCs in your water treatment plants have published vulnerabilities enabling remote command execution. </p> <p> The good news: the most impactful defensive actions this week are procedural, not budgetary. A callback-verification policy for credential resets costs nothing and defeats two independent threat groups. Patching SharePoint within 48 hours is an operational decision, not a procurement one. Confirming SimpleHelp patch status with your MSPs requires a phone call. </p> <p> The 30-day items &mdash; OSINT feed restoration, FIDO2 deployment, SharePoint architecture decisions &mdash; require executive sponsorship and budget. But they address <em> structural </em> vulnerabilities that will generate recurring crises until resolved. </p> <p> Act on the immediates today. Brief your leadership on the 7-day items tomorrow. Put the 30-day items on next week's governance agenda. </p> <p> The adversaries are not waiting. </p> <p> <em> Anomali CTI Desk | 2 July 2026 | TLP:GREEN </em> </p> <p> <em> This report is based on intelligence collected through 2 July 2026. IOCs and threat actor attributions are derived from ThreatStream Next-Gen, CISA advisories, and vetted partner feeds. Additional IOCs and context available via ThreatStream Next-Gen. </em> </p>
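<p> <strong> Worked example: the Detection Priorities logic over sample records. </strong> The following Python is an added example, not Anomali's code or tooling, that runs four rows of the Detection Priorities table above (phone-initiated reset correlated with device enrollment or impossible travel within one hour, DNS resolution of tunnel providers, mail-hiding rule operations in the M365 Unified Audit Log, and POSTs to /_layouts/ or /_vti_bin/ carrying a serialized .NET object) over constructed records. Only the indicator domains, the SharePoint paths and the audit-log cmdlet names come from the report; the record field names, the path /_layouts/15/example.aspx, the BinaryFormatter base64 heuristic, the Exchange parameter names used to recognize redirect/forward/delete actions and every sample value are assumptions made for this illustration, to be mapped onto your own SIEM schema. </p>

```python
"""Added example (not Anomali's code): run four Detection Priorities rows over
constructed sample records. Field names and sample values are assumptions."""
from datetime import datetime, timedelta
import re

# Indicators taken from the report's Detection Priorities and IOC tables.
TUNNEL_DOMAINS = ("trycloudflare.com", "ngrok.io", "pinggy.io")
SHAREPOINT_PATHS = ("/_layouts/", "/_vti_bin/")
# Base64 of a .NET BinaryFormatter stream header, raw and URL-encoded. Heuristic
# assumption for this example, not a signature from the report. ViewState blobs
# (prefix "/wE") are deliberately NOT matched: every ASP.NET POST carries one.
SERIALIZED_B64 = re.compile(r"AAEAAAD(?://///|%2F%2F%2F%2F%2F)")
RULE_OPS = ("New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule")
# Inbox-rule and transport-rule cmdlets spell the hiding actions differently.
HIDING_ACTIONS = ("RedirectTo", "ForwardTo", "ForwardAsAttachmentTo", "DeleteMessage",
                  "RedirectMessageTo", "BlindCopyTo")

def _ts(s):
    return datetime.fromisoformat(s)

def phone_reset_users(identity_events):
    """Accounts whose password or MFA was reset via a phone call to the help desk."""
    return {e["user"] for e in identity_events
            if e["event"] in ("password_reset", "mfa_reset") and e.get("channel") == "phone"}

def find_vished_resets(identity_events, window=timedelta(hours=1)):
    """HIGH / T1566.004: phone-initiated reset followed within `window` by a new
    device enrollment or impossible-travel alert for the same account."""
    alerts = []
    for r in identity_events:
        if r["event"] not in ("password_reset", "mfa_reset") or r.get("channel") != "phone":
            continue
        t0 = _ts(r["ts"])
        for e in identity_events:
            if (e["user"] == r["user"] and e["event"] in ("device_enrolled", "impossible_travel")
                    and t0 <= _ts(e["ts"]) <= t0 + window):
                alerts.append((r["user"], r["event"], e["event"], e["ts"]))
    return alerts

def find_tunnel_dns(dns_events):
    """HIGH / T1572: hosts resolving cloud tunnel providers (alert, do not block).
    Matches the domain or a subdomain only, so 'notngrok.io' does not fire."""
    hits = []
    for e in dns_events:
        q = e["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
            hits.append((e["host"], q))
    return hits

def find_mail_hiding_rules(audit_records, recently_reset):
    """HIGH / T1564.008: Unified Audit Log rule operations whose Parameters add a
    redirect, forward or delete action; the third field marks a recently reset actor."""
    hits = []
    for rec in audit_records:
        if rec["Operation"] not in RULE_OPS:
            continue
        params = {p["Name"] for p in rec.get("Parameters", [])}
        if params & set(HIDING_ACTIONS):
            hits.append((rec["UserId"], rec["Operation"], rec["UserId"] in recently_reset))
    return hits

def find_sharepoint_probes(requests):
    """CRITICAL / T1190: POSTs to /_layouts/ or /_vti_bin/ whose query string or body
    carries a base64 .NET serialized object. IIS W3C logs never record the body, so
    `body` must come from a WAF or reverse proxy; the query string is always checked."""
    hits = []
    for r in requests:
        if r["method"] != "POST" or not r["uri"].startswith(SHAREPOINT_PATHS):
            continue
        if SERIALIZED_B64.search(r.get("query", "") + " " + r.get("body", "")):
            hits.append((r["src"], r["uri"]))
    return hits

# Constructed sample records (fabricated for this example; not real telemetry).
IDENTITY = [
    {"ts": "2026-07-02T09:00:00", "user": "jdoe@state.example", "event": "password_reset", "channel": "phone"},
    {"ts": "2026-07-02T09:20:00", "user": "jdoe@state.example", "event": "device_enrolled"},
    {"ts": "2026-07-02T10:05:00", "user": "asmith@state.example", "event": "mfa_reset", "channel": "portal"},
    {"ts": "2026-07-02T10:10:00", "user": "asmith@state.example", "event": "device_enrolled"},
    {"ts": "2026-07-02T11:00:00", "user": "bwong@state.example", "event": "mfa_reset", "channel": "phone"},
    {"ts": "2026-07-02T14:30:00", "user": "bwong@state.example", "event": "impossible_travel"},  # > 1 h later
]
DNS = [
    {"host": "WS-0412", "query": "login.microsoftonline.com"},
    {"host": "WS-0412", "query": "quiet-rain-1234.trycloudflare.com."},
    {"host": "SRV-FS01", "query": "ab12cd34.ngrok.io"},
    {"host": "WS-0099", "query": "notngrok.io"},
]
AUDIT = [
    {"UserId": "jdoe@state.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "password;mfa;security"}]},
    {"UserId": "asmith@state.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"UserId": "admin@state.example", "Operation": "Set-TransportRule",
     "Parameters": [{"Name": "Identity", "Value": "Exec mail"}, {"Name": "RedirectMessageTo", "Value": "ext@example.net"}]},
]
REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "uri": "/_layouts/15/example.aspx",
     "query": "", "body": "field=AAEAAAD%2F%2F%2F%2F%2FAQAAAAAAAAAMAgAAAE"},
    {"src": "198.51.100.9", "method": "POST", "uri": "/_vti_bin/client.svc",
     "query": "o=AAEAAAD/////AQAAAAAAAAAMAgAAAE"},
    {"src": "10.20.30.40", "method": "GET", "uri": "/_layouts/15/start.aspx", "query": ""},
    {"src": "10.20.30.41", "method": "POST", "uri": "/sites/hr/_api/web", "body": "{}"},
]

def run_hunts():
    """Return every hit per detection row, keyed by the row it implements."""
    return {
        "vished_resets": find_vished_resets(IDENTITY),
        "tunnel_dns": find_tunnel_dns(DNS),
        "mail_hiding_rules": find_mail_hiding_rules(AUDIT, phone_reset_users(IDENTITY)),
        "sharepoint_probes": find_sharepoint_probes(REQUESTS),
    }

if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h)
```

<p> On the sample data the script flags one vished reset (jdoe, enrolled a device 20 minutes after a phone reset; bwong's impossible-travel alert falls outside the one-hour window and asmith's reset came through the portal), two hosts resolving tunnel providers, two mail-hiding rules (jdoe's delete rule on "password" subjects, marked as a recently reset actor, and an admin transport-rule redirect) and two SharePoint POSTs carrying a BinaryFormatter blob. The window and the hiding-action list are the two knobs to tune; widening the window to six hours, for instance, also surfaces bwong. </p>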
