<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> Elevated from GUARDED in the prior cycle due to confirmed mass exploitation of state government enterprise systems and active weaponization of perimeter VPN and SD-WAN infrastructure by both criminal and nation-state actors. This level is maintained based on three new actively exploited vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog within 72 hours, continued ransomware operator infrastructure refresh targeting government, and fresh APT29 malware samples targeting government networks. </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate executive attention. In the span of 72 hours, CISA has confirmed active exploitation of Cisco SD-WAN infrastructure — the backbone of many state wide-area networks — while three critical Fortinet FortiSandbox vulnerabilities are being exploited in the wild, one using a confirmed AI-developed exploit. Simultaneously, a sophisticated phishing campaign is delivering dual remote management tools to government targets, and Russia's APT29 has deployed fresh credential-harvesting malware aimed at government and telecommunications sectors.
</p>
<p> This is not a theoretical risk briefing. These are confirmed, active campaigns with direct relevance to state government technology stacks. The window to act is measured in hours, not weeks.
</p>
<h2> <strong> What Changed </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-20262 </strong> added to CISA KEV (June 15) — Cisco Catalyst SD-WAN Manager arbitrary file write </p> </td> <td> <p> Second Cisco SD-WAN KEV in two weeks. Many states rely on Cisco Catalyst for WAN connectivity. Authenticated attackers can escalate to root. </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-54420 / CVE-2026-48172 </strong> added to CISA KEV — LiteSpeed cPanel privilege escalation </p> </td> <td> <p> Actively exploited. New CISA BOD 26-04 mandates 3-day remediation for internet-facing exploitable vulnerabilities. Affects shared hosting used by smaller state agencies. </p> </td> </tr> <tr> <td> <p> <strong> FortiSandbox triple exploitation </strong> (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) </p> </td> <td> <p> All CVSS 9.1. Unauthenticated RCE. One exploit confirmed to use AI-assisted development — a first for network security appliances. </p> </td> </tr> <tr> <td> <p> <strong> Adobe-spoofing dual-RMM phishing campaign </strong> targeting government </p> </td> <td> <p> Delivers both ConnectWise ScreenConnect and MSP360 RMM via a single phishing lure. Legitimate tools abused for persistent access. </p> </td> </tr> <tr> <td> <p> <strong> APT29 fresh government-targeting malware </strong> (June 15) </p> </td> <td> <p> New Windows executable with credential theft, security tool disabling, and sandbox evasion capabilities. Targets government and telecom. </p> </td> </tr> <tr> <td> <p> <strong> CISA BOD 26-04 replaces BOD 22-01 </strong> (June 11) </p> </td> <td> <p> New risk-tiered patching framework: 3 days for KEV + internet-facing + automatable. Will cascade to states via federal funding conditions. 
</p> </td> </tr> <tr> <td> <p> <strong> ShinyHunters/UNC6040 mass exploitation of Oracle PeopleSoft </strong> (CVE-2026-35273, June 12) </p> </td> <td> <p> Approximately 100 organizations compromised; state financial ERP systems running PeopleSoft are directly in scope. CISA KEV addition confirmed. </p> </td> </tr> <tr> <td> <p> <strong> Ransomware operators explicitly add government targeting </strong> (June 14–16) </p> </td> <td> <p> REVENANT SPIDER/Qilin, KRYBIT, and AuditTeam all expanded target lists to include government-public-services; infrastructure refresh and pre-ransomware activity detected. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Actors / CVEs </strong> </p> </th> <th> <p> <strong> Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> June 1, 2026 </p> </td> <td> <p> LiteSpeed confirms active exploitation of cPanel plugin </p> </td> <td> <p> Unknown criminal actors / CVE-2026-54420 </p> </td> <td> <p> Root escalation on shared hosting servers </p> </td> </tr> <tr> <td> <p> June 11, 2026 </p> </td> <td> <p> CISA issues BOD 26-04, revoking BODs 19-02 and 22-01 </p> </td> <td> <p> CISA (policy) </p> </td> <td> <p> New 3-day/14-day/30-day risk-tiered patching mandate </p> </td> </tr> <tr> <td> <p> June 12, 2026 </p> </td> <td> <p> ShinyHunters (UNC6040) begins mass exploitation of Oracle PeopleSoft </p> </td> <td> <p> ShinyHunters / CVE-2026-35273 </p> </td> <td> <p> ~100 organizations compromised; CISA KEV addition </p> </td> </tr> <tr> <td> <p> June 12, 2026 </p> </td> <td> <p> Handala/VOID MANTICORE breaches California water utilities </p> </td> <td> <p> IRGC-affiliated / Handala </p> </td> <td> <p> <strong> Critical infrastructure ICS/OT compromise </strong> </p> </td> </tr> <tr> <td> <p> June 14, 2026 </p> </td> <td> <p> REVENANT SPIDER confirms ransomware deployment via Check Point VPN </p> </td> <td> <p> Qilin affiliate / CVE-2026-50751 </p> </td> <td> <p> Government-public-services added as explicit target </p> </td> </tr> <tr> <td> <p> June 14, 2026 </p> </td> <td> <p> KRYBIT/AuditTeam add government targeting </p> </td> <td> <p> KRYBIT, AuditTeam </p> </td> <td> <p> Expanded ransomware threat to public sector </p> </td> </tr> <tr> <td> <p> June 15, 2026 </p> </td> <td> <p> ShinyHunters posts Council of Europe breach (297 GB) </p> </td> <td> <p> ShinyHunters / UNC6040 </p> </td> <td> <p> 429,000 files including payroll and medical records </p> </td> </tr> <tr> <td> <p> June 15, 2026 </p> </td> <td> <p> CISA adds CVE-2026-20262 to KEV (Cisco SD-WAN) 
</p> </td> <td> <p> Unknown / CVE-2026-20262 </p> </td> <td> <p> Active exploitation of state WAN infrastructure </p> </td> </tr> <tr> <td> <p> June 15, 2026 </p> </td> <td> <p> CISA adds CVE-2026-54420 to KEV (LiteSpeed cPanel) </p> </td> <td> <p> Unknown / CVE-2026-54420 </p> </td> <td> <p> Root escalation on shared hosting </p> </td> </tr> <tr> <td> <p> June 15, 2026 </p> </td> <td> <p> APT29 deploys new government-targeting credential harvester </p> </td> <td> <p> APT29 (Russia SVR) </p> </td> <td> <p> Fresh IOC targeting government/telecom </p> </td> </tr> <tr> <td> <p> June 16, 2026 </p> </td> <td> <p> FortiSandbox triple exploitation observed in wild </p> </td> <td> <p> Unknown; AI-assisted exploit development confirmed / CVE-2026-39813, CVE-2026-39808, CVE-2026-25089 </p> </td> <td> <p> Unauthenticated RCE on network security appliances </p> </td> </tr> <tr> <td> <p> June 16, 2026 </p> </td> <td> <p> Adobe-spoof dual-RMM phishing campaign active </p> </td> <td> <p> Unattributed criminal </p> </td> <td> <p> ConnectWise + MSP360 delivery to government targets </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Cisco SD-WAN Manager: Your WAN Backbone Is Under Attack </strong>
</h3>
<p> CVE-2026-20262 allows an authenticated remote attacker to write arbitrary files to the Cisco Catalyst SD-WAN Manager (formerly vManage) filesystem, enabling privilege escalation to root. This is the <strong> second </strong> Cisco SD-WAN vulnerability added to CISA's KEV catalog in two weeks.
</p>
<p> <strong> Why this matters for state government: </strong> Cisco Catalyst SD-WAN is the primary WAN fabric for many state networks connecting agency offices, data centers, and field sites. Compromise of the management plane gives an attacker control over routing, traffic inspection, and network segmentation — effectively owning the network.
</p>
<p> <strong> Compounding risk: </strong> The HOOK SPIDER access broker (Russia-nexus) was observed refreshing U.S. government credential targeting as recently as June 15. Stolen credentials combined with this authenticated file-write vulnerability create a direct path to root on SD-WAN infrastructure.
</p>
<h3> <strong> 2. FortiSandbox Triple Exploitation — With AI-Assisted Exploit Development </strong>
</h3>
<p> Three FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are under active exploitation. All carry CVSS 9.1 scores. Two were patched in April 2026; one was patched last week. Critically, the CVE-2026-25089 exploit shows <strong> confirmed markers of AI-model-assisted development </strong> — a first for network security appliance exploitation.
</p>
<p> <strong> The AI dimension: </strong> While this particular exploit is currently faulty, it validates what threat intelligence has been tracking: AI-augmented exploit development is no longer theoretical. Expect exploit development timelines to compress by 40–60% for well-documented vulnerability classes. Your patch windows are shrinking in real time.
</p>
<h3> <strong> 3. Dual-RMM Phishing: Legitimate Tools as Weapons </strong>
</h3>
<p> A campaign using "Signed Non-Disclosure Agreement" themed emails spoofing Adobe is delivering <strong> both </strong> ConnectWise ScreenConnect and MSP360 RMM to targets. This dual-RMM approach provides attackers with redundant persistent access using tools that may already be authorized in your environment.
</p>
<p> This follows a pattern: adversaries are systematically rotating through legitimate remote management tools — NetSupport, MeshCentral, ConnectWise, MSP360 — to evade signature-based detection. The only scalable defense is a positive-security model: if an RMM tool isn't on your authorized list, its installation is an incident.
</p>
<h3> <strong> 4. APT29: Fresh Government-Targeting Malware </strong>
</h3>
<p> A new APT29-attributed Windows executable (SHA256: e5a6ca0d2a2a8727a7b05fc9ca77f41db7d9b704f499e3c9cebb13f25af385f3) was ingested on June 15 with government and telecommunications targeting tags. The sample demonstrates extensive capabilities including PowerShell execution, process injection, token impersonation, security tool disabling, browser credential theft, and sandbox evasion.
</p>
<p> <strong> Current assessment: </strong> Primary targeting appears focused on European and APAC government entities (Belgium, France, India, Ukraine). However, APT29 has historically pivoted to U.S. state government targets, and the credential-harvesting TTPs align with techniques used against federated identity systems common in state IT environments.
</p>
<h3> <strong> 5. Ransomware Operators Refreshing Government Targeting </strong>
</h3>
<p> REVENANT SPIDER (Qilin affiliate) confirmed direct ransomware deployment via CVE-2026-50751 (Check Point VPN bypass) on June 14, with government-public-services explicitly added as a targeting category. KRYBIT and AuditTeam ransomware groups have similarly expanded their target lists to include government. A "Pre-Ransomware Activity" campaign targeting government was detected in threat intelligence feeds on June 16.
</p>
<p> No new state/local government ransomware victim was confirmed in the past 24 hours — but this absence should not be mistaken for safety. Infrastructure refresh and explicit targeting declarations typically precede operational deployment by 7–14 days.
</p>
<h3> <strong> 6. CISA BOD 26-04: The New Patching Paradigm </strong>
</h3>
<p> CISA's Binding Operational Directive 26-04 (issued June 11) replaces the familiar BOD 22-01 with a risk-tiered framework:
</p>
<ul> <li> <strong> 3 days </strong> for KEV + internet-facing + automatable vulnerabilities </li> <li> <strong> 14 days </strong> for KEV + internet-facing </li> <li> <strong> 30 days </strong> for all other KEV entries </li>
</ul>
<p> While directly binding only on federal agencies, this directive will cascade to state governments through federal grant conditions, audit frameworks, and CISA partnership agreements. Most state patching SLAs (typically 14–30 days for critical vulnerabilities) are now misaligned with federal expectations.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional exploitation of Cisco SD-WAN infrastructure at state agencies </p> </td> <td> <p> <strong> 75% (HIGH) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Public PoC availability, KEV listing, state reliance on Cisco SD-WAN, access broker credential activity </p> </td> </tr> <tr> <td> <p> AI-assisted FortiSandbox exploit refined to working state and redistributed </p> </td> <td> <p> <strong> 50% (MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Confirmed AI development markers; current version faulty but iterative improvement expected </p> </td> </tr> <tr> <td> <p> REVENANT SPIDER / Qilin claims new state or local government ransomware victim </p> </td> <td> <p> <strong> 45% (MODERATE) </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Infrastructure refresh June 14–16, explicit government targeting added, pre-ransomware campaign detected </p> </td> </tr> <tr> <td> <p> Dual-RMM phishing campaign (CLU-219 pattern) hits state agency employees </p> </td> <td> <p> <strong> 60% (MODERATE-HIGH) </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Government targeting confirmed; Adobe/NDA lure is sector-agnostic; IOCs are fresh </p> </td> </tr> <tr> <td> <p> APT29 pivots credential harvester to U.S. state government targets </p> </td> <td> <p> <strong> 25% (LOW) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Current targeting EU/APAC; historical precedent for U.S. 
pivot exists but no direct evidence </p> </td> </tr> <tr> <td> <p> State agencies face compliance pressure from BOD 26-04 alignment requirements </p> </td> <td> <p> <strong> 70% (HIGH) </strong> </p> </td> <td> <p> 90 days </p> </td> <td> <p> Federal funding conditions historically cascade; CISA partnership frameworks will reference new directive </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<ol> <li> <strong> Cisco SD-WAN Manager File Write Detection </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), T1105 (Ingress Tool Transfer) </li> <li> <strong> Hunt hypothesis: </strong> Authenticated sessions to vManage API writing files outside expected directories, particularly to /etc/, /opt/cisco/, or cron directories </li> <li> <strong> Detection: </strong> Monitor vManage audit logs for file write operations by non-service accounts; alert on any new files in system directories created via HTTP API calls; baseline normal file write patterns and alert on deviation </li> <li> <strong> Defensive guidance: </strong> Restrict vManage management plane access to dedicated jump hosts only; enforce MFA on all SD-WAN administrative accounts; segment management network from data plane </li>
</ul>
<ol start="2"> <li> <strong> Dual-RMM Installation Detection </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1219 (Remote Access Software), T1566.002 (Spearphishing Link), T1204.001 (User Execution — Malicious Link) </li> <li> <strong> Hunt hypothesis: </strong> Two or more RMM tools installed on the same endpoint within a 24-hour window, where at least one is not on the agency's authorized RMM list </li> <li> <strong> Detection: </strong> Alert on ScreenConnect.ClientSetup.msi or MSP360 RMM agent installation on non-IT-admin workstations; monitor for outbound connections to *.screenconnect.com:443 and *.mspbackups.com from endpoints without authorized RMM; correlate with email gateway logs for "Signed Non-Disclosure Agreement" subject lines with external links </li> <li> <strong> Defensive guidance: </strong> Maintain an authorized RMM tool registry per agency; any unauthorized RMM installation = HIGH priority alert; block known C2 domains at web proxy </li>
</ul>
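<p> As an added illustration of the hunt hypothesis above (example code, not from this report or from Anomali), the following Python applies both rules to constructed endpoint install events: any RMM install missing from the agency's authorized registry is a HIGH alert, and two or more distinct RMM tools on one host within 24 hours, at least one unauthorized, raises the dual-RMM alert. The agency names, the authorized-RMM registry and the product-name matching are assumptions. </p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Authorized RMM registry per agency (assumed, constructed for this example).
AUTHORIZED_RMM = {
    "dot": {"ConnectWise ScreenConnect"},
    "revenue": set(),  # no RMM tool authorized at all
}

# Product-name fragments for RMM tools named in this report, mapped to a canonical name.
RMM_PRODUCTS = {
    "screenconnect": "ConnectWise ScreenConnect",
    "msp360": "MSP360 RMM",
    "netsupport": "NetSupport",
    "meshcentral": "MeshCentral",
}

WINDOW = timedelta(hours=24)

# Constructed software-install events: (agency, host, UTC timestamp, product name from the endpoint agent).
SAMPLE_EVENTS = [
    ("dot", "DOT-WS-017", "2026-06-16T09:12:00", "ScreenConnect.ClientSetup.msi"),
    ("dot", "DOT-WS-017", "2026-06-16T09:14:30", "MSP360 RMM Agent"),
    ("dot", "DOT-ADMIN-02", "2026-06-15T08:00:00", "ConnectWise ScreenConnect"),
    ("revenue", "REV-WS-101", "2026-06-14T11:00:00", "MeshCentral Agent"),
    ("revenue", "REV-WS-101", "2026-06-16T11:30:00", "MSP360 RMM Agent"),
    ("dot", "DOT-WS-040", "2026-06-16T10:00:00", "Microsoft Teams"),
]


def classify_rmm(product):
    """Return the canonical RMM name if the product is a known RMM tool, else None."""
    name = product.lower()
    for fragment, canonical in RMM_PRODUCTS.items():
        if fragment in name:
            return canonical
    return None


def detect_rmm_abuse(events, authorized=AUTHORIZED_RMM, window=WINDOW):
    """Return alerts as (severity, rule, agency, host, products) tuples.

    Rule 1 (unauthorized-rmm): any RMM install not in the agency's registry is a HIGH alert.
    Rule 2 (dual-rmm-24h): two or more distinct RMM tools on one host within `window`,
    at least one of them unauthorized.
    """
    alerts = []
    per_host = defaultdict(list)
    for agency, host, ts, product in events:
        rmm = classify_rmm(product)
        if rmm is None:
            continue  # not an RMM tool; ignore
        allowed = authorized.get(agency, set())
        if rmm not in allowed:
            alerts.append(("HIGH", "unauthorized-rmm", agency, host, (rmm,)))
        per_host[(agency, host)].append((datetime.fromisoformat(ts), rmm))

    for (agency, host), installs in per_host.items():
        installs.sort()  # chronological order, so later entries never precede t0
        allowed = authorized.get(agency, set())
        for i, (t0, _) in enumerate(installs):
            in_window = {rmm for t, rmm in installs[i:] if t - t0 <= window}
            if len(in_window) >= 2 and not in_window <= allowed:
                alerts.append(("HIGH", "dual-rmm-24h", agency, host, tuple(sorted(in_window))))
                break  # one alert per host is enough; avoid duplicates for every start point
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_abuse(SAMPLE_EVENTS):
        print(alert)
```

<p> Feed it the install events your EDR or software-inventory tool emits; the registry lookup is what turns RMM abuse detection into the positive-security model the report calls for. </p>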
<ol start="3"> <li> <strong> APT29 Credential Harvesting TTPs </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1059.001 (PowerShell), T1055 (Process Injection), T1134.001 (Token Impersonation), T1562.001 (Disable Security Tools), T1555.003 (Credentials from Web Browsers), T1497 (Virtualization/Sandbox Evasion) </li> <li> <strong> Hunt hypothesis: </strong> PowerShell processes spawning with token manipulation followed by browser credential store access, particularly on systems where security tools have been stopped or modified </li> <li> <strong> Detection: </strong> Deploy hash-based detection for e5a6ca0d2a2a8727a7b05fc9ca77f41db7d9b704f499e3c9cebb13f25af385f3; hunt for PowerShell with -TokenImpersonation or AdjustTokenPrivileges calls; alert on security service stop/disable events (T1562.001) followed by credential file access within 60 minutes </li> <li> <strong> Defensive guidance: </strong> Enable credential guard on Windows endpoints; restrict PowerShell to constrained language mode on non-admin workstations; monitor for browser credential store access by non-browser processes </li>
</ul>
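<p> An added correlation example (not part of this report) implementing the detection logic above: a security service stop or disable event (T1562.001) followed within 60 minutes by browser credential store access (T1555.003) from a non-browser process on the same host, plus the hash match on the sample named in this report. The service names, credential-store path markers and the normalised event format are assumptions. </p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# SHA-256 of the APT29 sample named in this report (from the IOC table).
APT29_SHA256 = {"e5a6ca0d2a2a8727a7b05fc9ca77f41db7d9b704f499e3c9cebb13f25af385f3"}

# Assumed service and process names; adjust to the agency's actual EDR/AV products.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "csfalconservice"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Path fragments identifying browser credential stores (Chromium "Login Data", Firefox logins.json / key4.db).
CREDENTIAL_STORE_MARKERS = ("\\login data", "\\logins.json", "\\key4.db")
WINDOW = timedelta(minutes=60)

CHROME_STORE = r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed endpoint telemetry, normalised to one dict per event.
SAMPLE_EVENTS = [
    {"ts": "2026-06-16T13:00:00", "host": "HOST-A", "type": "process_start",
     "process": "powershell.exe", "sha256": "0" * 64},  # placeholder hash, not a real IOC
    {"ts": "2026-06-16T13:05:00", "host": "HOST-A", "type": "service_stop", "service": "WinDefend"},
    {"ts": "2026-06-16T13:40:00", "host": "HOST-A", "type": "file_access",
     "process": "powershell.exe", "path": CHROME_STORE},          # 35 min after the stop: alert
    {"ts": "2026-06-16T14:00:00", "host": "HOST-B", "type": "service_stop", "service": "Spooler"},
    {"ts": "2026-06-16T14:10:00", "host": "HOST-B", "type": "file_access",
     "process": "powershell.exe", "path": CHROME_STORE},          # Spooler is not a security service
    {"ts": "2026-06-16T09:00:00", "host": "HOST-C", "type": "service_stop", "service": "WinDefend"},
    {"ts": "2026-06-16T11:00:00", "host": "HOST-C", "type": "file_access",
     "process": "powershell.exe", "path": CHROME_STORE},          # 120 min later: outside the window
    {"ts": "2026-06-16T14:50:00", "host": "HOST-D", "type": "service_stop", "service": "WinDefend"},
    {"ts": "2026-06-16T15:00:00", "host": "HOST-D", "type": "file_access",
     "process": "chrome.exe", "path": CHROME_STORE},              # the browser itself: benign
    {"ts": "2026-06-16T16:00:00", "host": "HOST-E", "type": "process_start",
     "process": "update.exe", "sha256": next(iter(APT29_SHA256))},
]


def security_service_stops(events):
    """Map host -> list of timestamps at which a security service was stopped or disabled."""
    stops = defaultdict(list)
    for e in events:
        if e["type"] == "service_stop" and e["service"].lower() in SECURITY_SERVICES:
            stops[e["host"]].append(datetime.fromisoformat(e["ts"]))
    return stops


def is_credential_store_access(e):
    """True for a browser credential store read by a process that is not a browser."""
    if e["type"] != "file_access" or e["process"].lower() in BROWSER_PROCESSES:
        return False
    path = e["path"].lower()
    return any(marker in path for marker in CREDENTIAL_STORE_MARKERS)


def detect_apt29_ttps(events, window=WINDOW):
    """Return (severity, rule, host, process) alerts for the hash match and the T1562.001 -> T1555.003 sequence."""
    alerts = []
    for e in events:
        if e["type"] == "process_start" and e.get("sha256", "").lower() in APT29_SHA256:
            alerts.append(("CRITICAL", "apt29-hash-match", e["host"], e["process"]))

    stops = security_service_stops(events)
    for e in events:
        if not is_credential_store_access(e):
            continue
        t = datetime.fromisoformat(e["ts"])
        # Fire only if a security service stop on the same host preceded this access within the window.
        if any(timedelta(0) <= t - s <= window for s in stops.get(e["host"], [])):
            alerts.append(("HIGH", "sectool-disable-then-cred-access", e["host"], e["process"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_apt29_ttps(SAMPLE_EVENTS):
        print(alert)
```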
<ol start="4"> <li> <strong> LiteSpeed cPanel Exploitation </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1505.003 (Web Shell), T1068 (Exploitation for Privilege Escalation), T1548.001 (Setuid/Setgid Abuse) </li> <li> <strong> Hunt hypothesis: </strong> Symlink creation in web-accessible directories pointing to system files, followed by privilege escalation to root </li> <li> <strong> Detection: </strong> Run the detection command on all cPanel servers: <code>grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2&gt;/dev/null</code> </li> <li> <strong> Defensive guidance: </strong> Update LiteSpeed cPanel plugin to ≥2.4.8 immediately; audit for existing web shells; restrict FTP access to known administrative IPs </li>
</ul>
<ol start="5"> <li> <strong> FortiSandbox Unauthenticated Access </strong> </li>
</ol>
<ul> <li> <strong> ATT&CK: </strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter) </li> <li> <strong> Hunt hypothesis: </strong> Unauthenticated HTTP requests to FortiSandbox management interfaces resulting in command execution </li> <li> <strong> Detection: </strong> Monitor FortiSandbox logs for authentication bypass indicators; alert on any command execution from unauthenticated sessions; inspect HTTP access logs for exploit patterns against management endpoints </li> <li> <strong> Defensive guidance: </strong> If FortiSandbox is internet-facing, restrict access immediately via ACL while patching; verify patches for CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 are applied </li>
</ul>
<h2> <strong> IOC Blocking Table </strong>
</h2>
<p> The following indicators are confirmed from intelligence collection and should be blocked or alerted upon immediately:
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> file-readers[.]gomera[.]com </p> </td> <td> <p> Phishing delivery — Adobe-spoof dual-RMM campaign </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> instance-ndmshy-relay[.]screenconnect[.]com </p> </td> <td> <p> ConnectWise ScreenConnect RAT C2 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> client[.]rmm[.]mspbackups[.]com </p> </td> <td> <p> MSP360 RMM C2 </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> rm[.]mspbackups[.]com </p> </td> <td> <p> MSP360 RMM WebSocket C2 </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> b480e6c4983d108513dcc09d021e49de </p> </td> <td> <p> ScreenConnect.ClientSetup.msi </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 386529af136fe96a23da6aaa39711e2b </p> </td> <td> <p> MSP360 RMM installer </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> e5a6ca0d2a2a8727a7b05fc9ca77f41db7d9b704f499e3c9cebb13f25af385f3 </p> </td> <td> <p> APT29 government-targeting credential harvester </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> bb128eb2f2277fc59cc9f7dcf4ca628a293a800afb7709b8cdb4505d249abb02 </p> </td> <td> <p> Associated malware sample </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Comptroller) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> ShinyHunters/UNC6040 mass exploitation of Oracle PeopleSoft (CVE-2026-35273) — state financial ERP systems running PeopleSoft are directly in the crosshairs </li> <li> <strong> Action: </strong> Verify PeopleSoft patches applied; audit for unauthorized database access since June 12; review PeopleSoft web server logs for exploitation indicators </li> <li> <strong> Secondary threat: </strong> Credential harvesting campaigns (APT29, phishing) targeting financial system administrators </li> <li> <strong> Action: </strong> Enforce phishing-resistant MFA (FIDO2) on all financial system admin accounts; review privileged access logs for anomalous authentication patterns </li>
</ul>
<h3> <strong> Energy (State-Regulated Utilities, Public Power) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> IRGC-affiliated Handala/VOID MANTICORE confirmed breach of California water utilities (June 12) — demonstrates active Iranian targeting of U.S. water/energy infrastructure </li> <li> <strong> Action: </strong> Verify OT/ICS network segmentation from IT networks; audit remote access to SCADA systems; confirm no shared credentials between IT and OT environments </li> <li> <strong> Secondary threat: </strong> FortiSandbox exploitation (CVE-2026-39813/39808/25089) — Fortinet appliances are common in utility network architectures </li> <li> <strong> Action: </strong> Inventory all Fortinet appliances in OT-adjacent networks; prioritize patching of internet-facing instances; implement network-level access restrictions to management interfaces </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Ransomware operators (REVENANT SPIDER/Qilin, KRYBIT) explicitly adding government-public-services targeting — health agencies hold high-value PII and face extreme pressure to restore services </li> <li> <strong> Action: </strong> Verify offline backup integrity for Medicaid and health records systems; test incident response playbooks for ransomware scenarios; confirm network segmentation between clinical/claims systems and general IT </li> <li> <strong> Secondary threat: </strong> Dual-RMM phishing campaign — healthcare administrative staff are high-value phishing targets </li> <li> <strong> Action: </strong> Deploy email gateway rules for "Signed Non-Disclosure Agreement" lures; brief staff on Adobe-spoofing tactics; block unauthorized RMM tools at endpoint level </li>
</ul>
<h3> <strong> Government (Executive Branch Agencies, Legislature, Courts) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Cisco SD-WAN Manager exploitation (CVE-2026-20262) — state WAN infrastructure compromise enables lateral movement across all connected agencies </li> <li> <strong> Action: </strong> Emergency patching of vManage; restrict management plane access; audit for unauthorized file writes on SD-WAN infrastructure </li> <li> <strong> Secondary threat: </strong> APT29 credential harvesting and HOOK SPIDER access broker activity targeting government credentials </li> <li> <strong> Action: </strong> Hunt for PowerShell-based credential theft TTPs; review dark web monitoring for state government credential listings; rotate credentials for any accounts with suspected exposure </li> <li> <strong> Tertiary threat: </strong> Pre-ransomware activity campaign detected targeting government — REVENANT SPIDER infrastructure refreshed June 14–16 </li> <li> <strong> Action: </strong> Elevate monitoring for lateral movement indicators (PsExec, WMI, RDP from unusual sources); verify EDR coverage on all domain controllers and file servers </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Airports, Port Authorities) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Supply chain compromise via legitimate vendor tools — ConnectWise ScreenConnect and MSP360 are commonly used by MSPs serving transportation agencies </li> <li> <strong> Action: </strong> Audit all third-party remote access tools in use by contractors and MSPs; verify each against authorized RMM registry; require MFA on all vendor remote access sessions </li> <li> <strong> Secondary threat: </strong> Nation-state targeting of transportation infrastructure — APT29 has historical interest in government-adjacent transportation networks </li> <li> <strong> Action: </strong> Review network segmentation between operational technology (traffic management, port systems) and administrative IT; ensure ICS/SCADA systems are not accessible via compromised IT credentials </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> 🔴 IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Patch Cisco Catalyst SD-WAN Manager to address CVE-2026-20262. Verify no unauthorized file writes on vManage filesystem. </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Active exploitation confirmed by CISA KEV. State WAN infrastructure at direct risk. </p> </td> </tr> <tr> <td> <p> Run LiteSpeed detection command on all cPanel shared hosting servers. Update plugin to ≥2.4.8. </p> </td> <td> <p> IT Operations </p> </td> <td> <p> BOD 26-04 mandates 3-day remediation. Active exploitation confirmed. </p> </td> </tr> <tr> <td> <p> Block phishing campaign IOCs at email gateway and web proxy: file-readers[.]gomera[.]com, instance-ndmshy-relay[.]screenconnect[.]com, client[.]rmm[.]mspbackups[.]com, rm[.]mspbackups[.]com. Block MD5 hashes at endpoint. </p> </td> <td> <p> SOC </p> </td> <td> <p> Active campaign targeting government with dual-RMM delivery. </p> </td> </tr> <tr> <td> <p> Alert on email subject line "Signed Non-Disclosure Agreement" with external links from non-Adobe domains. </p> </td> <td> <p> SOC / Email Security </p> </td> <td> <p> Direct detection of phishing lure in active campaign. </p> </td> </tr> <tr> <td> <p> Restrict Cisco vManage management plane access to dedicated jump hosts; enforce MFA on all SD-WAN admin accounts. </p> </td> <td> <p> Network Operations </p> </td> <td> <p> Reduces exploitation surface for authenticated file-write vulnerability. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 🟠 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Verify FortiSandbox appliances patched for CVE-2026-39813, CVE-2026-39808, CVE-2026-25089. If internet-facing, treat as IMMEDIATE. </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Triple CVSS 9.1 exploitation in wild; AI-assisted exploit development accelerates risk. </p> </td> </tr> <tr> <td> <p> Deploy EDR detection for APT29 SHA256 hash. Hunt for PowerShell token impersonation (T1134.001), security tool disabling (T1562.001), and browser credential theft (T1555.003). </p> </td> <td> <p> SOC </p> </td> <td> <p> Fresh nation-state malware targeting government sector. </p> </td> </tr> <tr> <td> <p> Establish authorized RMM tool registry per agency. Configure alerts for any RMM installation not on the approved list. </p> </td> <td> <p> SOC / Endpoint Team </p> </td> <td> <p> Converts RMM abuse detection gap into positive-security model. </p> </td> </tr> <tr> <td> <p> Review Oracle PeopleSoft patching status for CVE-2026-35273 (CVSS 9.8). Audit database access logs since June 12. </p> </td> <td> <p> ERP / Database Team </p> </td> <td> <p> <strong> ShinyHunters mass exploitation of ~100 organizations; state PeopleSoft instances are high-value targets. </strong> </p> </td> </tr> </tbody>
</table>
<h3> <strong> 🟡 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Rationale </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Brief executive leadership on CISA BOD 26-04 implications. Assess state patching SLAs against new 3-day/14-day/30-day framework. Determine federal funding compliance requirements. </p> </td> <td> <p> CISO / CIO </p> </td> <td> <p> New federal patching paradigm will cascade to states via grant conditions and audit frameworks. </p> </td> </tr> <tr> <td> <p> Develop behavioral detection for dual-RMM installation patterns (any two RMM tools on same endpoint within 24 hours). </p> </td> <td> <p> SOC / Detection Engineering </p> </td> <td> <p> Adversaries rotating through legitimate RMM tools; signature-based detection is insufficient. </p> </td> </tr> <tr> <td> <p> <strong> Evaluate SD-WAN vendor diversification for critical network segments given recurring Cisco SD-WAN vulnerabilities. </strong> </p> </td> <td> <p> Network Architecture / CISO </p> </td> <td> <p> Two KEV entries in two weeks indicates systemic vendor risk concentration. </p> </td> </tr> <tr> <td> <p> Conduct tabletop exercise for ransomware scenario targeting state government services, incorporating REVENANT SPIDER/Qilin TTPs and Check Point VPN initial access vector. </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> Ransomware operators have explicitly added government targeting; infrastructure refresh indicates imminent operations. </p> </td> </tr> <tr> <td> <p> Assess OT/ICS network segmentation posture for water/wastewater and transportation systems given confirmed Iranian targeting of U.S. water utilities. </p> </td> <td> <p> CISO / OT Security </p> </td> <td> <p> <strong> Handala/VOID MANTICORE breach of California water utilities (June 12) demonstrates direct threat to state critical infrastructure. </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government IT systems is defined by speed and convergence. Exploit development is accelerating through AI assistance. Patch mandates are compressing from weeks to days. Ransomware operators are explicitly naming government as a target category while refreshing their infrastructure. And nation-state actors continue to harvest credentials from government networks with fresh tooling.
</p>
<p> The three actions that matter most this week:
</p>
<ol> <li> <strong> Patch your Cisco SD-WAN Manager today. </strong> Not this sprint. Not next maintenance window. Today. Active exploitation is confirmed, and your WAN backbone is the keys to every agency on your network. </li> <li> <strong> Block the dual-RMM phishing IOCs within hours. </strong> This campaign is active, targeting government, and delivers persistent access through tools your security stack may trust by default. </li> <li> <strong> Start the BOD 26-04 conversation with your CIO now. </strong> The 3-day patching mandate is coming to state government through federal funding conditions. The agencies that prepare now will adapt; those that wait will scramble during their first audit finding. </li>
</ol>
<p> The adversaries are not waiting. Neither should we.
</p>
<p> <em> Published June 16, 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional IOC feeds, contact your Anomali representative or access indicators directly via Anomali ThreatStream Next-Gen. </em>
</p>