All Posts
Anomali Cyber Watch
Public Sector
1
min read

Critical Cisco SD-WAN Zero-Day and Government Cloud Credential Harvesting Demand Immediate State Agency Response

Published on
May 15, 2026
Table of Contents
<p> <strong> Threat Assessment Level: ELEVATED </strong> (trending toward HIGH) </p> <p> <em> Changed from: Maintained at ELEVATED from prior cycle (2026-05-14). Escalation to HIGH pending confirmation of direct exploitation against U.S. state government networks. The addition of a new CVSS 10.0 vulnerability in state WAN backbone infrastructure and confirmed government cloud credential targeting by supply chain malware increases pressure toward escalation. </em> </p> <h2> <strong> Executive Summary </strong> </h2> <p> State government IT leaders face a convergence of threats this week that demand immediate attention. A new critical authentication bypass in Cisco Catalyst SD-WAN &mdash; the backbone of many state wide-area networks &mdash; has been added to CISA's Known Exploited Vulnerabilities catalog. Simultaneously, a sophisticated supply chain worm is actively harvesting AWS GovCloud credentials from compromised developer environments, with OpenAI confirmed as a victim. Five nation-state adversary groups remain active against government targets, and a wave of industrial control system advisories affects equipment deployed in state water and building automation environments. </p> <p> This is not a theoretical risk briefing. These are active campaigns with confirmed victims and government-specific targeting. </p> <h2> <strong> What Changed This Cycle </strong> </h2> <table> <thead> <tr> <th> <p> Development </p> </th> <th> <p> Why It Matters to State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-20182 </strong> &mdash; Cisco SD-WAN CVSS 10.0 auth bypass disclosed (May 14) </p> </td> <td> <p> Many states use Cisco Catalyst SD-WAN as their inter-agency network fabric. Complete administrative takeover possible without credentials. </p> </td> </tr> <tr> <td> <p> <strong> TeamPCP/Shai-Hulud </strong> worm confirmed targeting AWS GovCloud zones (May 15) </p> </td> <td> <p> The worm explicitly enumerates us-gov-east-1 and us-gov-west-1 &mdash; zones restricted to government agencies. This is purpose-built government targeting. </p> </td> </tr> <tr> <td> <p> <strong> Siemens ICS advisory batch </strong> &mdash; 8 advisories including SIMATIC CN 4100 and Ruggedcom ROX (May 14) </p> </td> <td> <p> Affects communication nodes and ruggedized switches deployed in state water treatment, transportation, and building automation. </p> </td> </tr> <tr> <td> <p> <strong> China-nexus SLICKDEMON </strong> malware via DAEMON Tools supply chain (updated May 14) </p> </td> <td> <p> Government explicitly listed as a target sector. New supply chain vector using legitimate disk imaging software. </p> </td> </tr> <tr> <td> <p> <strong> ClickFix + NETSUPPORT RAT </strong> campaigns targeting government (updated May 14) </p> </td> <td> <p> Social engineering technique tricks state employees into running malicious PowerShell &mdash; deploys remote access trojan. </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater (Iran/MOIS) </strong> deploys Chaos ransomware as false-flag covering espionage (May 11) </p> </td> <td> <p> Destructive ransomware payload masks underlying intelligence-collection mission; state agencies may misclassify incident as financially motivated. </p> </td> </tr> <tr> <td> <p> <strong> Akira (PUNK SPIDER) and Qilin (REVENANT SPIDER) </strong> ransomware groups update operations (May 15) </p> </td> <td> <p> Both groups remain operationally active with state and local government among preferred target sectors. </p> </td> </tr> <tr> <td> <p> <strong> Cloud phishing infrastructure </strong> abusing Google App Engine and Azure App Service (ongoing) </p> </td> <td> <p> Over 100 unique appspot.com subdomains identified hosting Microsoft 365 credential harvesting pages; hosted on legitimate cloud platforms to bypass domain reputation filters. </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Severity </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-05-08 </p> </td> <td> <p> CISA adds CVE-2026-6973 (Ivanti EPMM zero-day) to KEV catalog </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-11 </p> </td> <td> <p> MuddyWater (Iran/MOIS) deploys Chaos ransomware as false-flag covering espionage </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-11 </p> </td> <td> <p> TeamPCP compromises 170+ npm/PyPI packages via TanStack supply chain attack </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-12 </p> </td> <td> <p> MISTBRICK malware deployed via Ivanti CVE-2026-1281/CVE-2026-1340 against government targets </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-12 </p> </td> <td> <p> CISA publishes 7 ICS advisories (ABB AC500 V3, Fuji Electric Tellus HMI) </p> </td> <td> <p> <strong> ELEVATED </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-14 </p> </td> <td> <p> CVE-2026-20182 disclosed &mdash; Cisco SD-WAN CVSS 10.0 authentication bypass </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-14 </p> </td> <td> <p> Siemens ICS advisory batch: SIMATIC CN 4100, Ruggedcom ROX &times;4, Simcenter, Teamcenter </p> </td> <td> <p> <strong> ELEVATED </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-14 </p> </td> <td> <p> China-nexus SLICKDEMON campaign updated &mdash; government targeting confirmed </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-15 </p> </td> <td> <p> OpenAI confirms employee compromise via Shai-Hulud; AWS GovCloud credential targeting revealed </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> </tr> <tr> <td> <p> 2026-05-15 </p> </td> <td> <p> Akira (PUNK SPIDER) and Qilin (REVENANT SPIDER) ransomware groups update operations </p> </td> <td> <p> <strong> ELEVATED </strong> </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Cisco SD-WAN: Your State Network Backbone Is at Risk </strong> </h3> <p> <strong> CVE-2026-20182 </strong> is a peering authentication bypass in Cisco Catalyst SD-WAN Controller/Manager that allows unauthenticated remote attackers to gain full administrative NETCONF access. An attacker exploiting this vulnerability can manipulate the entire SD-WAN fabric configuration &mdash; effectively controlling routing, segmentation, and traffic flow across all connected state agency sites. </p> <p> This is the <strong> second CVSS 10.0 </strong> in this product family in three months (following CVE-2026-20127 from February 2026). The February vulnerabilities are already being actively exploited in the wild. The new vulnerability introduces an additional attack vector in the control connection handshake. </p> <p> <strong> Bottom line: </strong> If your state uses Cisco Catalyst SD-WAN for inter-agency connectivity, a successful exploitation could segment or surveil the entire state network. </p> <h3> <strong> 2. Supply Chain Worm Targeting Government Cloud Credentials </strong> </h3> <p> The <strong> TeamPCP </strong> threat group has executed one of the most significant supply chain attacks of 2026. Their <strong> Shai-Hulud </strong> worm compromised 170+ packages across npm and PyPI ecosystems, including widely-used TanStack libraries. The worm: </p> <ul> <li> <strong> Explicitly targets AWS GovCloud </strong> &mdash; enumerating all 19 AWS availability zones including the government-restricted us-gov-east-1 and us-gov-west-1 </li> <li> <strong> Exfiltrates credentials </strong> from source code repositories, CI/CD pipelines, and environment variables </li> <li> <strong> Uses a novel fallback C2 mechanism (FIRESCALE) </strong> that scans ALL public GitHub commit messages for RSA-4096 signed alternative server URLs &mdash; making takedown extremely difficult </li> <li> <strong> Activates destructive payloads </strong> (file deletion) on machines geolocated to Israel or Iran, while exiting on Russian-locale systems </li> </ul> <p> Confirmed victims include OpenAI (two employee devices compromised), with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI also affected. Any state agency developer environment using these packages is at risk. </p> <p> <strong> Primary C2: </strong> 83.142.209[.]194 </p> <h3> <strong> 3. Nation-State Actor Landscape </strong> </h3> <p> Five nation-state adversary groups remain active against government targets: </p> <table> <thead> <tr> <th> <p> Actor </p> </th> <th> <p> Origin </p> </th> <th> <p> Current Activity </p> </th> <th> <p> Primary Concern </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Volt Typhoon / Salt Typhoon </strong> </p> </td> <td> <p> China (PLA/MSS) </p> </td> <td> <p> Silent pre-positioning in critical infrastructure </p> </td> <td> <p> Highest-consequence scenario &mdash; living-off-the-land makes detection extremely difficult </p> </td> </tr> <tr> <td> <p> <strong> Kimsuky / APT43 </strong> </p> </td> <td> <p> North Korea (RGB) </p> </td> <td> <p> LLM-assisted spear-phishing, VSCode tunnel C2 </p> </td> <td> <p> Credential theft targeting government employees </p> </td> </tr> <tr> <td> <p> <strong> MuddyWater </strong> </p> </td> <td> <p> Iran (MOIS) </p> </td> <td> <p> Chaos ransomware as false-flag for espionage </p> </td> <td> <p> Destructive capability masked as financially motivated </p> </td> </tr> <tr> <td> <p> <strong> VENOMOUS BEAR / Turla </strong> </p> </td> <td> <p> Russia (FSB) </p> </td> <td> <p> Refreshed Kazuar RAT variants </p> </td> <td> <p> Long-term persistent access to government networks </p> </td> </tr> <tr> <td> <p> <strong> China-nexus (unattributed) </strong> </p> </td> <td> <p> China </p> </td> <td> <p> SLICKDEMON via DAEMON Tools supply chain </p> </td> <td> <p> Government, education, telecom targeting across 7 countries </p> </td> </tr> </tbody> </table> <p> <strong> Critical absence to note: </strong> No Volt Typhoon activity was detected this cycle. For a living-off-the-land actor that has already achieved persistence in critical infrastructure, silence is not reassurance &mdash; it likely indicates successful persistence without triggering detections. </p> <h3> <strong> 4. Industrial Control Systems Under Pressure </strong> </h3> <p> Fourteen ICS advisories have been published in the past week affecting systems deployed in state-coordinated OT environments: </p> <ul> <li> <strong> Siemens SIMATIC CN 4100 </strong> &mdash; communication nodes in industrial automation </li> <li> <strong> Siemens Ruggedcom ROX </strong> (4 advisories) &mdash; ruggedized switches in utility and transportation networks </li> <li> <strong> ABB AC500 V3 PLCs </strong> &mdash; programmable logic controllers in water treatment </li> <li> <strong> Fuji Electric Tellus HMI </strong> (CVE-2026-8108) &mdash; human-machine interfaces in building automation </li> <li> <strong> Universal Robots </strong> &mdash; authentication bypass in robotic systems </li> </ul> <p> These systems are often managed by separate OT teams with different patching cadences than enterprise IT. Coordination is essential. </p> <h3> <strong> 5. Social Engineering Evolution: ClickFix Campaigns </strong> </h3> <p> A growing wave of <strong> ClickFix </strong> campaigns is specifically targeting government sector employees. The technique presents fake browser update or error messages that instruct users to copy and paste PowerShell commands &mdash; effectively tricking them into executing malware. The current campaign deploys <strong> NETSUPPORT RAT </strong> for persistent remote access. </p> <p> This technique bypasses traditional email security because the initial lure often comes through compromised legitimate websites or search engine results rather than email. </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional TeamPCP supply chain victims disclosed (state agencies potentially among them) </p> </td> <td> <p> <strong> 75% </strong> </p> </td> <td> <p> Next 72 hours </p> </td> <td> <p> 170+ packages compromised; only a handful of victims publicly confirmed so far </p> </td> </tr> <tr> <td> <p> Exploitation attempts against CVE-2026-20182 increase significantly </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> Next 7 days </p> </td> <td> <p> February CVEs already exploited; new advisory details lower the exploitation bar </p> </td> </tr> <tr> <td> <p> Ransomware incident against a U.S. state/local government entity </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Next 14 days </p> </td> <td> <p> Akira and Qilin both operationally active; state/local gov remains a preferred target </p> </td> </tr> <tr> <td> <p> Volt Typhoon activity surfaces in state critical infrastructure </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> Next 30 days </p> </td> <td> <p> Continued silence from a confirmed pre-positioned actor increases probability of eventual detection or activation </p> </td> </tr> <tr> <td> <p> Copycat supply chain attacks inspired by TeamPCP's "$1,000 Monero contest" </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> Next 30 days </p> </td> <td> <p> Public gamification of supply chain attacks may attract additional actors </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> What to Detect </p> </th> <th> <p> ATT&amp;CK Technique </p> </th> <th> <p> Detection Logic </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> Cisco SD-WAN unauthorized NETCONF access </p> </td> <td> <p> <strong> T1190 </strong> , <strong> T1078 </strong> </p> </td> <td> <p> Alert on NETCONF sessions from non-management IPs; monitor for configuration changes outside change windows </p> </td> </tr> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> Shai-Hulud C2 communication </p> </td> <td> <p> <strong> T1071.001 </strong> , <strong> T1567 </strong> </p> </td> <td> <p> Block/alert on traffic to 83.142.209[.]194; monitor for unexpected outbound connections from CI/CD build servers </p> </td> </tr> <tr> <td> <p> <strong> P1 </strong> </p> </td> <td> <p> ClickFix PowerShell execution </p> </td> <td> <p> <strong> T1204.001 </strong> , <strong> T1059.001 </strong> </p> </td> <td> <p> Alert on PowerShell spawned as child process of any browser (chrome.exe, msedge.exe, firefox.exe) with -enc or -encodedcommand flags </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> FIRESCALE GitHub C2 fallback </p> </td> <td> <p> <strong> T1102 </strong> </p> </td> <td> <p> Monitor for GitHub API calls (api.github.com/search/commits) from non-developer endpoints or build servers </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> AWS GovCloud credential exfiltration </p> </td> <td> <p> <strong> T1552.001 </strong> , <strong> T1134 </strong> </p> </td> <td> <p> Alert on AWS API calls from unexpected source IPs; monitor for enumeration of us-gov-* regions from developer workstations </p> </td> </tr> <tr> <td> <p> <strong> P2 </strong> </p> </td> <td> <p> NETSUPPORT RAT persistence </p> </td> <td> <p> <strong> T1219 </strong> , <strong> T1547.001 </strong> </p> </td> <td> <p> Detect NETSUPPORT Manager installation artifacts; monitor registry Run keys for unexpected remote access tools </p> </td> </tr> <tr> <td> <p> <strong> P3 </strong> </p> </td> <td> <p> Volt Typhoon living-off-the-land </p> </td> <td> <p> <strong> T1078 </strong> , <strong> T1072 </strong> </p> </td> <td> <p> Hunt for legitimate admin tool usage (ntdsutil, netsh, wmic) from unexpected user accounts or at unusual times </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3> <ul> <li> <strong> <strong> Hypothesis: </strong> TeamPCP supply chain compromise has already affected state developer environments. </strong> </li> </ul> <ul> <li> <strong> Hunt: </strong> Query package manager logs for any TanStack, UiPath, Mistral AI, OpenSearch, or Guardrails AI npm/PyPI packages installed after May 11. Check CI/CD pipeline execution logs for unexpected network connections to 83.142.209[.]194. </li> </ul> <ul> <li> <strong> <strong> Hypothesis: </strong> Cisco SD-WAN controllers have been probed or exploited via CVE-2026-20182 or predecessor CVEs. </strong> </li> </ul> <ul> <li> <strong> Hunt: </strong> Review SD-WAN controller authentication logs for failed/anomalous peering attempts. Check NETCONF session logs for configuration reads or changes from unrecognized sources. </li> </ul> <ul> <li> <strong> <strong> Hypothesis: </strong> ClickFix has already delivered NETSUPPORT to state employee endpoints. </strong> </li> </ul> <ul> <li> <strong> Hunt: </strong> Search EDR telemetry for PowerShell execution with encoded commands spawned by browser processes in the past 14 days. Look for NETSUPPORT Manager client installations not deployed by IT. </li> </ul> <ul> <li> <strong> <strong> Hypothesis: </strong> Volt Typhoon maintains persistence in state network infrastructure. </strong> </li> </ul> <ul> <li> <strong> Hunt: </strong> Audit all administrative account usage on network devices (routers, switches, firewalls) for the past 90 days. Flag any use of built-in admin tools (ntdsutil, netsh, wmic) from service accounts or at off-hours. </li> </ul> <h3> <strong> IOC Blocking Actions </strong> </h3> <table> <thead> <tr> <th> <p> Type </p> </th> <th> <p> Indicator </p> </th> <th> <p> Context </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 83.142.209[.]194 </p> </td> <td> <p> TeamPCP/Shai-Hulud primary C2 server </p> </td> </tr> </tbody> </table> <p> <strong> Note: </strong> Additional IOCs for all campaigns discussed in this report &mdash; including file hashes, additional network indicators, and phishing infrastructure &mdash; are available through Anomali ThreatStream Next-Gen and partner feeds. Contact your Anomali representative for access. </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Comptroller) </strong> </h3> <p> <strong> Primary threat: </strong> TeamPCP credential harvesting targeting financial system API keys and AWS credentials used for tax processing and payment systems </p> <p> <strong> Action: </strong> Audit all npm/PyPI dependencies in citizen-facing financial applications (tax portals, payment gateways). Rotate all AWS IAM keys accessible from development environments. Enable MFA on all service accounts with access to financial data stores. </p> <p> <strong> Monitor: </strong> Unusual AWS API calls to S3 buckets containing tax records or payment data, especially from new source IPs or GovCloud region enumeration. </p> <h3> <strong> Energy &amp; Utilities (State-Coordinated Water, Power, Transportation) </strong> </h3> <p> <strong> Primary threat: </strong> Siemens SIMATIC CN 4100 and Ruggedcom ROX vulnerabilities in water treatment and transportation SCADA networks; Volt Typhoon pre-positioning </p> <p> <strong> Action: </strong> Coordinate with OT teams to inventory Siemens SIMATIC CN 4100 and Ruggedcom ROX deployments. Apply patches per ICSA-26-134-10/11/12/16. Verify network segmentation between IT and OT environments. Conduct 90-day audit of administrative access to OT network devices. </p> <p> <strong> Monitor: </strong> Any IT-to-OT lateral movement attempts; unusual NETCONF or SNMP traffic to industrial switches; administrative tool usage on OT-adjacent systems outside maintenance windows. </p> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <p> <strong> Primary threat: </strong> Ransomware (Akira/Qilin) targeting healthcare data; ClickFix social engineering against health agency staff; supply chain compromise of health IT applications </p> <p> <strong> Action: </strong> Verify offline backup integrity for Medicaid enrollment and claims systems. Brief health agency staff on ClickFix lure techniques (fake browser updates). Audit third-party health IT vendor access for supply chain exposure. </p> <p> <strong> Monitor: </strong> PowerShell execution from browser processes on health agency endpoints; unusual data exfiltration volumes from health record databases; ransomware precursor activity (Cobalt Strike beacons, credential dumping). </p> <h3> <strong> Government (Executive Branch Agencies, Legislative Support) </strong> </h3> <p> <strong> Primary threat: </strong> Nation-state espionage (Kimsuky credential theft, MuddyWater false-flag ransomware); Cisco SD-WAN exploitation disrupting inter-agency communications </p> <p> <strong> Action: </strong> Confirm Cisco SD-WAN patch status across all agency sites. Enable advanced audit logging on Microsoft 365 (EWS API, Azure AD sign-ins). Brief executives on callback phishing and ClickFix techniques. Review VSCode Remote Tunnel policies &mdash; disable if not operationally required. </p> <p> <strong> Monitor: </strong> Anomalous Azure AD sign-ins (impossible travel, new device registrations); SD-WAN configuration changes outside change windows; VSCode tunnel connections from non-developer endpoints. </p> <h3> <strong> Aviation &amp; Logistics (State DOT, Airport Authorities, Port Systems) </strong> </h3> <p> <strong> Primary threat: </strong> ICS/SCADA vulnerabilities in traffic management and port automation systems; China-nexus supply chain targeting transportation sector </p> <p> <strong> Action: </strong> Inventory Universal Robots and Siemens deployments in port/airport automation. Review DAEMON Tools usage on engineering workstations (SLICKDEMON vector). Verify air-gapping of traffic management systems from enterprise networks. </p> <p> <strong> Monitor: </strong> Authentication anomalies on robotic/automation systems; unexpected software installations on engineering workstations; network connections from OT segments to internet-facing infrastructure. </p> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Owner </p> </th> <th> <p> Rationale </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Verify Cisco Catalyst SD-WAN Manager/Controller is patched to version 20.18+ or apply cisco-sa-sdwan-rpa2-v69WY2SW mitigation </p> </td> <td> <p> Network Operations </p> </td> <td> <p> CVE-2026-20182 is CVSS 10.0, KEV-listed, and predecessor CVEs are actively exploited. This is your WAN backbone. </p> </td> </tr> <tr> <td> <p> Block 83.142.209[.]194 at perimeter firewalls and DNS sinkholes </p> </td> <td> <p> SOC / Network Security </p> </td> <td> <p> Primary C2 for Shai-Hulud supply chain worm actively targeting government cloud credentials </p> </td> </tr> <tr> <td> <p> Audit npm/PyPI dependencies across all state development environments for TanStack and related compromised packages (installed after May 11) </p> </td> <td> <p> DevOps / Application Teams </p> </td> <td> <p> 170+ packages compromised; worm specifically targets AWS GovCloud credentials </p> </td> </tr> <tr> <td> <p> Deploy EDR detection rule: alert on PowerShell spawned by browser processes with encoded commands </p> </td> <td> <p> SOC / Endpoint Security </p> </td> <td> <p> ClickFix campaigns actively targeting government employees </p> </td> </tr> <tr> <td> <p> Rotate AWS IAM credentials on all developer workstations with GovCloud access </p> </td> <td> <p> Cloud Operations </p> </td> <td> <p> Shai-Hulud explicitly enumerates and exfiltrates GovCloud zone credentials </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Owner </p> </th> <th> <p> Rationale </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Patch Siemens SIMATIC CN 4100 and Ruggedcom ROX per ICSA-26-134-10/11/12/16 advisories </p> </td> <td> <p> OT / Facilities Teams </p> </td> <td> <p> Exploitation could compromise water treatment and building automation systems </p> </td> </tr> <tr> <td> <p> Implement network detection for GitHub API commit search calls from non-developer endpoints </p> </td> <td> <p> SOC / Network Security </p> </td> <td> <p> FIRESCALE C2 fallback mechanism scans GitHub commits for signed C2 URLs </p> </td> </tr> <tr> <td> <p> Enable CloudTrail alerts for AWS API calls from unexpected geolocations and for us-gov-* region enumeration </p> </td> <td> <p> Cloud Security </p> </td> <td> <p> Early warning of credential abuse from Shai-Hulud compromise </p> </td> </tr> <tr> <td> <p> Conduct targeted threat hunt for Volt Typhoon TTPs across network infrastructure </p> </td> <td> <p> SOC / Threat Hunting </p> </td> <td> <p> Continued silence from a confirmed pre-positioned actor warrants proactive validation </p> </td> </tr> <tr> <td> <p> Brief all agency IT liaisons on ClickFix social engineering technique with visual examples </p> </td> <td> <p> Security Awareness </p> </td> <td> <p> Government-targeted campaigns active; user recognition is the primary defense </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Owner </p> </th> <th> <p> Rationale </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Commission architecture review of WAN resilience &mdash; assess single-vendor concentration risk in Cisco SD-WAN </p> </td> <td> <p> CISO / Enterprise Architecture </p> </td> <td> <p> Two CVSS 10.0 vulnerabilities in 3 months in the same product family indicates systemic risk </p> </td> </tr> <tr> <td> <p> Operationalize Software Bill of Materials (SBOM) for all citizen-facing applications </p> </td> <td> <p> DevOps / Procurement </p> </td> <td> <p> Four active supply chain campaigns in the past week; inventory is prerequisite to defense </p> </td> </tr> <tr> <td> <p> Inventory and evaluate DAEMON Tools usage across state endpoints &mdash; remove or replace if non-essential </p> </td> <td> <p> IT Operations / Endpoint Mgmt </p> </td> <td> <p> China-nexus SLICKDEMON campaign uses trojanized versions for government network access </p> </td> </tr> <tr> <td> <p> Establish secondary OSINT intelligence collection capability with automatic failover </p> </td> <td> <p> CISO / CTI Team </p> </td> <td> <p> Single-provider dependency has created a 6-day intelligence gap affecting legislative monitoring and threat corroboration </p> </td> </tr> <tr> <td> <p> Conduct tabletop exercise: "Ransomware + SD-WAN compromise" dual-incident scenario </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> Tests response capability for the most probable compound scenario given current threat landscape </p> </td> </tr> </tbody> </table> <h3> <strong> Executive / IR Preparedness </strong> </h3> <ul> <li> <strong> Update incident response playbooks </strong> to include supply chain compromise scenarios (npm/PyPI package contamination &rarr; credential theft &rarr; cloud infrastructure access) </li> <li> <strong> Pre-authorize emergency patching </strong> for CVSS 10.0 vulnerabilities without standard change advisory board delays </li> <li> <strong> Establish communication plan </strong> for potential SD-WAN outage affecting inter-agency connectivity </li> <li> <strong> Review cyber insurance coverage </strong> for supply chain compromise scenarios &mdash; confirm coverage extends to third-party package contamination </li> </ul> <h2> <strong> Cloud Phishing Infrastructure Alert </strong> </h2> <p> Intelligence this cycle identified an extensive phishing infrastructure abusing <strong> Google App Engine </strong> (*.appspot.com) and <strong> Azure App Service </strong> (*.azurewebsites.net) to host credential harvesting pages impersonating Microsoft 365 login portals. Over 100 unique appspot.com subdomains were identified hosting phishing content targeting Office 365, SharePoint, and OneDrive credentials. </p> <p> <strong> Key indicators of this campaign: </strong> </p> <ul> <li> Domains follow patterns like login-microsoft-office365.df.r.appspot[.]com, outlook-office365-signin.el.r.appspot[.]com, and sharepoint-secure-online.df.r.appspot[.]com </li> <li> Typosquatting variants: mlcrosoft-0nedrive-portal, logln-micr0s0ft-0nline, outlook-0ffice365-0nline </li> <li> Hosted on legitimate cloud infrastructure to bypass domain reputation filters </li> </ul> <p> <strong> SOC Action: </strong> Update web proxy and CASB policies to flag *.r.appspot.com URLs containing Microsoft/Office365/SharePoint keywords in the subdomain. These are not legitimate Microsoft services. </p> <h2> <strong> Bottom Line </strong> </h2> <p> The threat landscape facing state government networks is intensifying across multiple vectors simultaneously. The combination of a CVSS 10.0 vulnerability in WAN backbone infrastructure, purpose-built government cloud credential harvesting, and persistent nation-state pre-positioning creates a compound risk that exceeds any single threat in isolation. </p> <p> The window between vulnerability disclosure and active exploitation continues to shrink. CVE-2026-20182's predecessor was weaponized within weeks. The TeamPCP supply chain worm is already harvesting credentials from government-restricted cloud zones. These are not future risks &mdash; they are present-tense operational realities. </p> <p> <strong> Three decisions for state IT leadership today: </strong> </p> <ul> <li> <strong> <strong> Confirm your SD-WAN is patched. </strong> Call your network team. Get a definitive answer within 24 hours. This is your inter-agency communications backbone. </strong> </li> </ul> <ul> <li> <strong> Audit your software supply chain. </strong> If your developers use npm or PyPI packages from any of the 170+ compromised libraries, assume credential exposure and rotate keys immediately. </li> </ul> <ul> <li> <strong> Hunt, don't just monitor. </strong> Volt Typhoon's silence is not absence. ClickFix bypasses email security. Supply chain worms don't trigger perimeter alerts. Your SOC needs to be actively hunting, not waiting for alerts. </li> </ul> <p> The adversaries are not waiting. Neither should you. </p> <p> <em> Published 2026-05-15 by the Anomali CTI Desk. For questions or additional IOC feeds, contact your Anomali representative or access indicators directly via Anomali ThreatStream Next-Gen. </em> </p>

FEATURED RESOURCES

July 10, 2026
Anomali Cyber Watch

Iranian Cyber Operations Reach Inflection Point: FortiBleed Pipeline Weaponized, Multi-Actor Convergence Accelerates

Read More
July 10, 2026
Anomali Cyber Watch
Public Sector

Critical ColdFusion Vulnerability, New Phishing-as-a-Service Platform, and Russian Infrastructure Refresh Demand Immediate State Government Action

Read More
July 8, 2026
Anomali Cyber Watch
Public Sector

Critical Vulnerabilities and Novel Attack Techniques Threaten State Government Networks

Read More
Explore All