<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> Elevated from GUARDED. Two actively exploited critical vulnerabilities directly affecting state government infrastructure, a novel Microsoft 365 credential theft technique, and expanding Chinese APT relay networks collectively compress the risk window for state agencies. </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate executive attention. CISA added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 7 — one scoring a perfect CVSS 10.0 — both targeting software commonly deployed across state agencies. Simultaneously, a new credential theft toolset renders traditional phishing defenses ineffective against Microsoft 365 environments, and Chinese intelligence services are expanding infrastructure that could silently conscript state networking equipment into espionage relay networks.
</p>
<p> This is not a theoretical risk assessment. Active exploitation is confirmed. The decisions state CIOs and CISOs make in the next 48–72 hours will determine whether their agencies become the next headline.
</p>
<h2> <strong> What Changed </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-48282 </strong> (Adobe ColdFusion, CVSS 10.0) added to CISA KEV — active exploitation confirmed </p> </td> <td> <p> State agencies widely use legacy ColdFusion applications for citizen-facing services. Unauthenticated RCE with no user interaction required. </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-48908 </strong> (Joomla SP Page Builder, CVSS 9.8) added to CISA KEV — active exploitation confirmed </p> </td> <td> <p> Multiple state agencies use Joomla with SP Page Builder for public portals. Unauthenticated file upload leads to webshell deployment. </p> </td> </tr> <tr> <td> <p> <strong> DEBULL toolset </strong> disclosed — abuses Microsoft OAuth device-code flow to steal M365 tokens </p> </td> <td> <p> State M365/Entra ID tenants are exposed. Victims interact with <em> legitimate </em> Microsoft URLs, bypassing URL-based phishing detection and user training. </p> </td> </tr> <tr> <td> <p> <strong> UAT-7810 </strong> (China-nexus) expands ORB relay network with new malware (LONGLEASH, DOGLEASH, JARLEASH) </p> </td> <td> <p> Targets Ruckus wireless routers. State field office equipment could be silently recruited as espionage relay nodes. </p> </td> </tr> <tr> <td> <p> <strong> Volt Typhoon / Salt Typhoon (China-nexus) maintain confirmed pre-positioning in U.S. critical infrastructure and government networks </strong> </p> </td> <td> <p> No new indicators this cycle, but known long-term persistent access via living-off-the-land techniques remains an active, unresolved threat to state agencies. </p> </td> </tr> <tr> <td> <p> <strong> 7 critical Ubiquiti UniFi OS vulnerabilities patched (lead CVE-2026-50746, CVSS 10.0) </strong> </p> </td> <td> <p> 100,000+ exposed instances globally. Russian GRU has historically targeted Ubiquiti devices. </p> </td> </tr> <tr> <td> <p> <strong> 7 ICS advisories </strong> from CISA covering Hitachi Energy, Siemens, and Digi International </p> </td> <td> <p> Digi PortServer authentication bypass directly relevant to water/wastewater SCADA serial-to-IP converters. </p> </td> </tr> <tr> <td> <p> <strong> Canada CSE annual report </strong> confirms ransomware remains the #1 disruptive cyber threat to government </p> </td> <td> <p> Coordinated law enforcement action disrupted 10 major RaaS groups — temporary suppression expected, not elimination. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 12 June 2026 </p> </td> <td> <p> VOID MANTICORE (Iranian IRGC) breaches California water utility </p> </td> <td> <p> <strong> Confirmed destructive nation-state capability against U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> 1 July 2026 </p> </td> <td> <p> CVE-2026-45659 (SharePoint RCE, CVSS 8.8) added to CISA KEV; China-nexus exploitation confirmed </p> </td> <td> <p> Active exploitation of collaboration platforms used by state agencies </p> </td> </tr> <tr> <td> <p> 6–7 July 2026 </p> </td> <td> <p> <strong> DragonForce Cartel (590 victims, 284 U.S.) and AiLock RaaS (42 victims) maintain high-tempo operations </strong> </p> </td> <td> <p> Government and public institutions explicitly targeted </p> </td> </tr> <tr> <td> <p> 7 July 2026 </p> </td> <td> <p> CVE-2026-48282 (ColdFusion CVSS 10.0) and CVE-2026-48908 (Joomla CVSS 9.8) added to CISA KEV </p> </td> <td> <p> Both actively exploited; both present in state agency environments </p> </td> </tr> <tr> <td> <p> 7 July 2026 </p> </td> <td> <p> DEBULL device-code flow toolset reported </p> </td> <td> <p> Novel M365 credential theft technique bypasses traditional defenses </p> </td> </tr> <tr> <td> <p> 7 July 2026 </p> </td> <td> <p> Cisco Talos publishes UAT-7810 ORB network expansion research </p> </td> <td> <p> China-nexus group recruiting network devices as espionage relay infrastructure </p> </td> </tr> <tr> <td> <p> 7 July 2026 </p> </td> <td> <p> <strong> Ubiquiti patches 7 critical vulnerabilities (CVSS 10.0 lead) </strong> </p> </td> <td> <p> 100,000+ globally exposed instances; historical GRU targeting of Ubiquiti </p> </td> </tr> <tr> <td> <p> 7 July 2026 </p> </td> <td> <p> CISA publishes 7 ICS advisories including Digi International auth bypass </p> </td> <td> <p> Serial-to-IP converters in SCADA environments vulnerable </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Adobe ColdFusion: CVSS 10.0 Under Active Exploitation (CVE-2026-48282) </strong>
</h3>
<p> This is the highest-priority item for any state agency running ColdFusion. The vulnerability enables unauthenticated remote code execution via path traversal — no user interaction, no credentials required. CISA's KEV addition confirms active exploitation in the wild.
</p>
<p> <strong> Why state government is uniquely exposed: </strong> ColdFusion legacy applications persist across state agencies for tax processing, licensing portals, benefits administration, and internal workflows. These applications often lack modern WAF protection and may not be inventoried in centralized asset management systems.
</p>
<p> <strong> Affected versions: </strong> ColdFusion 2025.9, 2023.20, and all earlier releases.
</p>
<p> <strong> Relevant ATT&CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1059.001 (PowerShell execution post-compromise), T1083 (File and Directory Discovery)
</p>
<h3> <strong> 2. Joomla SP Page Builder: Webshell Deployment at Scale (CVE-2026-48908) </strong>
</h3>
<p> An unauthenticated arbitrary file upload vulnerability in the SP Page Builder extension for Joomla allows attackers to deploy PHP webshells on any vulnerable instance. With a CVSS of 9.8 and confirmed active exploitation, this represents an immediate risk to state agencies using Joomla for public-facing websites.
</p>
<p> <strong> Relevant ATT&CK techniques: </strong> T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell persistence), T1059.001 (Command execution)
</p>
<h3> <strong> 3. DEBULL: A Class Break in Phishing Defense </strong>
</h3>
<p> The DEBULL toolset represents a fundamentally different phishing paradigm. It abuses Microsoft's legitimate OAuth device-code authentication flow — a mechanism designed for devices without browsers (smart TVs, IoT). The attack works as follows:
</p>
<ol> <li> Attacker initiates a device-code flow request to Microsoft </li> <li> Victim receives a phishing lure containing only a short alphanumeric code </li> <li> Victim navigates to microsoft.com/devicelogin (a <em> legitimate </em> Microsoft URL) and enters the code </li> <li> Victim completes MFA normally — because it IS a real Microsoft authentication </li> <li> Attacker receives the victim's access token, gaining persistent access to email, SharePoint, and OneDrive </li>
</ol>
<p> <strong> Why traditional defenses fail: </strong> Email security gateways look for malicious URLs — there are none. Security awareness training teaches employees to verify the URL is legitimate — it IS legitimate. MFA is not bypassed — it's completed by the victim. This requires a <em> control-plane </em> response (conditional access policy restricting device-code flow), not a user-education response.
</p>
<p> <strong> Relevant ATT&CK techniques: </strong> T1528 (Steal Application Access Token), T1078.004 (Valid Accounts: Cloud), T1114.002 (Remote Email Collection), T1550.001 (Application Access Token lateral movement)
</p>
<h3> <strong> 4. UAT-7810: China Builds Espionage Relay Networks from Your Routers </strong>
</h3>
<p> Chinese APT group UAT-7810 operates a specialized function within China's cyber ecosystem: building Operational Relay Box (ORB) networks. These are compromised network devices — specifically Ruckus wireless routers — that serve as relay infrastructure for <em> other </em> Chinese APT groups (including UAT-5918) to conduct espionage operations.
</p>
<p> New malware families disclosed by Cisco Talos:
</p>
<ul> <li> <strong> LONGLEASH </strong> — successor to SHORTLEASH, primary implant </li> <li> <strong> DOGLEASH </strong> — Linux shellcode execution framework </li> <li> <strong> JARLEASH </strong> — Java-based file management and FTP capability </li>
</ul>
<p> Payloads are compiled for MIPS, ARM, and x64 architectures, indicating broad device targeting.
</p>
<p> <strong> The unique risk for state government: </strong> If state networking equipment is recruited into an ORB network, the state becomes <em> unwitting infrastructure </em> in espionage operations against third parties. This creates reputational and potentially legal liability beyond traditional breach scenarios. The compromised device may show no performance degradation — the state would never know without proactive monitoring.
</p>
<p> <strong> Relevant ATT&CK techniques: </strong> T1584.005 (Compromise Infrastructure: Botnet), T1190 (Exploit Public-Facing Application), T1090.003 (Multi-hop Proxy)
</p>
<h3> <strong> 5. Ubiquiti UniFi OS: Seven Critical Vulnerabilities, 100K+ Exposed Instances </strong>
</h3>
<p> Ubiquiti patched seven critical vulnerabilities led by CVE-2026-50746 (CVSS 10.0, command injection). Affected products include UniFi Connect, Talk, Access, and Protect. Censys identifies over 100,000 exposed instances globally, with approximately 50,000 in the United States.
</p>
<p> <strong> Historical context: </strong> Russian GRU previously weaponized Ubiquiti devices via the Moobot botnet. CISA mandated 3-day patching for earlier UniFi flaws. The combination of massive exposure, trivial exploitation, and nation-state interest makes rapid weaponization highly likely.
</p>
<h3> <strong> 6. Persistent Nation-State Pre-Positioning: Volt Typhoon and Salt Typhoon </strong>
</h3>
<p> While no new indicators emerged this cycle for Volt Typhoon or Salt Typhoon (both China-nexus), their known pre-positioning in U.S. critical infrastructure — including government networks — remains an active concern. These groups specialize in living-off-the-land (LOTL) techniques that evade traditional detection. Silence from these actors is not reassuring; it is consistent with their operational methodology of maintaining long-term persistent access without triggering alerts.
</p>
<h3> <strong> 7. Ransomware: Suppressed but Not Eliminated </strong>
</h3>
<p> The Canada CSE annual report confirms that coordinated law enforcement action disrupted 10 major ransomware-as-a-service groups. This likely explains the temporary lull in new government-targeting ransomware incidents. However, historical precedent shows these groups reconstitute within 30–60 days, often under new branding. DragonForce Cartel (590 total victims, 284 in the U.S.), AiLock RaaS (42 victims), and Play ransomware remain active threats to state and local government.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Exploitation attempts against CVE-2026-48282 hit state ColdFusion instances </p> </td> <td> <p> <strong> 75% </strong> </p> </td> <td> <p> 72 hours </p> </td> <td> <p> KEV confirmation + public PoC availability + legacy state deployments </p> </td> </tr> <tr> <td> <p> Ubiquiti CVEs weaponized in the wild </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> CISA's prior 3-day mandate pattern for UniFi flaws + massive attack surface </p> </td> </tr> <tr> <td> <p> Ransomware incident affecting a U.S. state or local government entity </p> </td> <td> <p> <strong> 65–75% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Operationalized FortiBleed credentials + RaaS affiliate reconstitution </p> </td> </tr> <tr> <td> <p> DEBULL or similar device-code flow tools used against government M365 tenants </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> <strong> Novel technique still in early adoption; government is high-value target </strong> </p> </td> </tr> <tr> <td> <p> Suppressed RaaS groups reconstitute under new branding </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> 30–60 days </p> </td> <td> <p> Historical pattern following law enforcement disruption </p> </td> </tr> <tr> <td> <p> State network devices recruited into Chinese ORB infrastructure (undetected) </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> UAT-7810 actively expanding; Ruckus/Ubiquiti present in state environments </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<ol> <li> <strong> Device-Code Flow Abuse (DEBULL) </strong> </li>
</ol>
<ul> <li> <strong> What to monitor: </strong> Entra ID sign-in logs for grant_type=urn:ietf:params:oauth:grant-type:device_code </li> <li> <strong> Hunting hypothesis: </strong> Legitimate device-code flow usage in a state agency should be near-zero (it's designed for browserless devices). Any spike in device-code authentications — especially from user accounts rather than service principals — indicates potential compromise. </li> <li> <strong> Detection logic: </strong> Alert on device-code flow authentications where: (a) the user has never used this flow before, (b) the source IP is outside expected ranges, or (c) volume exceeds baseline by >2 standard deviations. </li> <li> <strong> ATT&CK: </strong> T1528, T1078.004 </li>
</ul>
<ol start="2"> <li> <strong> ColdFusion Exploitation (CVE-2026-48282) </strong> </li>
</ol>
<ul> <li> <strong> What to monitor: </strong> Web server logs for path traversal patterns (../, ..%2f, ..%252f) targeting ColdFusion endpoints; unexpected process spawning from ColdFusion service accounts (cfusion, coldfusion); new files in webroot directories. </li> <li> <strong> Hunting hypothesis: </strong> If ColdFusion instances are internet-facing, assume scanning has already occurred. Hunt for evidence of successful exploitation: webshells, reverse shells, or reconnaissance commands executed under the ColdFusion service context. </li> <li> <strong> ATT&CK: </strong> T1190, T1059.001, T1083 </li>
</ul>
<ol start="3"> <li> <strong> Joomla Webshell Deployment (CVE-2026-48908) </strong> </li>
</ol>
<ul> <li> <strong> What to monitor: </strong> File integrity monitoring on Joomla webroot directories; HTTP POST requests to SP Page Builder's uploadcustomicon endpoint; new .php files created in upload directories. </li> <li> <strong> Hunting hypothesis: </strong> Scan all Joomla instances for recently created PHP files in non-standard locations. Any PHP file created after June 2026 in upload/icon directories warrants immediate investigation. </li> <li> <strong> ATT&CK: </strong> T1190, T1505.003 </li>
</ul>
<ol start="4"> <li> <strong> ORB Network Recruitment (UAT-7810) </strong> </li>
</ol>
<ul> <li> <strong> What to monitor: </strong> Unexpected outbound connections from Ruckus APs and Ubiquiti devices to non-vendor IPs; firmware integrity changes; new scheduled tasks or cron jobs on network devices; DNS queries from infrastructure devices to unusual domains. </li> <li> <strong> Hunting hypothesis: </strong> Network devices should have predictable communication patterns (NTP, firmware updates, management plane). Any outbound connection to non-whitelisted destinations — particularly on non-standard ports — from a Ruckus or Ubiquiti device indicates potential ORB recruitment. </li> <li> <strong> ATT&CK: </strong> T1584.005, T1090.003 </li>
</ul>
<ol start="5"> <li> <strong> Volt Typhoon / Salt Typhoon LOTL Activity </strong> </li>
</ol>
<ul> <li> <strong> What to monitor: </strong> Anomalous use of native administration tools (ntdsutil, netsh, wmic, PowerShell) on network infrastructure; new local accounts on edge devices; scheduled tasks created outside change windows; VPN authentication from unexpected geographic locations. </li> <li> <strong> Hunting hypothesis: </strong> These actors avoid custom malware. Hunt for legitimate tool usage at unusual times, from unusual accounts, or targeting unusual systems. Focus on Cisco SD-WAN and Fortinet edge devices. </li> <li> <strong> ATT&CK: </strong> T1059.001, T1053.005, T1078 </li>
</ul>
<h3> <strong> Indicators to Block/Monitor </strong>
</h3>
<p> IOCs associated with the campaigns discussed in this report — including file hashes, IP addresses, and additional domains — are available through Anomali ThreatStream Next-Gen and partner feeds. Analysts should query ThreatStream Next-Gen for indicators tagged to UAT-7810, DEBULL, CVE-2026-48282, CVE-2026-48908, and CVE-2026-50746 for the most current and verified blocking lists. Contact your Anomali account team for access or to request a curated indicator export for your SIEM/EDR platform.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong>
</h3>
<ul> <li> <strong> Primary risk: </strong> ColdFusion exploitation (CVE-2026-48282). Tax processing and revenue applications frequently run on legacy ColdFusion. A compromise could expose taxpayer PII/financial data and disrupt revenue collection. </li> <li> <strong> Action: </strong> Emergency patch all ColdFusion instances supporting financial applications. Deploy WAF rules blocking path traversal patterns. Implement network segmentation isolating ColdFusion servers from databases containing taxpayer records. </li> <li> <strong> Secondary risk: </strong> DEBULL M365 token theft targeting finance staff with access to payment systems and wire transfer approvals. </li>
</ul>
<h3> <strong> Energy (State Energy Office, Grid Coordination, Utility Oversight) </strong>
</h3>
<ul> <li> <strong> Primary risk: </strong> ICS vulnerabilities in Hitachi Energy e-mesh EMS (buffer overflow) and PROMOD V (insecure HTTP). States coordinating with utilities on grid operations may have these systems in their environment or connected networks. </li> <li> <strong> Action: </strong> Verify whether Hitachi Energy products are deployed in state-coordinated energy management. Apply vendor patches. Ensure SCADA/EMS systems are air-gapped or segmented from enterprise IT networks. </li> <li> <strong> Secondary risk: </strong> Volt Typhoon pre-positioning in energy infrastructure for potential disruption during geopolitical crisis. </li>
</ul>
<h3> <strong> Healthcare (Medicaid, State Health Agencies, Public Health Systems) </strong>
</h3>
<ul> <li> <strong> Primary risk: </strong> Ransomware. Healthcare and public health agencies remain primary targets for DragonForce, AiLock, and Play ransomware groups. Medicaid systems containing PHI for millions of residents are high-value targets. </li> <li> <strong> Action: </strong> Validate offline backup integrity for Medicaid and vital records systems. Ensure incident response playbooks include healthcare-specific regulatory notification requirements (HIPAA, state breach notification). Test failover procedures for critical health systems. </li> <li> <strong> Secondary risk: </strong> M365 credential theft (DEBULL) targeting health agency staff with access to PHI. </li>
</ul>
<h3> <strong> Government (All Executive Branch Agencies) </strong>
</h3>
<ul> <li> <strong> Primary risk: </strong> Multi-vector. State agencies face simultaneous exposure to ColdFusion RCE, Joomla webshell deployment, M365 credential theft, and ransomware. The breadth of the attack surface — combined with budget-constrained patching cycles — creates compounding risk. </li> <li> <strong> Action: </strong> Prioritize patching by internet exposure: ColdFusion and Joomla instances facing the internet are highest priority. Restrict device-code flow in Entra ID tenant-wide. Ensure all agencies have reported their ColdFusion and Joomla inventories to the central security team. </li> <li> <strong> Secondary risk: </strong> Chinese APT pre-positioning (Volt Typhoon, Salt Typhoon) for potential disruption of government services during a geopolitical crisis. </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Airport Authorities, Port Operations) </strong>
</h3>
<ul> <li> <strong> Primary risk: </strong> ICS/OT vulnerabilities. Digi International PortServer authentication bypass affects serial-to-IP converters used in transportation SCADA (traffic management, bridge controls, port operations). Siemens RUGGEDCOM vulnerabilities affect industrial networking equipment common in transportation infrastructure. </li> <li> <strong> Action: </strong> Inventory Digi International and Siemens RUGGEDCOM devices in transportation infrastructure. Apply patches. Ensure OT networks are segmented from IT networks with monitored jump hosts for administrative access. </li> <li> <strong> Secondary risk: </strong> Ubiquiti vulnerabilities in airport/port facility networking equipment. ORB network recruitment of networking devices at transportation facilities. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 48 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch Adobe ColdFusion </strong> to versions 2025.10+ / 2023.21+ across ALL agencies. CVE-2026-48282 is CVSS 10.0 with confirmed active exploitation. Inventory all ColdFusion instances including shadow IT deployments. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Inventory and patch all Joomla instances </strong> with SP Page Builder extension. CVE-2026-48908 (CVSS 9.8) is actively exploited for webshell deployment. Disable uploadcustomicon functionality immediately if patch is unavailable. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> Identity / SOC </p> </td> <td> <p> <strong> Restrict device-code flow </strong> in Entra ID conditional access policies. Block grant_type=urn:ietf:params:oauth:grant-type:device_code for all user accounts. Whitelist only verified service accounts that require it. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Create detection alerts </strong> for device-code flow authentications from unexpected locations, devices, or user accounts in Entra ID sign-in logs. </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Executive / IR </p> </td> <td> <p> <strong> Pre-authorize emergency patching windows </strong> for ColdFusion and Joomla across all agencies. Communicate to agency heads that downtime for patching is authorized and expected. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 6 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Update all Ubiquiti UniFi OS devices </strong> to latest firmware. Audit internet-exposed UniFi management interfaces using Censys/Shodan. Segment management interfaces to dedicated VLAN unreachable from the internet. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> Network Operations </p> </td> <td> <p> <strong> Inventory Ruckus wireless access points </strong> across all state facilities. Verify firmware currency. Monitor for unexpected outbound connections (indicator of UAT-7810 ORB recruitment). </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> OT / SCADA Teams </p> </td> <td> <p> <strong> Audit Digi International PortServer TS and Digi One SP IA </strong> serial-to-IP converters in water/wastewater and transportation SCADA environments. Apply vendor patches for authentication bypass vulnerability. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Establish baseline </strong> for device-code flow usage across state M365 tenant. Export 30 days of Entra ID sign-in logs filtered to this grant type. Create anomaly detection rule. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> IR / Legal </p> </td> <td> <p> <strong> Review and update incident response playbooks </strong> to account for: (a) ColdFusion webshell scenarios, (b) M365 token theft without traditional phishing indicators, (c) discovery that state devices are part of foreign espionage relay infrastructure. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 11 </p> </td> <td> <p> CISO / SOC </p> </td> <td> <p> <strong> Commission proactive threat hunt </strong> for Volt Typhoon / Salt Typhoon living-off-the-land indicators across Cisco SD-WAN, Fortinet edge devices, and network infrastructure. Focus on anomalous admin account usage and scheduled task creation. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> Security Awareness </p> </td> <td> <p> <strong> Develop training module </strong> on device-code flow phishing. Employees must understand that legitimate Microsoft URLs can be weaponized if they didn't initiate the authentication request. </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> CISO / Architecture </p> </td> <td> <p> <strong> Develop ColdFusion sunset roadmap. </strong> Today's CVSS 10.0 KEV validates what has been a persistent risk. Begin planning migration of legacy ColdFusion applications to modern, supported frameworks. </p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> Network Architecture </p> </td> <td> <p> <strong> Implement network device integrity monitoring </strong> for all Ruckus, Ubiquiti, and Cisco equipment. Establish firmware hash baselines and alert on unauthorized changes. This addresses both ORB recruitment and Volt Typhoon pre-positioning. </p> </td> </tr> <tr> <td> <p> 15 </p> </td> <td> <p> CISO / Budget </p> </td> <td> <p> <strong> Evaluate ransomware readiness posture </strong> given expected RaaS group reconstitution within 30–60 days. Validate backup integrity, test restoration procedures, and confirm cyber insurance coverage and notification procedures. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government networks has materially intensified. Two CISA KEV additions targeting software deployed across state agencies, a novel credential theft technique that defeats existing phishing defenses, confirmed Chinese APT pre-positioning via living-off-the-land techniques, and active ORB network expansion create a compressed and multi-front decision window.
</p>
<p> The ColdFusion patching decision is binary: patch within 48 hours or accept significant probability of compromise. There is no middle ground when a CVSS 10.0 vulnerability with confirmed active exploitation targets production systems.
</p>
<p> The DEBULL device-code flow technique signals a broader shift — adversaries are moving to attack patterns where every component the user sees is legitimate. Policy-level controls (conditional access restrictions) must replace reliance on user vigilance.
</p>
<p> The ORB network expansion introduces a risk category many state leaders have not yet considered: your infrastructure being used as a weapon against others without your knowledge. Proactive network device monitoring is no longer optional.
</p>
<p> The decisions made this week — on patching authority, conditional access policy, and threat hunting investment — will determine whether your state is reading about the next government breach or responding to one.
</p>
<p> <em> Published 8 July 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional context, contact your Anomali account team. </em>
</p>