<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> (Unchanged from prior cycle. Escalation to HIGH remains possible within 72 hours pending confirmation of SimpleHelp exploitation against government targets or a new state-sector ransomware incident.) </em>
</p>
<h2> <strong> Executive Summary </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate attention. A perfect-10 CVSS vulnerability in SimpleHelp remote support software — now confirmed exploited in the wild — could give attackers unauthenticated access to the very tools your help desk uses to manage every endpoint in your environment. Simultaneously, the Akira ransomware group has fundamentally shifted tactics: they're no longer breaking in through unpatched VPNs — they're <em> buying </em> your administrators' stolen credentials on criminal marketplaces. And Russian intelligence services continue phishing government officials through the commercial messaging apps many of us use daily.
</p>
<p> Three critical or high-severity vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog in just five days. A municipal government in Maine remains shuttered after a network breach that may be part of a broader regional campaign. The message is clear: the threat actors are adapting faster than many government security programs.
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Jun 29 </strong> </p> </td> <td> <p> CISA adds CVE-2026-48558 (SimpleHelp auth bypass, CVSS 10.0) to KEV catalog </p> </td> <td> <p> Remote support tools used by state IT and MSPs can be fully compromised without credentials </p> </td> </tr> <tr> <td> <p> <strong> Jun 28 </strong> </p> </td> <td> <p> Qilin ransomware claims new U.S. victim (Futuredontics/1-800-DENTIST) </p> </td> <td> <p> Confirms Qilin's sustained U.S. operational tempo; affiliates can pivot to any sector </p> </td> </tr> <tr> <td> <p> <strong> Jun 30 </strong> </p> </td> <td> <p> Akira & Lynx ransomware confirmed targeting MSPs via purchased admin credentials </p> </td> <td> <p> Patching alone no longer mitigates ransomware risk — credential hygiene is now primary control </p> </td> </tr> <tr> <td> <p> <strong> Jun 26 </strong> </p> </td> <td> <p> CISA/FBI updated advisory: Russian Intelligence Services targeting commercial messaging apps </p> </td> <td> <p> Government officials using Signal, WhatsApp, Telegram remain active targets </p> </td> </tr> <tr> <td> <p> <strong> Late Jun </strong> </p> </td> <td> <p> Bar Harbor, ME municipal government network breach — offices remain closed </p> </td> <td> <p> Possible indicator of regional campaign targeting New England municipalities </p> </td> </tr> <tr> <td> <p> <strong> Jun 25 </strong> </p> </td> <td> <p> CVE-2026-12569 (CVSS 9.8) and CVE-2026-34197 (CVSS 8.8) added to KEV </p> </td> <td> <p> <strong> Apache ActiveMQ RCE and additional critical vulns require immediate patching </strong> </p> </td> </tr> <tr> <td> <p> <strong> Ongoing (2026) </strong> </p> </td> <td> <p> Salt Typhoon / Genesis Panda (China) expanding exploitation of CVE-2025-53770 in government SharePoint environments </p> </td> <td> <p> Active multi-campaign threat to 
state and federal SharePoint infrastructure; 4+ campaigns tracked </p> </td> </tr> <tr> <td> <p> <strong> Jun 12 </strong> </p> </td> <td> <p> VOID MANTICORE (Iran/IRGC) confirms breach of California water utility </p> </td> <td> <p> <strong> Validates Iranian capability and intent against U.S. critical infrastructure; heightened risk to water sector </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Actor/Campaign </strong> </p> </th> <th> <p> <strong> Target </strong> </p> </th> <th> <p> <strong> Status </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Ongoing (2026) </strong> </p> </td> <td> <p> Salt Typhoon / Genesis Panda (China) </p> </td> <td> <p> Government SharePoint environments </p> </td> <td> <p> Active — CVE-2025-53770 exploitation across 4+ campaigns </p> </td> </tr> <tr> <td> <p> <strong> Jun 29 </strong> </p> </td> <td> <p> Unattributed (TaskWeaver chain) </p> </td> <td> <p> SimpleHelp remote support deployments </p> </td> <td> <p> Active exploitation confirmed </p> </td> </tr> <tr> <td> <p> <strong> Jun 28 </strong> </p> </td> <td> <p> Qilin RaaS </p> </td> <td> <p> U.S. commercial/healthcare </p> </td> <td> <p> Active — new victim claimed </p> </td> </tr> <tr> <td> <p> <strong> Jun 26 </strong> </p> </td> <td> <p> Russian Intelligence Services (APT29/SVR, GRU) </p> </td> <td> <p> Government officials' messaging apps </p> </td> <td> <p> Active — CISA/FBI advisory updated </p> </td> </tr> <tr> <td> <p> <strong> Jun 22–24 </strong> </p> </td> <td> <p> Salt Typhoon / Genesis Panda </p> </td> <td> <p> Government SharePoint (hybrid) </p> </td> <td> <p> Expanded campaign activity </p> </td> </tr> <tr> <td> <p> <strong> Jun 12 </strong> </p> </td> <td> <p> VOID MANTICORE (Iran/IRGC) </p> </td> <td> <p> California water utility </p> </td> <td> <p> <strong> Confirmed breach — validates Iranian capability against U.S. 
critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> <strong> Late Jun </strong> </p> </td> <td> <p> Akira / Lynx ransomware </p> </td> <td> <p> Managed Service Providers </p> </td> <td> <p> Active — credential purchase as primary vector </p> </td> </tr> <tr> <td> <p> <strong> Late Jun </strong> </p> </td> <td> <p> Unattributed </p> </td> <td> <p> Bar Harbor, ME municipal government </p> </td> <td> <p> Active — forensics ongoing, "regional campaign" referenced </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. CVE-2026-48558: SimpleHelp Authentication Bypass (CVSS 10.0) </strong>
</h3>
<p> This is the most urgent finding for any state agency or MSP using SimpleHelp remote support software. When OIDC authentication is configured, the software accepts identity tokens <strong> without verifying cryptographic signatures </strong> . An attacker can forge a token, obtain a fully authenticated technician session, and bypass MFA entirely — all without valid credentials.
</p>
<p> <strong> Why this matters for state government: </strong> Remote support tools are the skeleton keys of IT operations. A compromised SimpleHelp instance gives an attacker the same access as your most privileged help desk technician — to every endpoint they can reach. Security firm Blackpoint Cyber has already documented a "TaskWeaver" Node.js intrusion chain leveraging this vulnerability.
</p>
<p> <strong> Affected versions: </strong> SimpleHelp ≤5.5.15 and 6.0 pre-release builds.
</p>
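<p> The failure described above, an identity token whose claims are trusted without checking the signature, is easiest to see next to its hardened counterpart. The following Python is an added example for this report, not SimpleHelp code and not a description of SimpleHelp's internals; the issuer URL, audience string and shared key are constructed placeholders, and HS256 is used instead of the RS256/ES256 a real OIDC provider publishes through its JWKS only so the example runs with the standard library alone. </p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the illustration. A real OIDC relying party would
# fetch the provider's public keys (JWKS) and verify RS256/ES256 signatures;
# HS256 with a shared key is used here only because it needs no extra library.
SECRET = b"constructed-demo-key-not-for-production"
EXPECTED_ISSUER = "https://idp.example.gov"    # hypothetical issuer URL
EXPECTED_AUDIENCE = "remote-support-console"   # hypothetical client_id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, key=SECRET, alg="HS256"):
    """Build a JWT-style ID token; used here only to construct sample inputs."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def decode_unverified(token):
    """Weak pattern: read the claims and trust them without checking the signature.
    Whoever can produce base64 can claim to be any technician."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))

def verify_token(token, key=SECRET, now=None):
    """Hardened pattern: pinned algorithm, signature check, then issuer,
    audience and expiry. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side so the token cannot pick 'none' or downgrade.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def accepted(token, now=None):
    """True if the hardened verifier would grant a session for this token."""
    try:
        verify_token(token, now=now)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    now = time.time()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "tech01", "exp": now + 600}
    forged = mint_token(dict(base, sub="attacker"), key=b"attacker-chosen-key")
    print("unverified decode trusts:", decode_unverified(forged)["sub"])
    print("hardened verifier accepts forged token:", accepted(forged, now))
    print("hardened verifier accepts genuine token:", accepted(mint_token(base), now))
```

<p> The ordering in <code> verify_token </code> is the point: the algorithm is pinned by the server, the signature is checked before any claim is read, and only then are issuer, audience and expiry compared against values the application already knows. An MFA step at the identity provider is worthless if the relying party skips the signature check, which is why the advisory's "bypass MFA entirely" follows directly from the missing verification. </p>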
<h3> <strong> 2. Akira & Lynx Ransomware: The Credential Pivot </strong>
</h3>
<p> Akira (220+ victims) and Lynx (~145 victims, incorporating leaked LockBit source code) have shifted their primary initial access vector from exploiting VPN vulnerabilities to <strong> purchasing stolen administrator credentials </strong> from criminal marketplaces. When credentials fail, they fall back to exfiltration using whitelisted tools that bypass endpoint detection.
</p>
<p> <strong> Why this matters: </strong> Your perimeter patching program — while still essential — no longer stops these groups. They're logging in as your administrators. Double extortion (encrypt + leak) remains their model, with shadow copy deletion to prevent recovery.
</p>
<h3> <strong> 3. Russian Intelligence Services: Messaging App Credential Harvesting </strong>
</h3>
<p> The June 26 CISA/FBI advisory confirms that Russian Intelligence Services continue targeting government officials through phishing campaigns aimed at commercial messaging applications (Signal, WhatsApp, Telegram). The goal is credential theft and session hijacking — enabling persistent access to officials' private communications.
</p>
<h3> <strong> 4. Bar Harbor Municipal Breach: Canary in the Coal Mine </strong>
</h3>
<p> Bar Harbor, Maine's town offices remain closed after a network breach. Notably, <strong> no malware, encryption, or deletion was detected </strong> — suggesting credential-based intrusion or data theft rather than ransomware. Town officials referenced a "large-scale malicious effort in the region," suggesting multiple New England municipalities may be affected. Their air-gapped SCADA systems for water/wastewater remained operational — a validation of proper network segmentation.
</p>
<h3> <strong> 5. Nation-State Pre-Positioning Continues </strong>
</h3>
<p> Salt Typhoon and Genesis Panda (China-nexus) continue exploiting CVE-2025-53770 in SharePoint environments across government targets. VOID MANTICORE (Iran/IRGC) confirmed a breach of a California water utility on June 12. Volt Typhoon activity remains absent from detection — which, given their documented "living off the land" pre-positioning doctrine, is not reassuring. Absence of detection is consistent with successful, undetected access.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional CISA KEV additions this week (given 3 in 5 days) </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Tempo analysis; CVE-2026-31431 (Linux kernel, CVSS 7.8) shows active exploitation indicators </p> </td> </tr> <tr> <td> <p> Bar Harbor forensics reveals credential-based access linked to known RaaS affiliate </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> No malware detected + "regional campaign" language + credential-based access pattern </p> </td> </tr> <tr> <td> <p> CISA issues Binding Operational Directive on remote support/RMM tool security </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> SimpleHelp KEV + broader RMM abuse trend (ConnectWise, AnyDesk incidents in 2025) </p> </td> </tr> <tr> <td> <p> State-sector ransomware incident within 30 days leveraging MSP credential access </p> </td> <td> <p> <strong> 45% </strong> </p> </td> <td> <p> Akira/Lynx MSP targeting + state government MSP dependency + credential marketplace activity </p> </td> </tr> <tr> <td> <p> Additional New England municipal breaches disclosed </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> "Regional campaign" language from Bar Harbor officials + typical campaign breadth </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> What to Hunt </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> T1190 </strong> (Exploit Public-Facing Application) </p> </td> <td> <p> SimpleHelp technician sessions created without corresponding Azure AD/Entra ID authentication events </p> </td> <td> <p> Correlate SimpleHelp session logs with identity provider authentication logs — alert on sessions with no matching auth event </p> </td> </tr> <tr> <td> <p> <strong> T1078 </strong> (Valid Accounts) </p> </td> <td> <p> Admin credential use from unexpected geolocations, at unusual hours, or from non-state IP ranges </p> </td> <td> <p> Baseline admin logon patterns for VPN, RDP, and remote support tools — alert on statistical anomalies </p> </td> </tr> <tr> <td> <p> <strong> T1563.001 </strong> (Remote Service Session Hijacking) </p> </td> <td> <p> SimpleHelp sessions initiated from IP addresses outside state-managed ranges </p> </td> <td> <p> GeoIP enrichment on all remote support session source IPs </p> </td> </tr> <tr> <td> <p> <strong> T1566.002 </strong> (Spearphishing Link) </p> </td> <td> <p> Phishing links targeting messaging app OAuth flows (Signal, WhatsApp, Telegram web interfaces) </p> </td> <td> <p> Monitor email gateway and web proxy for URLs matching messaging app login pages served from non-official domains </p> </td> </tr> <tr> <td> <p> <strong> T1486 </strong> (Data Encrypted for Impact) </p> </td> <td> <p> Volume shadow copy deletion, mass file rename operations </p> </td> <td> <p> Monitor for vssadmin delete shadows, wmic shadowcopy delete, and rapid file extension changes across network shares </p> </td> </tr> <tr> <td> <p> <strong> T1490 </strong> (Inhibit System Recovery) </p> </td> <td> <p> Backup service disruption, shadow copy deletion </p> </td> <td> <p> Alert on backup agent service stops, VSS writer failures, and backup 
console access from non-backup-admin accounts </p> </td> </tr> <tr> <td> <p> <strong> T1562.001 </strong> (Impair Defenses) </p> </td> <td> <p> EDR/AV service tampering, SentinelOne binary sideloading (Cephalus TTP) </p> </td> <td> <p> Monitor for DLL sideloading attempts using legitimate security vendor binaries; alert on security service stops </p> </td> </tr> </tbody>
</table>
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ol> <li> <strong> "Do we have SimpleHelp?" </strong> — Query asset inventory, software deployment tools, and MSP contracts for any SimpleHelp instance. Check for processes named after SimpleHelp components on endpoints. If found, verify version immediately. </li> <li> <strong> "Are stolen admin credentials being used?" </strong> — Pull all VPN and RDP admin logons for the past 14 days. Flag any that originate from commercial VPN exit nodes, TOR, or residential proxy services. Cross-reference with credential breach databases. </li> <li> <strong> "Is anyone forging OIDC tokens?" </strong> — Review OIDC/OAuth token validation logs for any remote support or SaaS application. Look for tokens with unusual issuers, missing signatures, or claims that don't match known user attributes. </li> <li> <strong> "Are MSP access paths being abused?" </strong> — Audit all MSP remote access sessions for the past 30 days. Flag sessions outside contracted maintenance windows or accessing systems outside the MSP's scope of work. </li>
</ol>
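<p> Three of the detection-priority rows above (T1190 session-without-IdP-auth correlation, T1078/T1563.001 source and timing anomalies, T1486/T1490 shadow copy deletion) and hunting hypotheses 1 through 3 reduce to the same kind of logic: join or filter log records against a known baseline. The Python below is an added example written for this report, not a vendor rule set; the log field names, the state-managed and MSP IP ranges (RFC 5737 documentation addresses), the business-hours baseline and every log line are constructed placeholders to be mapped onto your SimpleHelp, VPN/RDP, identity-provider and endpoint telemetry. </p>

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample data and placeholder ranges. Field names are hypothetical:
# map them onto your SimpleHelp, VPN/RDP, IdP and EDR log schemas.
STATE_RANGES = [ipaddress.ip_network("198.51.100.0/24"),  # placeholder: state-managed
                ipaddress.ip_network("203.0.113.0/24")]    # placeholder: contracted MSP
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59; replace with your own baseline
AUTH_WINDOW = timedelta(minutes=10)    # how long after an IdP sign-in a session may start

IDP_AUTH_EVENTS = [  # identity-provider sign-in log (constructed)
    {"user": "tech01", "time": "2026-06-29T09:58:10", "result": "success"},
    {"user": "tech02", "time": "2026-06-29T10:14:00", "result": "failure"},
]
REMOTE_SESSIONS = [  # SimpleHelp technician sessions (constructed)
    {"user": "tech01", "time": "2026-06-29T10:00:05", "src_ip": "198.51.100.23"},
    {"user": "tech02", "time": "2026-06-29T10:15:00", "src_ip": "198.51.100.40"},
    {"user": "tech01", "time": "2026-06-29T23:40:00", "src_ip": "192.0.2.77"},
]
ADMIN_LOGONS = [  # VPN/RDP administrator logons (constructed)
    {"user": "admin7", "time": "2026-06-29T14:03:01", "src_ip": "198.51.100.9", "service": "vpn"},
    {"user": "admin7", "time": "2026-06-30T03:12:50", "src_ip": "192.0.2.200", "service": "rdp"},
]
PROCESS_EVENTS = [  # endpoint process-creation events (constructed)
    {"host": "fs01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws12", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"host": "fs02", "cmdline": "wmic shadowcopy delete"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def sessions_without_idp_auth(sessions, auth_events, window=AUTH_WINDOW):
    """T1190 hunt: technician sessions with no successful IdP sign-in by the same
    user inside the preceding window. A forged token yields a session record at
    the remote support tool but no sign-in at the identity provider."""
    successes = [(e["user"], _ts(e["time"])) for e in auth_events if e["result"] == "success"]
    orphans = []
    for s in sessions:
        start = _ts(s["time"])
        if not any(u == s["user"] and start - window <= t <= start for u, t in successes):
            orphans.append(s)
    return orphans

def source_anomalies(records):
    """T1078 / T1563.001 hunt: access from outside state-managed ranges or outside
    the business-hours baseline. Works on any record with src_ip and time."""
    flagged = []
    for r in records:
        reasons = []
        ip = ipaddress.ip_address(r["src_ip"])
        if not any(ip in net for net in STATE_RANGES):
            reasons.append("outside_state_ranges")
        if _ts(r["time"]).hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            flagged.append((r, reasons))
    return flagged

# Matches the two command forms named in the detection table, with or without .exe.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.IGNORECASE)

def shadow_copy_deletions(events):
    """T1486 / T1490 hunt: process command lines that delete volume shadow copies."""
    return [e for e in events if SHADOW_DELETE.search(e["cmdline"])]

if __name__ == "__main__":
    for s in sessions_without_idp_auth(REMOTE_SESSIONS, IDP_AUTH_EVENTS):
        print("SESSION WITHOUT IDP AUTH:", s)
    for r, why in source_anomalies(ADMIN_LOGONS + REMOTE_SESSIONS):
        print("SOURCE ANOMALY:", r, why)
    for e in shadow_copy_deletions(PROCESS_EVENTS):
        print("SHADOW COPY DELETION:", e)
```

<p> Two design choices carry over to a production rule. The session correlation keys on user and a bounded time window rather than on exact timestamps, because the IdP and the support tool log independently; widen <code> AUTH_WINDOW </code> to match your observed sign-in-to-session latency before trusting the alert volume. The source check runs unchanged over VPN logons and remote support sessions, which is the same "who, from where, at what time" baseline the hunting hypotheses ask for, and the range list is where contracted MSP egress addresses belong so that legitimate vendor access does not page the SOC. </p>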
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Government (State & Local Agencies) </strong>
</h3>
<ul> <li> <strong> Immediate: </strong> Inventory all remote support tools across agencies and MSPs. Confirm SimpleHelp is not in use or is patched above 5.5.15. </li> <li> <strong> 7-Day: </strong> Issue threat advisory to municipal IT directors regarding the Bar Harbor breach and potential regional campaign. Offer state forensic support resources. </li> <li> <strong> 30-Day: </strong> Implement behavioral analytics on privileged account usage — focus on detecting credential-based access that bypasses perimeter controls. </li> <li> <strong> Key risk: </strong> Municipal governments in your jurisdiction may be compromised and serve as pivot points into state shared services. </li>
</ul>
<h3> <strong> Financial Services (State Treasury, Revenue, Pension Systems) </strong>
</h3>
<ul> <li> <strong> Immediate: </strong> Verify that financial system admin accounts have hardware token MFA (not SMS/OIDC alone). Akira's credential purchase vector targets high-value admin accounts. </li> <li> <strong> 7-Day: </strong> Review Salesforce instances used for constituent financial services against ShinyHunters/UNC6040 campaign indicators. Implement IP allowlisting. </li> <li> <strong> 30-Day: </strong> Conduct tabletop exercise simulating ransomware encryption of financial processing systems during peak tax season. </li> <li> <strong> Key risk: </strong> Bar Harbor froze financial accounts as precaution — your treasury systems need tested isolation procedures. </li>
</ul>
<h3> <strong> Energy & Water/Wastewater (Critical Infrastructure) </strong>
</h3>
<ul> <li> <strong> Immediate: </strong> Validate air-gap and network segmentation for all SCADA/ICS systems (Yokogawa, Schneider, Honeywell). Bar Harbor's air-gap saved their water systems — confirm yours would do the same. </li> <li> <strong> 7-Day: </strong> Review ICS advisory content from CISA's June 26 batch (6 ICS advisories issued). Patch or mitigate as applicable. </li> <li> <strong> 30-Day: </strong> Conduct network segmentation penetration test specifically targeting IT-to-OT boundary crossings. </li> <li> <strong> Key risk: </strong> VOID MANTICORE's confirmed California water utility breach (Jun 12) validates Iranian capability and intent against U.S. water infrastructure. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Immediate: </strong> Qilin's continued U.S. healthcare-adjacent targeting (Futuredontics, Jun 28) confirms the sector remains in the crosshairs. Verify backup integrity and test restoration procedures. </li> <li> <strong> 7-Day: </strong> Audit all third-party remote access to health systems — telehealth platforms, medical device vendors, and IT support tools. </li> <li> <strong> 30-Day: </strong> Review data loss prevention controls for citizen health records (Medicaid, public health databases). Double extortion means data theft precedes encryption. </li> <li> <strong> Key risk: </strong> Healthcare data commands premium prices on criminal marketplaces, making state health agencies high-value targets for RaaS affiliates. </li>
</ul>
<h3> <strong> Aviation & Logistics (State DOT, Airports, Transit) </strong>
</h3>
<ul> <li> <strong> Immediate: </strong> Review Daktronics controller deployments (traffic signage, airport displays) against CISA ICS advisory for root access vulnerability. </li> <li> <strong> 7-Day: </strong> Audit EV charging station infrastructure (EVoke vulnerabilities) if deployed at state facilities or transit hubs. </li> <li> <strong> 30-Day: </strong> Assess supply chain risk from logistics software providers — Akira's MSP targeting could reach transportation management systems through vendor access. </li> <li> <strong> Key risk: </strong> China-nexus pre-positioning (Volt Typhoon doctrine) specifically targets transportation infrastructure for disruption capability during geopolitical crisis. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Confirm or deny SimpleHelp presence </strong> in state infrastructure and all MSP environments. If present at version ≤5.5.15, disable OIDC authentication or upgrade immediately per CISA KEV deadline. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy detection </strong> for SimpleHelp technician sessions created without corresponding identity provider authentication events. Alert on sessions from non-state IP ranges. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Create alerting rule </strong> for admin credential use from unexpected geolocations or at unusual hours — specifically VPN and RDP admin logons. Akira's primary vector is now purchased credentials. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Issue threat advisory </strong> to municipal IT directors in your jurisdiction regarding the Bar Harbor breach and potential regional campaign. Offer forensic support. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit all MSP remote access tools </strong> (SimpleHelp, ConnectWise, Splashtop, AnyDesk) for version currency and authentication configuration. Require FIDO2/hardware token MFA for all MSP technician access. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> SOC / IT Security </p> </td> <td> <p> <strong> Harden helpdesk credential reset procedures </strong> per CISA/FBI advisory. Implement mandatory callback verification to pre-registered numbers for any password reset or MFA re-enrollment request. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch Apache ActiveMQ </strong> to version 5.19.4 or 6.2.3 if deployed. CVE-2026-34197 (CVSS 8.8) enables remote code execution via Jolokia JMX bridge. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Review messaging app phishing defenses. </strong> Brief senior officials on Russian Intelligence Services targeting of Signal, WhatsApp, and Telegram. Implement web proxy blocks for known credential harvesting domains mimicking messaging app login pages. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 9 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission review of Salesforce instances </strong> (constituent services, HR, procurement) for access control hardening against ShinyHunters/UNC6040 campaign. Implement IP allowlisting and session anomaly detection. </p> </td> </tr> <tr> <td> <p> 10 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Validate SCADA air-gap procedures at state water/wastewater facilities. Confirm network segmentation documentation is current and tested. Bar Harbor's air-gap saved their critical systems — verify yours would too. </strong> </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Implement multi-provider OSINT architecture. </strong> Single-source intelligence dependencies create blind spots. Ensure at least two independent open-source intelligence feeds for threat visibility. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CIO/CISO </p> </td> <td> <p> <strong> Add all RMM/remote support tools to vulnerability scanning scope. </strong> These tools often sit outside normal vulnerability management programs because they're classified as "IT tools" rather than applications — yet they have the highest privilege levels in your environment. </p> </td> </tr> </tbody>
</table>
<h3> <strong> Executive & IR Preparedness </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> A </p> </td> <td> <p> CISO / Legal </p> </td> <td> <p> <strong> Update incident response playbook </strong> for credential-based intrusions (no malware indicators). Bar Harbor's breach had no encryption or malware — would your IR team recognize and respond to a credential-only intrusion? </p> </td> </tr> <tr> <td> <p> B </p> </td> <td> <p> CIO </p> </td> <td> <p> <strong> Brief Governor's office / agency heads </strong> on elevated threat posture and SimpleHelp risk. Decision-makers should understand that a single compromised remote support tool could provide access to every managed endpoint. </p> </td> </tr> <tr> <td> <p> C </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Tabletop exercise: </strong> Simulate a scenario where an MSP's admin credentials are purchased by a ransomware affiliate, used to access state systems, and data is exfiltrated before encryption. Test communication, isolation, and recovery procedures. </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Guidance </strong>
</h2>
<p> The following verified indicators are associated with campaigns discussed in this report. Deploy to perimeter controls, EDR, and SIEM as appropriate.
</p>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 173.44.141[.]89 </p> </td> <td> <p> Associated with threat campaign infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> 360scanner[.]store </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> hendryadrian[.]com </p> </td> <td> <p> Threat actor infrastructure </p> </td> </tr> </tbody>
</table>
<p> <strong> <em> Note: </em> </strong> <em> File-based indicators (hashes) associated with campaigns in this report are available via Anomali ThreatStream Next-Gen and partner feeds. Analysts are directed to query ThreatStream Next-Gen for the latest malware sample hashes linked to Akira, Lynx, Qilin, and VOID MANTICORE activity. Additional network IOCs are updated continuously in ThreatStream Next-Gen as new infrastructure is identified. </em>
</p>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> The convergence of a CVSS 10.0 remote support tool vulnerability, ransomware groups buying their way past your perimeter with stolen credentials, and nation-state actors pre-positioned in critical infrastructure creates a threat environment where <strong> traditional defense-in-depth assumptions are being systematically dismantled </strong> .
</p>
<p> Your MFA can be bypassed (SimpleHelp OIDC). Your patching program can be circumvented (Akira buys credentials instead of exploiting vulns). Your perimeter can be irrelevant (MSP access paths bypass it entirely). Your municipal partners may already be compromised (Bar Harbor "regional campaign").
</p>
<p> The defensive center of gravity has shifted from the perimeter to <strong> identity </strong> . Know who is authenticating, from where, at what time, and whether their behavior matches their role. Inventory every remote access tool — especially the ones your MSPs use that you may not even know about. And treat the absence of Volt Typhoon detections not as reassurance, but as evidence that their pre-positioning doctrine is working exactly as designed.
</p>
<p> The agencies that act on this intelligence this week will be the ones that avoid becoming the next Bar Harbor headline.
</p>
<p> <em> Published June 30, 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional context, contact your Anomali intelligence unit. </em>
</p>