Anomali Cyber Watch
Public Sector

Silent Killers: macOS EDR Bypass, Fortinet Credential Harvesting, and a Record ICS Advisory Surge Threaten State Government Networks

Published on
June 25, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> <em> (Unchanged from prior cycle; escalation to HIGH possible within 72 hours if Cisco UCM exploitation scales against state agencies or Fortinet credential abuse produces confirmed state government intrusions.) </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government IT leaders face a convergence of threats this week that demands immediate attention. A newly disclosed macOS vulnerability can silently disable your endpoint detection and response (EDR) agents from a standard user account. CISA has issued a second update confirming that nation-state actors continue harvesting credentials from Fortinet devices across government networks. And in a single 24-hour window, seven industrial control system advisories dropped &mdash; the highest volume we've observed in recent memory. </p> <p> Meanwhile, the actors behind the FortiBleed campaign (430,000+ compromised devices, 110 million+ stolen credentials), Iranian IRGC-affiliated intrusions into U.S. water utilities, and Chinese state-sponsored pre-positioning in government networks remain active threats from prior weeks. None of these have been resolved &mdash; they've simply gone quiet, which is not the same as gone. </p> <p> This brief translates today's intelligence into decisions you can make before close of business. 
</p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2026-39118 </strong> &mdash; macOS XPC privilege escalation disables CrowdStrike Falcon and Kandji MDM from a standard user account </p> </td> <td> <p> Any compromised macOS endpoint in your fleet can have its security tooling silently removed before data theft or ransomware deployment </p> </td> </tr> <tr> <td> <p> <strong> CISA updates Fortinet credential alert </strong> (22 June) &mdash; confirms continued government targeting </p> </td> <td> <p> If any FortiGate management interface was ever internet-exposed, assume credentials are compromised </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-20230 (Cisco UCM) </strong> confirmed actively exploited against government (24 June) &mdash; unauthenticated root access via WebDialer </p> </td> <td> <p> State VoIP infrastructure at immediate risk; patch or restrict access before end of day </p> </td> </tr> <tr> <td> <p> <strong> VOID MANTICORE </strong> (Iran-affiliated) breaches California water utility (12 June) </p> </td> <td> <p> <strong> Demonstrates Iranian capability against U.S. critical infrastructure; state water systems at elevated risk </strong> </p> </td> </tr> <tr> <td> <p> <strong> Salt Typhoon refreshes SNAPPYBEE loader C2 </strong> infrastructure targeting U.S. 
government (23 June) </p> </td> <td> <p> Chinese state-sponsored pre-positioning remains active; federal-interconnected state networks are lateral-movement targets </p> </td> </tr> <tr> <td> <p> <strong> 4 new CISA KEV entries </strong> including CVE-2025-67038 (Lantronix EDS5000, CVSS 9.8) </p> </td> <td> <p> Unauthenticated command injection in serial-to-Ethernet devices common in building automation and OT environments </p> </td> </tr> <tr> <td> <p> <strong> 7 ICS advisories in 24 hours </strong> &mdash; Siemens (&times;4), ABB, Hubbell, B&amp;R </p> </td> <td> <p> Record single-day volume; affects SCADA/DCS products in state-overseen utility environments </p> </td> </tr> <tr> <td> <p> <strong> NETSUPPORT RAT </strong> delivered via fake Microsoft Teams advertisements targeting government </p> </td> <td> <p> Second independent delivery campaign for this RAT family against government &mdash; it's becoming the commodity tool of choice </p> </td> </tr> <tr> <td> <p> <strong> Post-Quantum Executive Order </strong> (23 June) </p> </td> <td> <p> Federal mandate with direct implications for state systems interconnected with federal partners </p> </td> </tr> <tr> <td> <p> <strong> SASE/TIC 3.0 guidance </strong> published by CISA (24 June) </p> </td> <td> <p> Architecture blueprint for state agencies modernizing network security </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Relevance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 12 June 2026 </p> </td> <td> <p> VOID MANTICORE (IRGC-affiliated) breaches California water utility </p> </td> <td> <p> <strong> Demonstrates Iranian capability against U.S. 
critical infrastructure; state water systems at risk </strong> </p> </td> </tr> <tr> <td> <p> 17&ndash;18 June 2026 </p> </td> <td> <p> UNC5435 (Russia-nexus) publishes 73,932 FortiGate admin credentials; later confirmed at 430,000+ devices </p> </td> <td> <p> Any state agency running FortiGate with exposed management must assume compromise </p> </td> </tr> <tr> <td> <p> 22 June 2026 </p> </td> <td> <p> CISA issues second Fortinet update confirming continued government targeting </p> </td> <td> <p> Validates ongoing exploitation &mdash; not a one-time dump </p> </td> </tr> <tr> <td> <p> 23 June 2026 </p> </td> <td> <p> Salt Typhoon refreshes SNAPPYBEE loader C2 infrastructure targeting U.S. government </p> </td> <td> <p> Chinese state-sponsored pre-positioning remains active </p> </td> </tr> <tr> <td> <p> 23 June 2026 </p> </td> <td> <p> Post-Quantum Executive Order signed </p> </td> <td> <p> Compliance clock starts for federal-interconnected state systems </p> </td> </tr> <tr> <td> <p> 23 June 2026 </p> </td> <td> <p> 4 new CISA KEV entries including CVE-2025-67038 (CVSS 9.8) </p> </td> <td> <p> Mandatory patching timeline triggered </p> </td> </tr> <tr> <td> <p> 23 June 2026 </p> </td> <td> <p> 7 ICS advisories published (Siemens, ABB, Hubbell, B&amp;R) </p> </td> <td> <p> Highest single-day OT advisory volume in recent tracking </p> </td> </tr> <tr> <td> <p> 24 June 2026 </p> </td> <td> <p> CVE-2026-20230 (Cisco UCM) confirmed actively exploited against government </p> </td> <td> <p> Unauthenticated root access via WebDialer &mdash; state VoIP infrastructure at risk </p> </td> </tr> <tr> <td> <p> 24 June 2026 </p> </td> <td> <p> CISA publishes SASE/TIC 3.0 guidance </p> </td> <td> <p> Architecture planning document for state network modernization </p> </td> </tr> <tr> <td> <p> 25 June 2026 </p> </td> <td> <p> CVE-2026-39118 (macOS XPC EDR/MDM bypass) disclosed </p> </td> <td> <p> CrowdStrike Falcon and Kandji MDM confirmed vulnerable; patch available </p> </td> 
</tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. macOS EDR Bypass Creates Ransomware Kill Chain (CVE-2026-39118) </strong> </h3> <p> XM Cyber disclosed a technique that exploits macOS XPC inter-process communication to allow a <strong> standard user </strong> &mdash; not an administrator &mdash; to unload EDR agents and MDM profiles. The attack works by tampering with a legitimate application to inherit its trusted CDHash, then calling privileged helper functions that the operating system trusts implicitly. </p> <p> <strong> Confirmed impact: </strong> CrowdStrike Falcon (full agent unload) and Kandji MDM (profile removal). </p> <p> <strong> Why this matters for state government: </strong> Executive offices, communications teams, and creative departments commonly run macOS. If any of these endpoints are compromised &mdash; even at a standard user level via phishing &mdash; the attacker can blind your security team before deploying ransomware or exfiltrating data. This creates a kill chain: <em> local privilege escalation &rarr; EDR disable &rarr; credential dump &rarr; lateral movement &rarr; ransomware deployment. </em> </p> <p> No in-the-wild exploitation has been confirmed yet, but the technique is fully documented and reproducible. </p> <h3> <strong> 2. Fortinet Credential Harvesting &mdash; Government Confirmed as Target </strong> </h3> <p> CISA's second update to its Fortinet alert removes any ambiguity: nation-state actors are actively harvesting credentials from internet-exposed FortiGate management interfaces, and <strong> government is an explicitly named target sector </strong> . This follows the FortiBleed campaign attributed to Russia-nexus actor UNC5435, which exposed 430,000+ devices and over 110 million credentials. </p> <p> <strong> The risk is not theoretical. 
</strong> If your FortiGate management plane was ever internet-accessible &mdash; even briefly &mdash; assume those credentials are in adversary hands. Credential rotation alone is insufficient if the underlying exposure hasn't been remediated. </p> <h3> <strong> 3. Record ICS/OT Advisory Volume Signals Expanding Attack Surface </strong> </h3> <p> Seven ICS advisories in a single day across four major vendors: </p> <table> <thead> <tr> <th> <p> <strong> Vendor </strong> </p> </th> <th> <p> <strong> Product </strong> </p> </th> <th> <p> <strong> Risk </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Hubbell </p> </td> <td> <p> Aclara Metrum </p> </td> <td> <p> Cellular web interface manipulation, device disruption </p> </td> </tr> <tr> <td> <p> Siemens </p> </td> <td> <p> WinCC Certificate Manager </p> </td> <td> <p> Key material extraction </p> </td> </tr> <tr> <td> <p> ABB </p> </td> <td> <p> Freelance Security Lock </p> </td> <td> <p> OS function access bypass </p> </td> </tr> <tr> <td> <p> Siemens </p> </td> <td> <p> SINEC INS </p> </td> <td> <p> Multiple vulnerabilities (pre-V1.0 SP2 Update 6) </p> </td> </tr> <tr> <td> <p> B&amp;R </p> </td> <td> <p> Multiple products </p> </td> <td> <p> Linux kernel vulnerabilities in shipped products </p> </td> </tr> <tr> <td> <p> Siemens </p> </td> <td> <p> SIPROTEC 5 </p> </td> <td> <p> Arbitrary file upload via DIGSI5 protocol </p> </td> </tr> <tr> <td> <p> Siemens </p> </td> <td> <p> Products using OpenSSL </p> </td> <td> <p> Stack buffer overflow (DoS/RCE) </p> </td> </tr> </tbody> </table> <p> State agencies that oversee water treatment, transportation, and energy utilities should treat this as a coordinated disclosure event requiring immediate patch assessment. 
</p> <p> Additionally, <strong> CVE-2025-67038 </strong> (Lantronix EDS5000, CVSS 9.8) &mdash; an unauthenticated OS command injection in a serial-to-Ethernet device common in building automation &mdash; is now on CISA's KEV list with confirmed active exploitation. </p> <h3> <strong> 4. NETSUPPORT RAT: Two Campaigns, One Target &mdash; Government </strong> </h3> <p> Two independent delivery campaigns now target government employees with NETSUPPORT RAT: </p> <ul> <li> <strong> ClickFix social engineering </strong> (previously tracked) </li> <li> <strong> Fake Microsoft Teams advertisements </strong> (newly identified) </li> </ul> <p> The convergence of two separate campaigns using the same malware family against the same target sector indicates NETSUPPORT is becoming the commodity remote access tool of choice for government-targeting actors. The confirmed C2 domain is bksnb[.]com. </p> <h3> <strong> 5. Nation-State Actors: Quiet Does Not Mean Safe </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Actor </strong> </p> </th> <th> <p> <strong> Affiliation </strong> </p> </th> <th> <p> <strong> Last Observed Activity </strong> </p> </th> <th> <p> <strong> Current Assessment </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> VOID MANTICORE </p> </td> <td> <p> Iran (IRGC) </p> </td> <td> <p> 12 June &mdash; California water utility breach </p> </td> <td> <p> <strong> Capability demonstrated against U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> UNC5435 </p> </td> <td> <p> Russia-nexus </p> </td> <td> <p> 17&ndash;18 June &mdash; FortiBleed credential dump </p> </td> <td> <p> Credentials still being exploited per CISA 22 June update </p> </td> </tr> <tr> <td> <p> Salt Typhoon </p> </td> <td> <p> China (state-sponsored) </p> </td> <td> <p> 23 June &mdash; SNAPPYBEE C2 refresh </p> </td> <td> <p> Active pre-positioning in U.S. 
government networks </p> </td> </tr> <tr> <td> <p> Volt Typhoon </p> </td> <td> <p> China (state-sponsored) </p> </td> <td> <p> Extended quiet period </p> </td> <td> <p> Living-off-the-land actors deliberately minimize observable activity; absence is expected tradecraft </p> </td> </tr> <tr> <td> <p> APT29 </p> </td> <td> <p> Russia (SVR) </p> </td> <td> <p> 22 June &mdash; last ThreatStream Next-Gen update </p> </td> <td> <p> Possible retooling or operational pause </p> </td> </tr> </tbody> </table> <p> <strong> Critical point: </strong> Volt Typhoon's silence is <em> by design </em> . These actors pre-position using legitimate tools (valid accounts, native system utilities) specifically to avoid detection. The absence of indicators is not evidence of absence. </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability (30-day) </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Ransomware group weaponizes CVE-2026-39118 macOS EDR bypass as pre-encryption step </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> Technique is fully documented, trivial to implement, and directly enables the "blind then encrypt" playbook already used by Gentlemen RaaS (GentleKiller) on Windows </p> </td> </tr> <tr> <td> <p> State government FortiGate credentials from FortiBleed campaign used for initial access in targeted intrusion </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 430K+ devices compromised; CISA confirms continued government targeting; credential-based access is the lowest-friction entry point </p> </td> </tr> <tr> <td> <p> NETSUPPORT RAT infection in state agency via fake Teams/ClickFix campaign </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> Two active delivery campaigns specifically targeting government; Microsoft Teams is ubiquitous in state IT </p> </td> </tr> <tr> <td> <p> 
Exploitation of Lantronix EDS5000 (CVE-2025-67038) in state building automation </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> Confirmed active exploitation; device is common in facilities management but may not be present in all state environments </p> </td> </tr> <tr> <td> <p> Salt Typhoon or Volt Typhoon activity detected in state government network </p> </td> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> Active C2 refresh indicates ongoing operations; state .gov interconnections with federal systems create lateral paths </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> What to Monitor </strong> </p> </th> <th> <p> <strong> ATT&amp;CK Technique </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> macOS system extension unload events </p> </td> <td> <p> T1562.001 (Impair Defenses) </p> </td> <td> <p> Alert on systemextensionsctl uninstall or es_event_type_t: ES_EVENT_TYPE_NOTIFY_PROC_EXEC matching EDR/MDM binary paths being terminated by non-admin processes </p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> FortiGate management plane access from unexpected sources </p> </td> <td> <p> T1133 (External Remote Services), T1078 (Valid Accounts) </p> </td> <td> <p> Audit all FortiGate admin logins; alert on logins from non-whitelisted IPs; correlate with known compromised credential lists </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> DNS queries to bksnb[.]com </p> </td> <td> <p> T1219 (Remote Access Software) </p> </td> <td> <p> Block at DNS/proxy; hunt in 30-day DNS logs for historical resolution </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> NetSupportManager network traffic 
patterns </p> </td> <td> <p> T1219 (Remote Access Software) </p> </td> <td> <p> Detect NetSupport's characteristic HTTP beacon pattern (typically port 443 with distinctive User-Agent strings) </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Cisco UCM WebDialer access attempts </p> </td> <td> <p> T1190 (Exploit Public-Facing Application) </p> </td> <td> <p> Monitor for unauthenticated requests to WebDialer endpoints; alert on any successful authentication bypass indicators (CVE-2026-20230) </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> XPC service manipulation on macOS </p> </td> <td> <p> T1574.002 (Hijack Execution Flow) </p> </td> <td> <p> Monitor for new XPC service registrations or modifications to existing service plists by non-system processes </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> Lantronix device HTTP RPC calls </p> </td> <td> <p> T1190 (Exploit Public-Facing Application) </p> </td> <td> <p> If Lantronix EDS5000 devices exist in environment, monitor for anomalous HTTP RPC traffic patterns </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3>
<ol>
<li> <strong> Hypothesis: </strong> Compromised FortiGate credentials have already been used for VPN access to state networks.
<ul> <li> <strong> Hunt: </strong> Query VPN authentication logs for FortiGate-managed connections from unusual geolocations or at unusual hours over the past 30 days. Cross-reference with the FortiBleed exposure window (17 June onward). </li> <li> <strong> Techniques: </strong> T1078.004 (Cloud Accounts), T1133 (External Remote Services) </li> </ul> </li>
<li> <strong> Hypothesis: </strong> NETSUPPORT RAT is already present on state endpoints, delivered via prior ClickFix or malvertising campaigns.
<ul> <li> <strong> Hunt: </strong> Search for client32.exe or NetSupport-related registry keys (HKLM\SOFTWARE\NetSupport). Query proxy logs for HTTP beacons to known NetSupport C2 patterns. </li> <li> <strong> Techniques: </strong> T1219 (Remote Access Software), T1105 (Ingress Tool Transfer) </li> </ul> </li>
<li> <strong> Hypothesis: </strong> Volt Typhoon has pre-positioned in state networks using living-off-the-land techniques.
<ul> <li> <strong> Hunt: </strong> Audit scheduled tasks, WMI subscriptions, and service installations created by accounts that also authenticated via VPN or external remote services. Look for legitimate admin tools (PsExec, WMIC, PowerShell remoting) used from unexpected source hosts. </li> <li> <strong> Techniques: </strong> T1078 (Valid Accounts), T1072 (Software Deployment Tools), T1053 (Scheduled Task/Job) </li> </ul> </li>
</ol>
<h3> <strong> Blocking Actions </strong> </h3> <p> Block the following at your DNS resolver, web proxy, and firewall: </p> <table> <thead> <tr> <th> <p> <strong> IOC </strong> </p> </th> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> bksnb[.]com </p> </td> <td> <p> Domain </p> </td> <td> <p> NETSUPPORT RAT C2 (confidence 85) </p> </td> </tr> <tr> <td> <p> zauber-edgecb61leise[.]icu </p> </td> <td> <p> Domain </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> samtpfotchensnezhok9566leisegepard[.]sbs </p> </td> <td> <p> Domain </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> dentalfaxgate[.]vip </p> </td> <td> <p> Domain </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> backupsupport[.]comxa[.]com </p> </td> <td> <p> Domain </p> </td> <td> <p> RAT C2 infrastructure </p> </td> </tr> <tr> <td> <p> ewaehhmrqh[.]ws </p> </td> <td> <p> Domain </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> 176.116.165[.]207 </p> </td> <td> <p> IPv4 </p> </td> <td> <p> Threat infrastructure </p> </td> </tr> <tr> <td> <p> 124.71.175[.]215 </p> </td> <td> <p> IPv4 </p> </td> 
<td> <p> Threat infrastructure </p> </td> </tr> <tr> <td> <p> 31.170.160[.]209 </p> </td> <td> <p> IPv4 </p> </td> <td> <p> Threat infrastructure </p> </td> </tr> </tbody> </table> <p> Additional IOCs available via Anomali ThreatStream Next-Gen. </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Government (State Agencies) </strong> </h3> <ul> <li> <strong> Immediate: </strong> Verify CrowdStrike Falcon macOS sensor is patched against CVE-2026-39118 across all executive and departmental macOS endpoints </li> <li> <strong> Immediate: </strong> Audit all Fortinet management interfaces &mdash; confirm zero internet exposure; rotate all admin credentials regardless of perceived exposure status </li> <li> <strong> 7-Day: </strong> Implement conditional access policies requiring phishing-resistant MFA for all VPN and remote access, eliminating credential-only authentication paths </li> <li> <strong> 30-Day: </strong> Begin post-quantum cryptographic inventory for all systems interconnecting with federal partners per new Executive Order </li> </ul> <h3> <strong> Financial Services (State Treasury, Revenue, Retirement Systems) </strong> </h3> <ul> <li> <strong> Immediate: </strong> Hunt for NETSUPPORT RAT indicators in environments processing citizen financial data (tax systems, payment portals) </li> <li> <strong> 7-Day: </strong> Review Cisco UCM deployments in call centers handling sensitive financial information; apply CVE-2026-20230 mitigations </li> <li> <strong> 30-Day: </strong> Assess SASE/TIC 3.0 applicability for segmenting citizen-facing financial portals from internal administrative networks </li> </ul> <h3> <strong> Energy (State-Overseen Utilities) </strong> </h3> <ul> <li> <strong> Immediate: </strong> Distribute ICS advisory details to utility operators for Siemens SIPROTEC 5 (protection relays) and WinCC (HMI/SCADA) </li> <li> <strong> 7-Day: </strong> Inventory Lantronix EDS5000 devices in substation and generation 
facility networks; isolate any internet-connected units pending patch </li> <li> <strong> 30-Day: </strong> Establish standing monthly OT patch review meeting aligned to Siemens disclosure cycle; include ABB and Hubbell products </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Immediate: </strong> Prioritize macOS EDR bypass patching &mdash; healthcare environments often have mixed OS fleets with macOS in clinical and administrative roles </li> <li> <strong> 7-Day: </strong> Validate that Fortinet devices protecting health data networks (HIPAA-regulated) have no exposed management interfaces and credentials are rotated </li> <li> <strong> 30-Day: </strong> Assess ransomware resilience specifically for Medicaid claims processing systems &mdash; the quiet period in ransomware activity historically precedes targeting surges </li> </ul> <h3> <strong> Aviation/Logistics (State DOT, Port Authorities) </strong> </h3> <ul> <li> <strong> Immediate: </strong> Assess Hubbell Aclara Metrum exposure in transportation infrastructure (traffic management, toll systems) </li> <li> <strong> 7-Day: </strong> Review B&amp;R automation products in logistics and port operations for Linux kernel vulnerabilities disclosed in this cycle </li> <li> <strong> 30-Day: </strong> Conduct tabletop exercise simulating Volt Typhoon-style pre-positioning in transportation SCADA &mdash; test detection and response for living-off-the-land techniques </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Verify CrowdStrike Falcon macOS sensor includes XPC bypass mitigation for CVE-2026-39118; confirm all macOS endpoints updated </p> </td> <td> <p> Endpoint Engineering </p> </td> </tr> <tr> <td> <p> Deploy 
detection for macOS system extension unload events (T1562.001) &mdash; alert on any EDR/MDM process termination by non-admin users </p> </td> <td> <p> SOC / Detection Engineering </p> </td> </tr> <tr> <td> <p> Validate ALL Fortinet FortiGate management interfaces are not internet-accessible; rotate all admin credentials on any device that was ever exposed </p> </td> <td> <p> Network Operations </p> </td> </tr> <tr> <td> <p> Block bksnb[.]com and associated C2 domains (see IOC table above) at DNS and web proxy </p> </td> <td> <p> SOC / Network Security </p> </td> </tr> <tr> <td> <p> Confirm Cisco UCM WebDialer is patched or access-restricted per CVE-2026-20230 mitigations </p> </td> <td> <p> Unified Communications Team </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Hunt for NETSUPPORT RAT artifacts across all endpoints (registry keys, client32.exe, beacon patterns) &mdash; 30-day lookback </p> </td> <td> <p> SOC / Threat Hunting </p> </td> </tr> <tr> <td> <p> Inventory Lantronix EDS5000 devices across state facilities; isolate internet-connected units; apply CVE-2025-67038 patch </p> </td> <td> <p> Facilities / OT Security </p> </td> </tr> <tr> <td> <p> Review CISA SASE/TIC 3.0 guidance; schedule IT leadership briefing on zero trust migration implications </p> </td> <td> <p> CISO / Enterprise Architecture </p> </td> </tr> <tr> <td> <p> Distribute ICS advisory package to all utility operators under state oversight; request patch status within 14 days </p> </td> <td> <p> OT Security / Utility Coordination </p> </td> </tr> <tr> <td> <p> Conduct FortiGate VPN authentication log review &mdash; 30-day lookback for anomalous access patterns post-FortiBleed </p> </td> <td> <p> SOC / Identity Team </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> 
<strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Initiate post-quantum cryptographic inventory &mdash; identify all RSA/ECC systems interconnecting with federal partners; assign project owner </p> </td> <td> <p> CISO / Enterprise Architecture </p> </td> </tr> <tr> <td> <p> Audit all Siemens WinCC, SINEC INS, and SIPROTEC 5 deployments in state-overseen utility SCADA environments; coordinate patch scheduling </p> </td> <td> <p> OT Security </p> </td> </tr> <tr> <td> <p> Establish monthly OT patch review cadence aligned to vendor disclosure cycles (Siemens, ABB, Schneider) </p> </td> <td> <p> OT Security / Change Management </p> </td> </tr> <tr> <td> <p> Conduct tabletop exercise: "Ransomware actor uses macOS EDR bypass as initial disablement step" &mdash; test detection, containment, and recovery </p> </td> <td> <p> CISO / IR Team </p> </td> </tr> <tr> <td> <p> Evaluate OSINT collection capability &mdash; current intelligence blind spot (5 days degraded) reduces threat visibility; approve alternative provider or accept risk </p> </td> <td> <p> CISO </p> </td> </tr> </tbody> </table> <h3> <strong> Executive / IR Preparedness </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Timeline </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Brief agency CIOs on FortiBleed exposure risk and macOS EDR bypass &mdash; frame as "your security tools can be silently disabled" </p> </td> <td> <p> CISO </p> </td> <td> <p> This week </p> </td> </tr> <tr> <td> <p> Update incident response playbook to include "EDR agent tampered/unloaded" scenario with macOS-specific procedures </p> </td> <td> <p> IR Team </p> </td> <td> <p> 7 days </p> </td> </tr> <tr> <td> <p> Request risk acceptance decision on degraded OSINT collection capability &mdash; 5 days without open-source intelligence correlation </p> </td> <td> <p> CISO 
</p> </td> <td> <p> 48 hours </p> </td> </tr> <tr> <td> <p> Engage CrowdStrike TAM to confirm state-specific exposure to CVE-2026-39118 and obtain detection content </p> </td> <td> <p> Security Operations </p> </td> <td> <p> This week </p> </td> </tr> </tbody> </table> <h2> <strong> Bottom Line </strong> </h2> <p> The threat landscape facing state government this week is defined by a dangerous pattern: adversaries are systematically targeting the tools we rely on for defense. An EDR bypass that works from a standard user account. Credential harvesting from the firewalls protecting our perimeters. Pre-positioning by nation-state actors designed to be invisible until activation. </p> <p> The seven ICS advisories in a single day are not routine &mdash; they represent an expanding attack surface in the operational technology that underpins the services citizens depend on. </p> <p> Three decisions require your attention today: </p> <ol> <li> <strong> Confirm your macOS EDR agents are patched. </strong> CVE-2026-39118 turns every unpatched macOS endpoint into a potential blind spot. Verify with your endpoint team before end of day. </li> <li> <strong> Validate your Fortinet exposure. </strong> CISA has now issued two updates confirming government targeting. If you haven't rotated credentials and confirmed no management interface exposure, you are operating on borrowed time. </li> <li> <strong> Decide on your intelligence collection gap. </strong> Five days without OSINT correlation capability means we cannot fully validate threats or confirm their absence. Accept the risk formally or approve the fix. </li> </ol> <p> The quiet periods &mdash; in ransomware activity, in Volt Typhoon operations, in APT29 campaigns &mdash; are not reassurance. They are the sound of adversaries selecting targets, staging infrastructure, and waiting for the moment of maximum impact. </p> <p> Act on what you can control today. The window between disclosure and exploitation continues to shrink. 
</p> <p> <em> Published 25 June 2026 | Anomali CTI Desk </em> </p> <p> <em> For IOC feeds and machine-readable intelligence, contact your Anomali ThreatStream Next-Gen representative. </em> </p>
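<p> The FortiGate admin-login audit from the Detection Priorities table and the first hunting hypothesis, worked through as an added example (this is not code from the brief or from Anomali): it parses FortiOS-style key=value event lines and flags successful admin logins from sources outside a management allowlist, accounts present on an exposed-credential list, and off-hours logins on or after the 17 June exposure window. The allowlist, the exposed-account set, the business-hours policy and the sample log lines are all constructed assumptions. </p>

```python
"""Triage FortiGate admin-login events against the checks the brief lists."""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed assumptions, not values from the brief: the management-plane
# allowlist, the accounts believed exposed, and the business-hours policy.
MGMT_ALLOWLIST = [ip_network("10.20.0.0/16"), ip_network("192.0.2.10/32")]
EXPOSED_ACCOUNTS = {"admin", "fwbackup"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Start of the FortiBleed exposure window named in the brief (17 June onward).
EXPOSURE_START = datetime(2026, 6, 17)

# FortiOS event logs are key=value pairs; values may be double-quoted or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, whole, quoted, bare in _KV.findall(line):
        fields[key] = quoted if whole.startswith('"') else bare
    return fields


def triage_login(event: dict) -> list:
    """Return the reasons a successful admin login deserves an alert ([] if none)."""
    if event.get("action") != "login" or event.get("status") != "success":
        return []  # this check is about access actually gained, not failed attempts
    reasons = []
    src = ip_address(event["srcip"])
    if not any(src in net for net in MGMT_ALLOWLIST):
        reasons.append(f"source {src} not on management allowlist")
    if event.get("user") in EXPOSED_ACCOUNTS:
        reasons.append(f"account {event['user']} appears in exposed credential list")
    when = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
    in_hours = BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]
    if when >= EXPOSURE_START and not in_hours:
        reasons.append(f"off-hours login at {when.isoformat()} inside exposure window")
    return reasons


def hunt(lines: list) -> list:
    """Run triage over raw log lines; return (timestamp, user, reasons) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = triage_login(event)
        if reasons:
            hits.append((f"{event['date']}T{event['time']}", event.get("user", "?"), reasons))
    return hits


# Constructed sample events in FortiOS style (not real device output).
SAMPLE_LOG = [
    'date=2026-06-16 time=09:12:40 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.20.4.7)" method="https" '
    'srcip=10.20.4.7 action="login" status="success" msg="Administrator netops logged in"',
    'date=2026-06-19 time=02:47:03 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.88)" method="https" '
    'srcip=203.0.113.88 action="login" status="success" msg="Administrator admin logged in"',
    'date=2026-06-20 time=14:05:11 logid="0100032002" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" method="https" '
    'srcip=198.51.100.23 action="login" status="failed" msg="Administrator admin login failed"',
    'date=2026-06-21 time=11:30:00 logid="0100032001" type="event" subtype="system" '
    'logdesc="Admin login successful" user="fwbackup" ui="ssh(10.20.9.3)" method="ssh" '
    'srcip=10.20.9.3 action="login" status="success" msg="Administrator fwbackup logged in"',
]

if __name__ == "__main__":
    for stamp, user, reasons in hunt(SAMPLE_LOG):
        print(stamp, user, "; ".join(reasons))
```

Feed it the 30-day FortiGate event export instead of SAMPLE_LOG to get the lookback the 7-day action table asks for; an allowlisted, in-hours login by an unexposed account yields no finding, so the output is only the logins worth an analyst's time.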