<p> <strong> Threat Assessment Level: ELEVATED ↑ </strong>
</p>
<p> <em> (Elevated from ELEVATED-STABLE. Escalation to HIGH possible within 72 hours pending Exchange hybrid exploitation confirmation or state-sector ransomware incident.) </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate attention. A newly cataloged Exchange hybrid vulnerability allows attackers to silently escalate from a compromised on-premises server to full Microsoft 365 tenant ownership — with <strong> zero cloud-side audit trail </strong> . Meanwhile, Russian intelligence services continue harvesting government officials' messaging credentials, a new ransomware group is weaponizing EDR vendor binaries to bypass endpoint protection, and seven ICS advisories in a single day signal an expanding attack surface across state-managed infrastructure.
</p>
<p> For CIOs and CISOs managing hybrid Exchange environments — which describes the vast majority of state government IT architectures — the window for action is narrow. Fiscal year-end distractions compound the risk.
</p>
<h2> <strong> What Changed This Week </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Why It Matters for State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CVE-2025-53786 </strong> — Exchange hybrid privilege escalation disclosed; CISA warns of "total domain compromise" </p> </td> <td> <p> Most state governments run hybrid Exchange with Entra Connect. A compromised on-prem server = silent cloud takeover with no M365 audit logs. </p> </td> </tr> <tr> <td> <p> <strong> CVE-2026-12569 </strong> added to CISA KEV (CVSS 9.8) </p> </td> <td> <p> <strong> PTC Windchill/FlexPLM critical RCE — mandatory remediation timeline triggered for any state agency using PLM for asset lifecycle management. </strong> </p> </td> </tr> <tr> <td> <p> <strong> CISA/FBI PSA </strong> — Russian Intelligence Services (APT29/SVR, GRU) actively phishing Signal, WhatsApp, Telegram </p> </td> <td> <p> Government officials using commercial messaging apps for work communications are actively targeted for credential harvesting. </p> </td> </tr> <tr> <td> <p> <strong> Cephalus ransomware </strong> emerges with SentinelOne DLL sideloading technique </p> </td> <td> <p> New ransomware group weaponizes legitimate EDR executables — if your state uses SentinelOne, the trusted binary is already on every endpoint. </p> </td> </tr> <tr> <td> <p> <strong> 7 ICS/medical advisories </strong> including Schneider Electric PowerLogic P7, Daktronics controllers, EVoke charging stations </p> </td> <td> <p> Directly relevant to state-regulated power infrastructure, highway signage, government buildings, and fleet electrification programs. </p> </td> </tr> <tr> <td> <p> <strong> DragonForce </strong> updated targeting (27 Jun) — government/public services confirmed </p> </td> <td> <p> Ransomware group explicitly adding government to target verticals alongside existing state-sector threats from Akira and AiLock. 
</p> </td> </tr> <tr> <td> <p> <strong> China-nexus actors </strong> (Salt Typhoon, Genesis Panda) expanding CVE-2025-53770 SharePoint exploitation — 4 government-targeted campaigns observed 22–24 Jun </p> </td> <td> <p> Unpatched SharePoint instances in state government remain under active, multi-campaign exploitation by Chinese intelligence-linked actors. </p> </td> </tr> <tr> <td> <p> <strong> TA444/Bluenoroff (DPRK) </strong> active IOC infrastructure detected this cycle targeting financial systems </p> </td> <td> <p> State treasury, revenue, and comptroller offices share IT maturity and exposure profiles with TA444's confirmed victim set. </p> </td> </tr> </tbody>
</table>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Actor/Source </strong> </p> </th> <th> <p> <strong> State Gov Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 12 Jun 2026 </p> </td> <td> <p> California water utility breach confirmed </p> </td> <td> <p> VOID MANTICORE (Iran/IRGC) </p> </td> <td> <p> <strong> Validates Iranian offensive capability against U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> 22–24 Jun 2026 </p> </td> <td> <p> SharePoint CVE-2025-53770 exploitation expanded to 4 campaigns targeting government </p> </td> <td> <p> China-nexus actors </p> </td> <td> <p> Unpatched SharePoint instances remain under active exploitation </p> </td> </tr> <tr> <td> <p> 25 Jun 2026 </p> </td> <td> <p> CVE-2026-12569 added to CISA KEV </p> </td> <td> <p> CISA </p> </td> <td> <p> Mandatory remediation timeline for PTC Windchill (CVSS 9.8) </p> </td> </tr> <tr> <td> <p> 25 Jun 2026 </p> </td> <td> <p> 7 ICS/medical advisories published </p> </td> <td> <p> CISA </p> </td> <td> <p> Schneider Electric, Daktronics, EVoke, H.VIEW cameras — all state-relevant </p> </td> </tr> <tr> <td> <p> 26 Jun 2026 </p> </td> <td> <p> RIS messaging app phishing PSA updated </p> </td> <td> <p> CISA/FBI </p> </td> <td> <p> APT29/SVR + GRU targeting government officials' Signal/WhatsApp/Telegram </p> </td> </tr> <tr> <td> <p> 27 Jun 2026 </p> </td> <td> <p> DragonForce targeting update — gov/public services added </p> </td> <td> <p> ThreatStream Next-Gen </p> </td> <td> <p> Explicit government targeting by active ransomware operator </p> </td> </tr> <tr> <td> <p> 29 Jun 2026 </p> </td> <td> <p> CVE-2025-53786 Exchange hybrid escalation disclosed </p> </td> <td> <p> Microsoft/CISA </p> </td> <td> <p> Silent privilege escalation from on-prem to M365 — no audit trail </p> </td> </tr> <tr> <td> <p> 29 Jun 2026 </p> </td> <td> <p> Cephalus ransomware SentinelOne sideloading 
documented </p> </td> <td> <p> Industry reporting </p> </td> <td> <p> EDR vendor binary weaponization — new evasion class </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. Exchange Hybrid: The Silent Takeover (CVE-2025-53786) </strong>
</h3>
<p> <strong> This is the most consequential finding of this cycle for state government. </strong>
</p>
<p> Microsoft disclosed a privilege escalation vulnerability in Exchange Server hybrid deployments (Exchange 2016, 2019, and Subscription Edition). An attacker with on-premises Exchange admin access can forge service-to-service (S2S) tokens to escalate privileges into Exchange Online — <strong> without generating any M365 audit log entries </strong> .
</p>
<p> The implications are severe:
</p>
<ul> <li> <strong> Attack path: </strong> Compromise on-prem Exchange → forge delegation token → access any mailbox in Exchange Online → read executive/legal/CISO email → no detection </li> <li> <strong> Audit blindness: </strong> The escalation bypasses M365's audit logging entirely. Your cloud SIEM sees nothing. </li> <li> <strong> State government exposure: </strong> Hybrid Exchange with Entra Connect is the standard architecture for state agencies migrating to M365. The shared service principal between on-prem and cloud is the vulnerability. </li>
</ul>
<p> Microsoft tagged this "Exploitation More Likely." Combined with the Black Hat research demonstrating Entra Connect certificate theft for token forging, state hybrid identity infrastructure is under multi-vector pressure.
</p>
<p> <strong> Associated ATT&CK Techniques: </strong> T1078.004 (Valid Accounts: Cloud), T1550.001 (Application Access Token), T1114.002 (Remote Email Collection), T1070 (Indicator Removal)
</p>
<h3> <strong> 2. Russian Intelligence Services — Messaging App Credential Harvesting </strong>
</h3>
<p> CISA and FBI updated their joint advisory confirming that Russian Intelligence Services — specifically APT29/SVR and GRU-linked units — continue active phishing campaigns targeting Signal, WhatsApp, and Telegram users. The primary targets are government officials and political figures.
</p>
<p> For state government, this means:
</p>
<ul> <li> Any official using commercial messaging apps for work-related communication is a target </li> <li> The attack uses spearphishing links (T1566.002) to steal web session cookies (T1539) </li> <li> Once compromised, attackers can modify authentication processes for persistent access (T1556) </li>
</ul>
<p> This campaign has been tracked for over 120 days with consistent activity. The threat is not theoretical — it is ongoing and confirmed by the nation's top law enforcement and intelligence agencies.
</p>
<h3> <strong> 3. Cephalus Ransomware — When Your EDR Becomes the Weapon </strong>
</h3>
<p> A new ransomware group called <strong> Cephalus </strong> (emerged June 2025) has introduced a technique that should concern every CISO: abusing the legitimate SentinelOne executable SentinelBrowserNativeHost.exe for DLL sideloading to deploy ransomware.
</p>
<p> <strong> How it works: </strong>
</p>
<ol> <li> Initial access via RDP with compromised credentials (no MFA) </li> <li> Drop malicious SentinelAgentCore.dll alongside the legitimate SentinelBrowserNativeHost.exe </li> <li> The trusted executable loads the malicious DLL — bypassing allowlisting and potentially EDR self-protection </li> <li> Payload (data.bin) executes: disables Windows Defender, deletes shadow copies, encrypts files </li> <li> Exfiltration to MEGA cloud storage before encryption (double extortion) </li>
</ol>
<p> <strong> Why this matters for state agencies: </strong>
</p>
<ul> <li> If your state uses SentinelOne, the legitimate executable is already present and trusted on every endpoint </li> <li> Application allowlisting policies would permit its execution </li> <li> This represents a broader trend: both Cephalus and the previously tracked "Gentlemen" group are weaponizing EDR binaries rather than simply disabling them </li>
</ul>
<p> Named victims so far include U.S. law firms and architecture firms — sectors with similar IT maturity and budget constraints to state government.
</p>
<h3> <strong> 4. ICS/OT: The Expanding Perimeter </strong>
</h3>
<p> Seven ICS and medical device advisories in a single day reflect the reality that "critical infrastructure" for state government now extends far beyond traditional SCADA systems:
</p>
<table> <thead> <tr> <th> <p> <strong> System </strong> </p> </th> <th> <p> <strong> Relevance to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Schneider Electric PowerLogic P7 </strong> </p> </td> <td> <p> Power grid protection/control — state-regulated utilities </p> </td> </tr> <tr> <td> <p> <strong> Daktronics Controller Firmware </strong> </p> </td> <td> <p> Highway message signs, building displays, public venues — unauthenticated root access </p> </td> </tr> <tr> <td> <p> <strong> EVoke Charging Station Management </strong> </p> </td> <td> <p> State fleet electrification programs — unauthorized admin control </p> </td> </tr> <tr> <td> <p> <strong> H.VIEW HV-500S6 IP Camera </strong> </p> </td> <td> <p> Physical security systems in state buildings — arbitrary code execution </p> </td> </tr> <tr> <td> <p> <strong> Delta Electronics DTM Soft </strong> </p> </td> <td> <p> Industrial automation in state-managed facilities </p> </td> </tr> <tr> <td> <p> <strong> OHIF/pydicom Medical Imaging </strong> </p> </td> <td> <p> State health agency DICOM systems — patient data exposure </p> </td> </tr> </tbody>
</table>
<p> The Daktronics vulnerability is particularly noteworthy: unauthenticated root-level access to controllers that manage highway signs and public displays across state infrastructure.
</p>
<h3> <strong> 5. Nation-State Convergence: China, Russia, Iran </strong>
</h3>
<p> Three nation-state adversaries maintained active operations against U.S. government targets this cycle:
</p>
<ul> <li> <strong> China (Salt Typhoon, Genesis Panda, Glacial Panda): </strong> Continued exploitation of cloud and telecom infrastructure; SharePoint CVE-2025-53770 campaigns explicitly targeting government; TWOPIPE campaign active </li> <li> <strong> Russia (APT29/SVR, GRU): </strong> Messaging app credential harvesting against government officials; ANGRYSIGN/BEACON campaign infrastructure active </li> <li> <strong> Iran (VOID MANTICORE/IRGC): </strong> Confirmed breach of California water utility (12 Jun) — validates capability against U.S. critical infrastructure </li>
</ul>
<p> <strong> Volt Typhoon absence noted: </strong> No new indicators this cycle, but this does not indicate reduced threat. CISA warnings about pre-positioning in U.S. critical infrastructure remain active. Absence of detection ≠ absence of activity.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> CVE-2025-53786 PoC code published; exploitation attempts against state Exchange servers increase </p> </td> <td> <p> <strong> 75% </strong> </p> </td> <td> <p> 72 hours </p> </td> <td> <p> <strong> Microsoft tagged "Exploitation More Likely"; security researcher interest is high </strong> </p> </td> </tr> <tr> <td> <p> Ransomware incident targeting state/local government (fiscal year-end exploitation) </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 48–72 hours </p> </td> <td> <p> DragonForce, Akira, AiLock all actively targeting government; fiscal year-end (30 Jun) creates IT staff distraction </p> </td> </tr> <tr> <td> <p> Cephalus ransomware expands targeting to government sector </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> RDP + no-MFA attack pattern aligns with common state agency exposure; group is in growth phase </p> </td> </tr> <tr> <td> <p> Additional Exchange hybrid exploitation details emerge from APT groups (Silk Typhoon/Hafnium historical precedent) </p> </td> <td> <p> <strong> 60% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> <strong> Hafnium previously exploited Exchange vulnerabilities at scale; hybrid escalation is high-value for espionage </strong> </p> </td> </tr> <tr> <td> <p> Chinese actors leverage CVE-2025-53786 for government email collection </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Consistent with Salt Typhoon and Silk Typhoon operational patterns targeting government communications </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Priority Detection Rules </strong>
</h3>
<ol> <li> <strong> Exchange Hybrid Token Abuse (CVE-2025-53786) </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attacker with on-prem Exchange admin access is forging S2S tokens to access Exchange Online mailboxes without triggering M365 Unified Audit Log. </li> <li> <strong> What to monitor: </strong> <ul> <li> On-premises Exchange server logs for unusual trustedForDelegation token requests (T1550.001) </li> <li> Entra Connect synchronization server for unauthorized certificate exports or new certificate enrollments </li> <li> Azure AD sign-in logs for service principal authentications from unexpected source IPs </li> <li> Exchange Online mailbox access patterns that do NOT have corresponding Unified Audit Log entries (the absence IS the indicator) </li> </ul> </li> <li> <strong> Detection gap: </strong> M365 audit logs will NOT capture this activity. Detection must occur on-premises or at the Entra Connect layer. </li> <li> <strong> ATT&CK: </strong> T1078.004, T1550.001, T1114.002, T1070 </li>
</ul>
<ol start="2"> <li> <strong> Cephalus Ransomware — SentinelOne Sideloading </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attacker accessed environment via RDP, dropped malicious DLL alongside legitimate SentinelOne binary, and is preparing for encryption. </li> <li> <strong> What to monitor: </strong> <ul> <li> SentinelBrowserNativeHost.exe spawning cmd.exe or powershell.exe child processes (T1574.002) </li> <li> Commands: vssadmin delete shadows, wmic shadowcopy delete, Add-MpPreference -ExclusionPath (T1490, T1562.001) </li> <li> SentinelAgentCore.dll loaded from non-standard paths (not the legitimate SentinelOne installation directory) </li> <li> MEGA upload traffic from endpoints (T1567.002) — monitor for mega.nz or MEGA client connections </li> <li> RDP authentication from external IPs without MFA challenge (T1021.001) </li> </ul> </li> <li> <strong> ATT&CK: </strong> T1021.001, T1574.002, T1562.001, T1490, T1486, T1567.002 </li>
</ul>
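<p> The Cephalus detection rule above, turned into runnable hunt logic as an added example (not code from the briefing or from SentinelOne): it checks constructed, simplified Sysmon-like process-creation and image-load records for the trusted host spawning a shell, for the listed shadow-copy and Defender-exclusion commands, and for SentinelAgentCore.dll or the host binary itself outside the install directory. The install path, the event field names and the sample records are assumptions made for this example. </p>

```python
"""Detector for the Cephalus-style SentinelOne sideloading chain.

Added example, not code from the briefing or from SentinelOne. Input events
are constructed, simplified Sysmon-like dicts (event_id 1 = process create,
event_id 7 = image load); the field names are assumptions, not Sysmon's schema.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumed legitimate install root; adjust to the agent's real directory.
LEGIT_S1_DIR = r"C:\Program Files\SentinelOne"
TRUSTED_HOST = "sentinelbrowsernativehost.exe"
SIDELOAD_DLL = "sentinelagentcore.dll"
SHELLS = {"cmd.exe", "powershell.exe"}
# Command fragments from the briefing's detection rule, mapped to ATT&CK.
DESTRUCTIVE_FRAGMENTS = {
    "vssadmin delete shadows": "T1490",
    "wmic shadowcopy delete": "T1490",
    "add-mppreference -exclusionpath": "T1562.001",
}


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_legit_dir(path: str) -> bool:
    # normpath collapses "..", so a path that traverses out of the install
    # directory is not mistaken for a legitimate one.
    prefix = ntpath.normpath(LEGIT_S1_DIR).lower() + "\\"
    return ntpath.normpath(path).lower().startswith(prefix)


def _norm_cmd(cmd: str) -> str:
    # Strip quoting and collapse whitespace so fragment matching is robust.
    return " ".join(cmd.replace('"', " ").split()).lower()


def check_event(ev: dict) -> list[Finding]:
    """Return every finding raised by a single event (possibly none)."""
    findings: list[Finding] = []
    host = ev["host"]
    image = ev["image"]

    if ev["event_id"] == 7:  # image load: the sideloaded DLL itself
        loaded = ev["image_loaded"]
        if _base(loaded) == SIDELOAD_DLL and not _in_legit_dir(loaded):
            findings.append(Finding("T1574.002", host,
                f"{_base(image)} loaded {loaded} outside the SentinelOne directory"))
        return findings

    if ev["event_id"] == 1:  # process create
        child = _base(image)
        parent = _base(ev.get("parent_image", ""))
        cmd = _norm_cmd(ev.get("command_line", ""))
        if child == TRUSTED_HOST and not _in_legit_dir(image):
            findings.append(Finding("T1574.002", host,
                f"{TRUSTED_HOST} executed from non-standard path {image}"))
        if parent == TRUSTED_HOST and child in SHELLS:
            findings.append(Finding("T1574.002", host,
                f"{TRUSTED_HOST} spawned {child}"))
        for frag, technique in DESTRUCTIVE_FRAGMENTS.items():
            if frag in cmd:
                findings.append(Finding(technique, host, f"{child} ran: {frag}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: one benign event, then the sideload chain.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelBrowserNativeHost.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "SentinelBrowserNativeHost.exe"},
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Users\Public\Tools\SentinelBrowserNativeHost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "SentinelBrowserNativeHost.exe"},
    {"event_id": 7, "host": "ws01",
     "image": r"C:\Users\Public\Tools\SentinelBrowserNativeHost.exe",
     "image_loaded": r"C:\Users\Public\Tools\SentinelAgentCore.dll"},
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\Tools\SentinelBrowserNativeHost.exe",
     "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\Public\Tools\SentinelBrowserNativeHost.exe",
     "command_line": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host}: {f.detail}")
```

<p> The benign first record produces nothing; the remaining four records produce six findings, and the path check also rejects a <code> .. </code> traversal that starts under the install directory. </p>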
<ol start="3"> <li> <strong> Russian Messaging App Credential Theft </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Government officials received spearphishing links targeting Signal/WhatsApp/Telegram web sessions. </li> <li> <strong> What to monitor: </strong> <ul> <li> Email gateway logs for links to domains mimicking Signal/WhatsApp/Telegram login pages (T1566.002) </li> <li> DNS queries for typosquatted messaging app domains </li> <li> Unusual browser session cookie exports or web session token reuse from new devices (T1539) </li> <li> Officials reporting "re-authentication" prompts on messaging apps they didn't initiate </li> </ul> </li> <li> <strong> ATT&CK: </strong> T1566.002, T1539, T1556, T1071.001 </li>
</ul>
<ol start="4"> <li> <strong> AD/Entra ID Hybrid Soft-Matching Attack </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attacker is exploiting Entra Connect certificate trust to forge tokens and escalate cloud-only accounts to hybrid with elevated privileges. </li> <li> <strong> What to monitor: </strong> <ul> <li> Entra Connect audit logs for new synchronization rule creation </li> <li> Certificate store changes on the Entra Connect server (new certs, private key exports) </li> <li> Cloud-only accounts suddenly appearing as "hybrid" (directory sync enabled) without change management ticket </li> <li> Directory.ReadWrite.All permission grants to unexpected applications </li> </ul> </li> <li> <strong> ATT&CK: </strong> T1078.004, T1556, T1550.001 </li>
</ul>
<h3> <strong> Hunting Priorities This Week </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Hunt </strong> </p> </th> <th> <p> <strong> Data Source </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> Exchange S2S token issuance anomalies </p> </td> <td> <p> On-prem Exchange logs, Entra ID sign-in logs </p> </td> <td> <p> Last 30 days </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SentinelOne binary execution from non-standard paths </p> </td> <td> <p> EDR telemetry, Sysmon Event ID 7 (DLL load) </p> </td> <td> <p> Last 14 days </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> RDP access without MFA from external IPs </p> </td> <td> <p> VPN/firewall logs, Azure AD Conditional Access logs </p> </td> <td> <p> Last 7 days </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> MEGA cloud storage connections from endpoints </p> </td> <td> <p> Proxy/firewall logs, DNS logs </p> </td> <td> <p> Last 14 days </p> </td> </tr> <tr> <td> <p> 5 </p> </td> <td> <p> Entra Connect certificate store modifications </p> </td> <td> <p> Windows Security Event Log (4662, 4663), Entra Connect audit </p> </td> <td> <p> Last 30 days </p> </td> </tr> </tbody>
</table>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Comptroller) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Exchange hybrid escalation (CVE-2025-53786) enabling silent access to financial communications and wire transfer approvals </li> <li> <strong> Secondary threat: </strong> TA444/Bluenoroff (DPRK) targeting financial systems — active IOC infrastructure detected this cycle </li> <li> <strong> Action: </strong> Audit Exchange Online mailbox delegation rules for treasury/comptroller accounts; verify no unauthorized forwarding rules exist; implement Privileged Access Workstations for financial transaction approval </li>
</ul>
<h3> <strong> Energy (Public Utility Commissions, State Energy Offices) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Schneider Electric PowerLogic P7 vulnerability in state-regulated power infrastructure; Volt Typhoon pre-positioning (absence noted but threat persists) </li> <li> <strong> Secondary threat: </strong> VOID MANTICORE (Iran) demonstrated capability against U.S. water utilities — energy sector shares similar ICS/SCADA exposure </li> <li> <strong> Action: </strong> Inventory PowerLogic P7 devices in regulated utilities; verify network segmentation between IT and OT; confirm CISA Shields Up posture for all energy-sector oversight systems; apply patches per ICSA-26-176-07 </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> OHIF/pydicom DICOM viewer vulnerabilities (ICSMA-26-176-01, -02) enabling patient data exposure in state health imaging systems </li> <li> <strong> Secondary threat: </strong> Ransomware groups (DragonForce, Akira) targeting healthcare for double extortion leverage </li> <li> <strong> Action: </strong> Inventory DICOM/medical imaging systems; verify segmentation from administrative networks; confirm backup integrity for Medicaid claims processing systems; validate that medical device firmware is current </li>
</ul>
<h3> <strong> Government (All Executive Branch Agencies) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Exchange hybrid silent escalation (CVE-2025-53786) — near-certain exposure given standard state architecture </li> <li> <strong> Secondary threat: </strong> Russian messaging credential harvesting targeting officials; Cephalus ransomware via RDP </li> <li> <strong> Action: </strong> Emergency Exchange hybrid patching; mandatory MFA audit for all remote access (especially RDP); brief senior officials on messaging app phishing threat; verify that the helpdesk cannot be socially engineered into resetting MFA (CHATTY SPIDER/Luna Moth TTP — quiet but not gone) </li>
</ul>
<h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Fleet Management) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Daktronics controller firmware vulnerability — unauthenticated root access to highway message signs and transportation displays </li> <li> <strong> Secondary threat: </strong> EVoke charging station management vulnerability — unauthorized admin control of state EV fleet charging infrastructure </li> <li> <strong> Action: </strong> Inventory all Daktronics controllers on state highways and in transportation facilities; apply firmware updates per ICSA-26-176-04; segment EV charging management systems from enterprise network; verify that transportation SCADA systems are not accessible from compromised IT networks </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops / Exchange Admins </p> </td> <td> <p> <strong> Verify Exchange hybrid deployment patch status. </strong> Confirm whether Entra Connect service principal has been updated per Microsoft's hotfix for CVE-2025-53786. If unpatched, initiate emergency change window. This is the highest-priority action this cycle. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy detection for SentinelOne binary abuse. </strong> Create alert for SentinelBrowserNativeHost.exe spawning cmd.exe or powershell.exe executing vssadmin, wmic shadowcopy, or Add-MpPreference commands. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Ops / Identity Team </p> </td> <td> <p> <strong> Audit Entra Connect synchronization server. </strong> Verify certificate store integrity, check for unauthorized private key exports, enable hardware-backed key storage if not configured. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Confirm EDR vendor across all agencies. </strong> If SentinelOne is deployed, initiate vendor engagement regarding Cephalus mitigation guidance and binary integrity monitoring. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement monitoring for Exchange S2S token issuance from on-premises servers to Exchange Online. Deploy custom detection for trustedForDelegation claims in token requests. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Review ALL RDP-exposed services across state agencies. Confirm MFA enforcement on every remote access path. Disable RDP where not business-critical. </strong> </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> OT/Facilities </p> </td> <td> <p> Inventory Schneider Electric PowerLogic P7 devices in state-regulated power infrastructure and Daktronics controllers in state buildings/highway signage. Apply vendor patches per ICSA-26-176-07 and ICSA-26-176-04. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> Communications / HR </p> </td> <td> <p> Brief senior officials and executive staff on Russian messaging app phishing campaign. Provide specific guidance: do not click re-authentication links in Signal/WhatsApp/Telegram; report to SOC immediately. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Inventory and segment EVoke (or equivalent) EV charging station management systems from enterprise IT networks. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 10 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission strategic assessment of Exchange hybrid architecture. Evaluate feasibility of application splitting and migration timeline to Exchange Online-only or Exchange Subscription Edition to eliminate the hybrid attack surface. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> Initiate Q3 strategic review of hybrid identity architecture viability. Three independent attack vectors targeting AD/Entra ID hybrid this cycle signal a structural, not tactical, problem. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CISO / CIO </p> </td> <td> <p> Evaluate defense-in-depth posture assuming EDR bypass. If ransomware operators can weaponize EDR binaries, what compensating controls exist? (Network segmentation, immutable backups, application control beyond allowlisting) </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> IT Ops / Facilities </p> </td> <td> <p> Assess network segmentation for all ICS/OT systems including non-traditional assets: EV charging, digital signage, IP cameras, medical imaging. </p> </td> </tr> </tbody>
</table>
<h3> <strong> Executive / IR Preparedness </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Validate incident response playbook for "silent cloud compromise" scenario — attacker in M365 with no audit trail </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> 7 days </p> </td> </tr> <tr> <td> <p> Confirm ransomware response readiness for fiscal year-end weekend (30 Jun) — verify backup integrity, IR retainer availability, communication plan </p> </td> <td> <p> CISO / CIO </p> </td> <td> <p> Immediate </p> </td> </tr> <tr> <td> <p> Brief Governor's office / agency heads on Russian messaging threat — non-technical, actionable guidance </p> </td> <td> <p> CISO / Communications </p> </td> <td> <p> 7 days </p> </td> </tr> <tr> <td> <p> Tabletop exercise: Exchange hybrid compromise → cloud tenant takeover → data exfiltration with no cloud logs </p> </td> <td> <p> CISO / IR Team </p> </td> <td> <p> 30 days </p> </td> </tr> </tbody>
</table>
<h2> <strong> IOC Blocking Guidance </strong>
</h2>
<p> The following indicators were collected from active campaigns relevant to state government infrastructure. Validate against your environment before blocking.
</p>
eec62239300741bc71e5ed083386e6c5e44a31e90064d63664bd95b656a10aa3 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 25f90700d8c663550f5b2c8488c131ccf97c0ee972db0f6fb87ca8cceacd7ee9 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 1ae2a81d2761c6aece751a238daf81f29bf28ac5537ab2b987e58fd65b2c9bd9 </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 42a840a79b9d722fed5fb589f035b5206542b1308b2836195b678310d276ad2f </p> </td> <td> <p> Malware sample </p> </td> </tr> <tr> <td> <p> 5b2b90f47686b8fc13a322371349d8d71d16698e6e11672b9f218b777f13eb98 </p> </td> <td> <p> Malware sample </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds.
</p>
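<p> One way to put the indicators above to defensive use, as an added example that is not part of the Anomali briefing: a short Python script that refangs the defanged values, builds separate IP and domain watchlists, and checks log lines against them. Domains match exactly or as a parent of the queried name, so a look-alike registration such as notnynovation.com is not flagged, and a query for the bare dynamic-DNS provider (viewdns.net) does not match the specific host listed. The DNS/proxy log format, the client addresses and the timestamps are constructed for illustration; the indicators are a subset of the tables above. </p>

```python
import ipaddress
from dataclasses import dataclass

# Defanged indicators copied from the briefing's tables (the page's own values).
DEFANGED_IOCS = {
    "45.63.85[.]74": "APT infrastructure",
    "69.61.36[.]170": "APT infrastructure",
    "docs.nynovation[.]com": "C2/staging infrastructure",
    "s3wct4p1.viewdns[.]net": "Dynamic DNS - C2",
    "globiscapital[.]co": "Spoofed financial domain (TA444/Bluenoroff)",
}

# Constructed sample log: "<timestamp> <source> <client> <action> <target>".
# The format and the addresses are made up for this example.
SAMPLE_LOG = """\
2026-06-29T08:01:12Z dns 10.20.4.17 query docs.nynovation.com
2026-06-29T08:01:13Z proxy 10.20.4.17 connect 45.63.85.74:443
2026-06-29T08:02:40Z dns 10.20.9.3 query portal.agency.example
2026-06-29T08:03:05Z dns 10.20.9.3 query cdn.s3wct4p1.viewdns.net
2026-06-29T08:04:00Z proxy 10.20.7.88 connect 203.0.113.10:443
2026-06-29T08:05:22Z dns 10.20.7.88 query notnynovation.com
2026-06-29T08:06:00Z dns 10.20.7.88 query viewdns.net
"""


@dataclass
class Hit:
    timestamp: str
    source: str
    client: str
    observed: str
    indicator: str
    context: str


def refang(indicator: str) -> str:
    """Undo common defanging conventions so values can be compared to real logs."""
    value = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        value = value.replace(token, ".")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_watchlist(defanged: dict) -> tuple[dict, dict]:
    """Split refanged indicators into an IP map and a domain map (value -> context)."""
    ips, domains = {}, {}
    for raw, context in defanged.items():
        value = refang(raw)
        if is_ip(value):
            ips[value] = context
        else:
            domains[value] = context
    return ips, domains


def domain_matches(qname: str, domains: dict):
    """Return the matching indicator if qname equals it or is a subdomain of it.

    Matching is label-aligned: 'notnynovation.com' never matches 'nynovation.com',
    and 'viewdns.net' does not match the more specific 's3wct4p1.viewdns.net'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(text: str, ips: dict, domains: dict) -> list:
    """Match DNS queries against domain indicators and proxy connects against IPs."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than failing the whole scan
        ts, source, client, _action, target = parts
        if source == "dns":
            indicator = domain_matches(target, domains)
            if indicator:
                hits.append(Hit(ts, source, client, target, indicator, domains[indicator]))
        elif source == "proxy":
            host = target.rsplit(":", 1)[0]  # strip the port
            if host in ips:
                hits.append(Hit(ts, source, client, host, host, ips[host]))
    return hits


if __name__ == "__main__":
    ip_list, domain_list = build_watchlist(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_LOG, ip_list, domain_list):
        print(f"{hit.timestamp} {hit.client} -> {hit.observed} "
              f"matches {hit.indicator} ({hit.context})")
```

<p> Run against the constructed log, the script reports three hits (the C2 domain query, the connect to the APT address, and a subdomain of the dynamic-DNS host) and ignores the look-alike and parent-domain queries. The same watchlist can be fed from the full ThreatStream export instead of the inline dictionary. </p>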
<h2> <strong> Closing </strong>
</h2>
<p> Tomorrow is June 30 — fiscal year-end. Historically, ransomware operators exploit periods when IT teams are distracted by administrative deadlines. DragonForce, Akira, and AiLock have all confirmed government as a target vertical. Cephalus has demonstrated the ability to bypass EDR. The Exchange hybrid vulnerability means a single compromised on-premises server could give an attacker silent, undetectable access to your entire M365 environment.
</p>
<p> The convergence is real: nation-states are in your messaging apps, ransomware operators are weaponizing your security tools, and your hybrid identity architecture has become the primary attack surface — not the perimeter.
</p>
<p> <strong> Three decisions needed today: </strong>
</p>
<ol> <li> <strong> Patch Exchange hybrid infrastructure (CVE-2025-53786). </strong> If you cannot patch within 24 hours, implement compensating controls on the Entra Connect server and begin monitoring for S2S token anomalies. </li> <li> <strong> Confirm your EDR posture. </strong> If you run SentinelOne, engage your vendor on Cephalus mitigation immediately. Regardless of vendor, assume EDR can be bypassed and validate your defense-in-depth. </li> <li> <strong> Ensure ransomware readiness for the fiscal year-end weekend. </strong> Verify backup integrity, confirm IR retainer availability, and ensure your communication plan doesn't depend on systems that could be encrypted. </li>
</ol>
<p> The threat actors are not taking the holiday weekend off. Neither should your defenses.
</p>
<p> <em> Published 29 June 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional context, contact your Anomali intelligence team. </em>
</p>
<p> <em> IOC feeds updated in Anomali ThreatStream Next-Gen — automated blocking available for integrated customers. </em>
</p>