Anomali Threat Horizon — States/Public Sector
Daily Brief · States / Public Sector
Mon 26 May 2026 · Threat level: ELEVATED
TLP:GREEN · States / Public Sector

Active Exploitation of State Government Systems: Drupal Under Attack, M365 Credentials at Risk, and VPN Infrastructure Compromised

ELEVATED — unchanged from prior cycle, trending toward HIGH. Three actively exploited vectors demand immediate action: CVE-2026-9082 in Drupal (CVSS 9.8, CISA BOD deadline May 27 — tomorrow), Kali365 MFA bypass via OAuth device code confirmed by FBI PSA, and SonicWall Gen6 EOL appliances enabling domain compromise in under 40 minutes.

Date | Development | Impact to State Government
Apr 16 | SonicWall Gen6 SSL-VPN reaches end-of-life | CVE-2024-12802 unmitigated; no further patches
May 20 | Drupal emergency patch — CVE-2026-9082 (CVSS 9.8) | SQL injection; 15,000+ attacks in 48 hrs, 6,000 sites, 65 countries
May 21 | CISA publishes 5 ICS advisories (ABB, Hitachi, Siemens) | Water/wastewater SCADA and building automation affected
May 22 | CISA adds CVE-2026-9082 to KEV catalog | Federal deadline May 27 — tomorrow
May 22–25 | TrapDoor: 34+ packages, 380+ versions on npm/PyPI/Crates.io | AI coding tool configs (.cursorrules, CLAUDE.md) poisoned
May 25 | FBI PSA: Kali365 phishing-as-a-service confirmed | Device code auth bypasses MFA on M365 / GCC tenants
May 25 | Check Point: Nimbus Manticore (IRGC) analysis published | AI-assisted malware; SEO poisoning via fake software sites
May 26 | Microsoft dismantles Fox Tempest code-signing operation | Temporary disruption to Rhysida / Lumma Stealer delivery

Unauthenticated SQL injection in Drupal Core on PostgreSQL backends. Within 48 hours of the May 20 patch: 15,000+ exploitation attempts across 6,000 sites in 65 countries. State agencies operating citizen portals on Drupal/PostgreSQL face unauthenticated access to citizen PII. CISA BOD 22-01 deadline: May 27 — tomorrow.

ATT&CK: T1190, T1078

FBI May 25 PSA confirms Kali365 exploits OAuth device code authentication — completely bypassing MFA. Attacker captures the OAuth token after MFA completes — full mailbox, SharePoint access, persistent app registration, no failure alert. Targets include GCC tenants. $200/month on Telegram. Device code auth is enabled by default in Entra ID.

ATT&CK: T1566.002, T1528, T1539, T1078.004

CVE-2024-12802 bypasses MFA on Gen6 SSL-VPN. Active exploitation Feb–Mar 2026; full domain compromise within 40 minutes. Firmware patch alone insufficient — six manual LDAP steps required. Gen6 reached EOL April 16. No further patches ever.

ATT&CK: T1133, T1556.006, T1078

IRGC-affiliated Nimbus Manticore (UNC1549). Three waves Feb–Apr 2026. Wave 3: SEO poisoning via getsqldeveloper[.]com delivering MiniFast RAT — any employee searching for SQL Developer may be targeted. Email security irrelevant; proxy/DNS-layer detection required.

ATT&CK: T1608.006, T1574.014, T1059.001, T1071.001

34+ malicious packages across 380+ versions on npm, PyPI, Crates.io. Poisons AI coding assistant configs (.cursorrules, CLAUDE.md) to exfiltrate secrets. Persistence via git hooks, systemd, cron, SSH key injection. Azure Government / AWS GovCloud credentials at risk.

ATT&CK: T1195.001, T1552.001, T1098.004, T1053.003
Priority | What to Monitor | ATT&CK
P1 | Alert on authenticationProtocol=="deviceCode" in Entra sign-in logs for non-approved devices | T1528
P1 | WAF rules for UNION-based and blind SQLi against Drupal endpoints; unexpected PostgreSQL queries | T1190
P1 | Gen6 VPN auth followed by rapid lateral movement (<60 min to DC) | T1133
P2 | Unexpected web.config/.config modifications loading unsigned assemblies | T1574.014
P2 | Block and alert on any resolution of getsqldeveloper[.]com | T1608.006
P2 | Scan repos for .cursorrules and CLAUDE.md outside known AI configs; npm/pip logs May 22–25 | T1195.001
IOC Blocking — DNS / Web Proxy:
  • getsqldeveloper[.]com
  • calendly[.]live
  • picktime[.]live
  • aes-secure[.]net
  • azureglobalaccelerator[.]com

+ 14 SHA-256, 2 MD5 (VICE SPIDER BubbleLoader/SocksShell), 1 SHA-1 — full list via Anomali ThreatStream

Hunting Hypotheses:
HUNT 01 · T1528
Has device code phishing already succeeded?
Query Entra ID 30 days for authenticationProtocol=="deviceCode". Any successful auth from non-approved device = potential compromise.
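A retroactive version of HUNT 01 that runs over exported Entra sign-in records, added here as an example and not part of the Anomali brief. It assumes records in the Microsoft Graph signIn field layout (authenticationProtocol, deviceDetail.deviceId, status.errorCode), a constructed sample set, and an agency-maintained APPROVED_DEVICE_IDS allowlist.

```python
"""HUNT 01 / T1528: retroactive hunt for OAuth device code sign-ins.
Added example, not from the Anomali brief. Field names follow the Microsoft
Graph signIn schema; every record below is constructed, not real data."""
from datetime import datetime, timedelta, timezone

BRIEF_DATE = datetime(2026, 5, 26, tzinfo=timezone.utc)
# Assumption: IT keeps an allowlist of devices approved for device code flow.
APPROVED_DEVICE_IDS = {"conf-room-ipad-01"}

# Constructed Entra sign-in records (values invented for illustration).
SAMPLE_SIGNINS = [
{"createdDateTime":"2026-05-24T13:02:11Z","userPrincipalName":"j.doe@agency.example.gov",
 "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.7",
 "deviceDetail":{"deviceId":""},"status":{"errorCode":0}},
{"createdDateTime":"2026-05-23T09:15:40Z","userPrincipalName":"av-room@agency.example.gov",
 "authenticationProtocol":"deviceCode","ipAddress":"198.51.100.2",
 "deviceDetail":{"deviceId":"conf-room-ipad-01"},"status":{"errorCode":0}},
{"createdDateTime":"2026-05-22T17:44:03Z","userPrincipalName":"a.lee@agency.example.gov",
 "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.9",
 "deviceDetail":{"deviceId":""},"status":{"errorCode":50126}},
{"createdDateTime":"2026-05-25T08:00:00Z","userPrincipalName":"j.doe@agency.example.gov",
 "authenticationProtocol":"authorizationCode","ipAddress":"198.51.100.5",
 "deviceDetail":{"deviceId":"laptop-4411"},"status":{"errorCode":0}},
{"createdDateTime":"2026-04-01T12:00:00Z","userPrincipalName":"old@agency.example.gov",
 "authenticationProtocol":"deviceCode","ipAddress":"203.0.113.1",
 "deviceDetail":{"deviceId":""},"status":{"errorCode":0}},
]

def hunt_device_code(signins, approved_ids=APPROVED_DEVICE_IDS,
                     window_days=30, now=None):
    """Return successful deviceCode sign-ins from non-approved (or
    unregistered) devices inside the lookback window, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=window_days)
    hits = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed prompts are noise for a compromise hunt
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        dev = rec.get("deviceDetail", {}).get("deviceId") or "<unregistered>"
        if dev in approved_ids:
            continue
        hits.append({"when": ts.isoformat(), "user": rec["userPrincipalName"],
                     "ip": rec.get("ipAddress"), "device": dev})
    return sorted(hits, key=lambda h: h["when"])
```

Every hit is a token that completed MFA on the user's behalf, so the response is revocation of that user's refresh tokens and a review of app registrations, not just a password reset.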
HUNT 02 · T1190
Are Drupal instances already compromised?
POST requests with SQL metacharacters to Drupal form endpoints. New DB users or unexpected privilege escalation in PostgreSQL audit logs.
HUNT 03 · T1195.001
Did any developer install a TrapDoor package?
Search package-lock.json, Pipfile.lock, Cargo.lock for packages updated May 22–25. Look for trap-core.js, unexpected .cursorrules or CLAUDE.md.
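A file-integrity sweep for the config files HUNT 03 names, added as an example and not code from the brief. It builds a constructed repo tree in a temp directory; the allowlist of approved config hashes, the node_modules layout and the sample file contents are assumptions.

```python
"""HUNT 03 / T1195.001: integrity sweep for AI coding-assistant configs.
Added example, not from the Anomali brief. It flags .cursorrules and
CLAUDE.md files whose SHA-256 is not on a known-good allowlist, plus the
trap-core.js filename the brief's hunt text names. Demo tree is constructed."""
import hashlib, os, shutil, tempfile
from pathlib import Path

WATCHED_CONFIGS = {".cursorrules", "CLAUDE.md"}   # AI tool configs from the brief
KNOWN_BAD_NAMES = {"trap-core.js"}                 # filename from HUNT 03
SKIP_DIRS = {".git"}    # node_modules is NOT skipped: that is where packages land

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def sweep(root, allowlist):
    """Walk `root` and return sorted (kind, path, sha256) findings: watched
    config files whose digest is not in `allowlist`, and known-bad filenames."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if name in KNOWN_BAD_NAMES:
                findings.append(("known-bad-file", str(p), sha256_of(p)))
            elif name in WATCHED_CONFIGS:
                digest = sha256_of(p)
                if digest not in allowlist:
                    findings.append(("unapproved-config", str(p), digest))
    return sorted(findings)

def demo():
    """Build a constructed repo tree in a temp dir, sweep it, and return
    (kind, relative path) pairs. The allowlist holds only the team's CLAUDE.md."""
    root = Path(tempfile.mkdtemp())
    try:
        approved = "# team conventions (constructed sample)\nprefer explicit types\n"
        (root / "CLAUDE.md").write_text(approved)
        pkg = root / "node_modules" / "some-dep"     # assumed dependency name
        pkg.mkdir(parents=True)
        (pkg / ".cursorrules").write_text("# injected instructions (constructed)\n")
        (pkg / "trap-core.js").write_text("// placeholder body (constructed)\n")
        allowlist = {hashlib.sha256(approved.encode()).hexdigest()}
        return [(kind, Path(p).relative_to(root).as_posix())
                for kind, p, _ in sweep(root, allowlist)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run `sweep()` against real checkouts with an allowlist built from the repo's reviewed configs; any hit inside node_modules, site-packages or a Cargo registry cache is a package shipping instructions to the developer's AI assistant, which no dependency needs to do.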
HUNT 04 · T1133
Is a SonicWall Gen6 the entry point?
VPN auth from Gen6 → multiple LDAP queries → service account usage within 60 minutes = active exploitation indicator.
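The VPN login → LDAP enumeration → service-account sequence of HUNT 04 as a correlation rule, added here and not from the brief. It assumes events already normalised to (timestamp, source, event, user, client_ip) tuples, a constructed sample, and tunable LDAP_THRESHOLD / SERVICE_ACCOUNT_PREFIX values.

```python
"""HUNT 04 / T1133: correlate a Gen6 SSL-VPN login with rapid LDAP
enumeration and service-account use from the same VPN client address.
Added example, not from the brief; events and thresholds are constructed."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)      # from the brief: "<60 min to DC"
LDAP_THRESHOLD = 5                  # assumption: tune to the environment
SERVICE_ACCOUNT_PREFIX = "svc-"     # assumption: agency naming convention

# Constructed events: (timestamp, source, event, user, client_ip)
SAMPLE_EVENTS = [
    ("2026-05-25T02:00:00Z", "sonicwall-gen6", "vpn_login", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:03:10Z", "dc01", "ldap_search", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:03:12Z", "dc01", "ldap_search", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:03:15Z", "dc01", "ldap_search", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:03:20Z", "dc01", "ldap_search", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:03:27Z", "dc01", "ldap_search", "m.ortiz", "10.200.1.15"),
    ("2026-05-25T02:31:00Z", "dc01", "logon", "svc-backup", "10.200.1.15"),
    # benign remote worker: a couple of directory lookups, no service account
    ("2026-05-25T09:00:00Z", "sonicwall-gen6", "vpn_login", "k.patel", "10.200.1.40"),
    ("2026-05-25T09:05:00Z", "dc01", "ldap_search", "k.patel", "10.200.1.40"),
    ("2026-05-25T09:06:00Z", "dc01", "ldap_search", "k.patel", "10.200.1.40"),
]

def correlate_gen6(events, window=WINDOW, ldap_threshold=LDAP_THRESHOLD):
    """Return one finding per Gen6 VPN login that is followed, within `window`
    and from the same client IP, by >= ldap_threshold LDAP searches and at
    least one service-account logon."""
    parsed = sorted(((datetime.fromisoformat(t.replace("Z", "+00:00")), src, ev, u, ip)
                     for t, src, ev, u, ip in events), key=lambda e: e[0])
    findings = []
    for i, (t0, src, ev, user, ip) in enumerate(parsed):
        if src != "sonicwall-gen6" or ev != "vpn_login":
            continue
        ldap, svc = 0, set()
        for t, _, ev2, user2, ip2 in parsed[i + 1:]:
            if t - t0 > window:
                break                       # events are time-ordered
            if ip2 != ip:
                continue
            if ev2 == "ldap_search":
                ldap += 1
            elif ev2 == "logon" and user2.startswith(SERVICE_ACCOUNT_PREFIX):
                svc.add(user2)
        if ldap >= ldap_threshold and svc:
            findings.append({"vpn_user": user, "ip": ip, "login": t0.isoformat(),
                             "ldap_searches": ldap, "service_accounts": sorted(svc)})
    return findings
```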
🏦 Financial Services
State Treasury, Revenue, Benefits Systems
Primary threat
CVE-2026-9082 exploitation of Drupal-based tax and benefits portals containing citizen financial data
Secondary threat
Kali365 credential theft targeting finance staff with access to payment systems
Actions
  • Immediately verify Drupal patch status on all revenue-facing applications
  • Implement transaction monitoring for anomalous database queries
  • Enforce Conditional Access restrictions on finance department M365 accounts as priority cohort
Energy
State-Regulated Utilities, Grid Operations
Primary threat
ICS advisories affecting ABB B&R (building automation, substation control) and Siemens RUGGEDCOM (utility network switches)
Secondary threat
Volt Typhoon pre-positioning — absence of new indicators does NOT indicate reduced risk
Actions
  • Conduct asset inventory of ABB and Siemens equipment in state-regulated facilities
  • Verify network segmentation between IT and OT environments
  • Evaluate ICS advisory patches (icsa-26-141-01 through -05) for applicability within 7 days
🏥 Healthcare
State Health Agencies, Medicaid Systems
Primary threat
Ransomware groups (Play, SafePay, LockBit5) actively targeting public services — healthcare data is highest-value extortion target
Secondary threat
Drupal exploitation of health portal systems containing protected health information (PHI)
Actions
  • Validate offline backup integrity for Medicaid and health information exchange systems
  • Ensure ransomware playbook includes HIPAA breach notification timelines
  • Prioritize Drupal patching on any system handling protected health information
🏛️ Government
Executive Branch, Legislature, Courts
Primary threat
Kali365 device code phishing targeting M365 GCC tenants — government email compromise enables espionage and lateral movement
Secondary threat
SonicWall Gen6 exploitation providing initial access to agency networks
Actions
  • Deploy Conditional Access policy blocking device code auth today
  • Inventory all SonicWall Gen6 appliances across agencies and establish emergency migration timeline
  • Brief agency heads on the FBI Kali365 warning with specific guidance on recognising device code phishing attempts
✈️ Aviation / Logistics
State DOT, Airport Authorities, Port Operations
Primary threat
Nimbus Manticore (IRGC) — Operation Epic Fury specifically targeted aviation sector with fake career offers and trojanised tools
Secondary threat
Supply chain compromise via TrapDoor affecting logistics software development
Actions
  • Alert aviation and transportation IT staff to the SEO poisoning vector — block getsqldeveloper[.]com
  • Review any recent hiring-related file attachments for AppDomain hijacking indicators
  • Audit development dependencies in transportation management systems
Immediate Actions
  • Patch all Drupal instances for CVE-2026-9082 before the May 27 CISA BOD deadline. Prioritize PostgreSQL-backed citizen portals. Verify via version check AND SQLi response testing. (Roles: Incident Response)
  • Block device code authentication in Microsoft Entra ID via Conditional Access. Exempt only approved IoT/conference devices. Monitor for DeviceCodeFlow events. (Roles: Identity & Access)
  • Identify all SonicWall Gen6 SSL-VPN appliances. Verify 6 LDAP reconfiguration steps completed. Initiate emergency migration to supported platform. (Roles: Incident Response, CISO / Exec)
  • Block at DNS and web proxy: getsqldeveloper[.]com, calendly[.]live, picktime[.]live, aes-secure[.]net, azureglobalaccelerator[.]com (Roles: SOC Analyst)
7-Day Actions
  • Audit all npm, PyPI, Cargo dependencies for packages updated May 22–25. Search for .cursorrules and CLAUDE.md. Rotate GitHub tokens, cloud keys, SSH keys on any affected machine. (Roles: Threat Hunter)
  • Deploy MiniFast/MiniJunk detection — EDR behavioral rules for AppDomainManager injection, YARA signatures. Hunt PowerShell execution spawned by w3wp.exe. (Roles: SOC Analyst, Threat Hunter)
  • Review ICS asset inventory for ABB B&R, Hitachi Energy GMS600, Siemens RUGGEDCOM per CISA advisories icsa-26-141-01 through -05. (Roles: ICS / OT)
  • Retroactive device code hunt — query 30 days of Entra sign-in logs for device code auth from non-approved devices. (Roles: Threat Hunter, SOC Analyst)
30-Day Actions
  • Develop AI coding assistant security policy — TrapDoor's poisoning of .cursorrules/CLAUDE.md establishes AI tool configs as an attack surface requiring integrity monitoring. (Roles: CISO / Exec)
  • Complete SonicWall Gen6 migration. EOL — no future patches. Budget and procure Gen7/Gen8 or alternative. (Roles: Incident Response, CISO / Exec)
  • Brief agency CIOs on convergence of identity infrastructure attacks. Request emergency budget for VPN migration and enhanced identity monitoring. (Roles: CISO / Exec)
  • Update incident response playbooks for device code phishing (token revocation), supply chain compromise (dependency audit), and Drupal exploitation (PostgreSQL forensics). (Roles: Incident Response)
Bottom Line

The threat this week is defined by one theme: the erosion of trust boundaries. Drupal portals are being probed by automated scanners right now. MFA is bypassed for $200/month on Telegram. VPN appliances are used as entry points for domain compromise. The federal remediation deadline for CVE-2026-9082 is tomorrow, May 27.

→ Confirm Drupal patch status across all agencies before the May 27 deadline.
→ Approve the Conditional Access policy change to block device code authentication.
→ Authorize emergency SonicWall Gen6 migration — these devices cannot be secured.
TLP:GREEN · Threat Horizon by Anomali · Daily Brief · 2026-05-26 · Additional IOCs via Anomali ThreatStream
