30APR

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

3 min read

08:16UTC

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Three state clusters used the same log-destruction and service-account playbook across three firewall vendors in two weeks.

Unit 42, Palo Alto Networks' threat-research arm, confirmed that state-sponsored cluster CL-STA-1132 has exploited CVE-2026-0300 since 16 April, a 20-day window of access before any advisory existed.¹ Post-exploitation tradecraft recorded by Unit 42 includes shellcode injected into the nginx worker process, Active Directory (AD) enumeration via the firewall's own service account, lateral movement using open-source tunnelling tools EarthWorm and ReverseSocks5, and methodical destruction of crash logs, kernel messages and ptrace evidence.² Two devices are confirmed compromised; that figure represents the floor, not the ceiling.

The tradecraft is substantively identical to UAT-4356 running FIRESTARTER on Cisco ASA and Firepower firewalls , and to UNC5221 running BRICKSTORM on VMware appliances , where 393 days of dwell time passed before the cluster was detected. In each case: perimeter device as initial access, the device's own service account for internal enumeration, deliberate log destruction to eliminate forensic visibility. A defender who follows standard guidance (no exposed credentials, segmented zones) still faces a firewall whose logs are gone before the alert fires, with lateral movement arriving from a service account the Security Operations Centre treats as trusted.

The sixteen-agency IOC advisory named the shared doctrine across Cisco infrastructure. CL-STA-1132 extends it to a third vendor in the same fortnight. The pattern no longer belongs to a single nation-state programme. Multiple offensive units have adopted the same playbook, which means defenders cannot calibrate their response to a specific country attribution; they must treat the doctrine itself as the threat model.

Deep Analysis

In plain English

A state-sponsored hacking group called CL-STA-1132 broke into Palo Alto Networks firewall devices starting on 16 April, roughly three weeks before this was publicly revealed. These firewalls are the devices businesses and government agencies use to protect their networks from outside attackers. Once inside, the group did something important: they deleted the logs that would normally tell a security team what happened. They also used the firewall's own user accounts to move around the internal network, because those accounts are trusted by other systems. This tradecraft, the combination of using a trusted device's own credentials and destroying the evidence afterwards, has now been seen in attacks on three different firewall vendors within two weeks. Security researchers say the technique has spread across multiple hacking programmes.

Deep Analysis

Root Causes

The convergence on firewall perimeter devices as entry points reflects a structural reality: next-generation firewalls occupy a position in the network where they have authenticated access to internal systems via service accounts, and where defenders rarely deploy endpoint detection agents. EDR tools are licensed for servers and workstations; the firewall runs a proprietary OS that sits outside standard EDR telemetry.

Active Directory enumeration via the firewall's own service account is exploitable precisely because network segmentation designs give firewalls legitimate, trusted access to directory services for user-identity resolution. The attacker abuses a function that must exist for the firewall to operate correctly.

The 20-day gap between first exploitation on 16 April and the advisory on 6 May reflects the time required to confirm exploitation with forensic confidence, not necessarily the time Unit 42 required to detect it. Perimeter-device forensics require specialised tooling and typically a physical or out-of-band management connection that disrupts production traffic during collection.

What could happen next?

Risk
Defenders on PAN-OS have a 20-day window of potentially unobserved lateral movement from a trusted service account that standard SOC tooling would not have flagged.
Immediate · 0.85
Consequence
The proliferation of log-destruction doctrine across CL-STA-1132, UAT-4356, and UNC5221 means defenders must now treat absence-of-logs as a positive indicator of compromise, not just an inconvenience.
Short term · 0.9
Precedent
Unit 42's public attribution of CL-STA-1132 with specific tradecraft documentation (shellcode in nginx worker, service-account enumeration) accelerates detection rule development for organisations still exposed.
Short term · 0.8

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: In 2014, the Equation Group's post-exploitation framework DOUBLEFANTASY included a module explicitly designed to clear Linux auth logs and bash history files, documented by Kaspersky Lab in 2015.

The technique was later observed in WannaCry post-infection cleanup, having spread from the NSA toolset via the Shadow Brokers dump in 2017. The pattern from 2014 to 2017 was: elite programme develops technique, technique proliferates through dump or training transfer, non-state actors adopt it.

Counter-parallel: The 2022 Sandworm Cyclops Blink disclosure showed that even when post-exploitation modules include forensic-wipe capabilities, defenders who identify the initial compromise vector can reconstruct the timeline using firmware memory dumps rather than logs. The log-wipe doctrine creates a blind-log condition, but it does not eliminate all forensic surface.

The two confirmed compromised devices represent a disclosed floor. The remediation cost per device is disproportionate to the device count: each affected PAN-OS unit requires a full forensic acquisition, log reconstruction against a baseline of known-destroyed artefacts, credential rotation for every service account the firewall held, and re-certification of any internal systems the firewall's service account accessed during the 20-day window.

For US federal agencies, that work scope triggers a formal incident response under OMB Memorandum M-21-31, which requires 72-hour notification to CISA and a 30-day closure report. The per-device compliance cost in engineering hours and third-party IR fees runs to six figures in the US federal market.

Consensus view: Recorded Future's Insikt Group and RUSI both assess the forensic-log destruction pattern as a deliberate operational security discipline, not opportunism: the systematic deletion of crash logs, kernel messages, and ptrace artefacts requires pre-prepared tooling and a threat actor who rehearsed the post-exploitation phase before the operation, indicating a mature offensive programme with institutional memory.

Counter-view: Citizen Lab's Senior Researcher Bill Marczak argues the tradecraft consistency across CL-STA-1132, UAT-4356, and UNC5221 may reflect shared training infrastructure or tooling marketplaces rather than a single programme proliferating, citing the way commercially-developed offensive frameworks such as Cobalt Strike spread across unrelated state actors before attribution could be made.

Key tension: Whether three clusters running substantively identical log-destruction doctrine against three different firewall vendors represents a single shared playbook circulating among allied state programmes, or independent convergence on the same obvious operational security technique.

First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

Palo Alto Networks PSIRT· 8 May 2026

Read original →

Causes and effects

This Event

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

Three state-nexus clusters in two weeks have used the same post-exploitation playbook across three firewall vendors, confirming the doctrine has proliferated to the point where defenders should treat log absence as an intrusion indicator rather than a systems-management gap.

Led to

BRICKSTORM dwell hits 393 days, Mandiant

CL-STA-1132 is the third state-nexus cluster in two updates using the same perimeter-device doctrine as UNC5221 BRICKSTORM on VMware.

Occurred 1 Mar 2026

Read story →

FIRESTARTER implant survives every Cisco firewall patch

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 24 Apr 2026

Read story →

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.