Cybersecurity: Threats and Defences
7 June

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

10:08 UTC

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.

Key takeaway

Three state clusters used the same log-destruction and service-account playbook across three firewall vendors in two weeks.

Unit 42, Palo Alto Networks' threat-research arm, confirmed that state-sponsored cluster CL-STA-1132 has exploited CVE-2026-0300 since 16 April, a 20-day window of access before any advisory existed [1]. Post-exploitation tradecraft recorded by Unit 42 includes shellcode injected into the nginx worker process, Active Directory (AD) enumeration via the firewall's own service account, lateral movement using open-source tunnelling tools EarthWorm and ReverseSocks5, and methodical destruction of crash logs, kernel messages and ptrace evidence [2]. Two devices are confirmed compromised; that figure represents the floor, not the ceiling.

The tradecraft is substantively identical to UAT-4356 running FIRESTARTER on Cisco ASA and Firepower firewalls, and to UNC5221 running BRICKSTORM on VMware appliances, where 393 days of dwell time passed before the cluster was detected. In each case: perimeter device as initial access, the device's own service account for internal enumeration, deliberate log destruction to eliminate forensic visibility. A defender who follows standard guidance (no exposed credentials, segmented zones) still faces a firewall whose logs are gone before the alert fires, with lateral movement arriving from a service account the security operations centre treats as trusted.

The sixteen-agency IOC advisory named the shared doctrine across Cisco infrastructure. CL-STA-1132 extends it to a third vendor in the same fortnight. The pattern no longer belongs to a single nation-state programme. Multiple offensive units have adopted the same playbook, which means defenders cannot calibrate their response to a specific country attribution; they must treat the doctrine itself as the threat model.

Deep Analysis

In plain English

A state-sponsored hacking group called CL-STA-1132 broke into Palo Alto Networks firewall devices starting on 16 April, roughly three weeks before this was publicly revealed. These firewalls are the devices businesses and government agencies use to protect their networks from outside attackers. Once inside, the group did something important: they deleted the logs that would normally tell a security team what happened. They also used the firewall's own user accounts to move around the internal network, because those accounts are trusted by other systems. This tradecraft, the combination of using a trusted device's own credentials and destroying the evidence afterwards, has now been seen in attacks on three different firewall vendors within two weeks. Security researchers say the technique has spread across multiple hacking programmes.

Root Causes

The convergence on firewall perimeter devices as entry points reflects a structural reality: next-generation firewalls occupy a position in the network where they have authenticated access to internal systems via service accounts, and where defenders rarely deploy endpoint detection agents. EDR tools are licensed for servers and workstations; the firewall runs a proprietary OS that sits outside standard EDR telemetry.

Active Directory enumeration via the firewall's own service account is exploitable precisely because network segmentation designs give firewalls legitimate, trusted access to directory services for user-identity resolution. The attacker abuses a function that must exist for the firewall to operate correctly.

The 20-day gap between first exploitation on 16 April and the advisory on 6 May reflects the time required to confirm exploitation with forensic confidence, not necessarily the time Unit 42 required to detect it. Perimeter-device forensics require specialised tooling and typically a physical or out-of-band management connection that disrupts production traffic during collection.

What could happen next?
  • Risk

    Defenders on PAN-OS have a 20-day window of potentially unobserved lateral movement from a trusted service account that standard SOC tooling would not have flagged.

    Immediate · 0.85
  • Consequence

    The proliferation of log-destruction doctrine across CL-STA-1132, UAT-4356, and UNC5221 means defenders must now treat absence-of-logs as a positive indicator of compromise, not just an inconvenience.

    Short term · 0.9
  • Precedent

    Unit 42's public attribution of CL-STA-1132 with specific tradecraft documentation (shellcode in nginx worker, service-account enumeration) accelerates detection rule development for organisations still exposed.

    Short term · 0.8
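The "absence of logs as an indicator" point above, as an added example that is not part of the briefing and not Unit 42 or Palo Alto Networks code: a small Python detector that learns each device's own logging cadence from a constructed sample of heartbeat-style lines (a made-up `<timestamp> <device> ...` format, not real PAN-OS syslog) and flags any device whose silence exceeds a multiple of that baseline, so a firewall that simply stops reporting surfaces as an alert rather than a gap.

```python
from datetime import datetime
from statistics import median

# Constructed sample (not real PAN-OS output): two firewalls reporting every
# 10 minutes. fw-edge-02 goes quiet after 10:20 and never returns.
SAMPLE_LOGS = """\
2026-04-16T10:00:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T10:00:00Z fw-edge-02 SYSTEM general heartbeat
2026-04-16T10:10:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T10:10:00Z fw-edge-02 SYSTEM general heartbeat
2026-04-16T10:20:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T10:20:00Z fw-edge-02 SYSTEM general heartbeat
2026-04-16T10:30:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T10:40:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T10:50:00Z fw-edge-01 SYSTEM general heartbeat
2026-04-16T11:00:00Z fw-edge-01 SYSTEM general heartbeat
"""
# Constructed evaluation time for the sample above.
NOW = datetime(2026, 4, 16, 11, 5)


def parse(lines):
    """Return {device: [timestamps]} from '<ts> <device> ...' lines."""
    per_device = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, device = line.split()[:2]
        per_device.setdefault(device, []).append(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return per_device


def silent_devices(lines, now, tolerance=3.0):
    """Flag devices silent for more than tolerance x their own median
    inter-log interval. Returns {device: (last_seen_iso, silence_seconds)}."""
    flagged = {}
    for device, stamps in parse(lines).items():
        stamps.sort()
        if len(stamps) < 2:          # no baseline without two lines
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        silence = (now - stamps[-1]).total_seconds()
        if silence > tolerance * median(gaps):
            flagged[device] = (stamps[-1].isoformat(), silence)
    return flagged


def run_sample():
    return silent_devices(SAMPLE_LOGS, NOW)


if __name__ == "__main__":
    for dev, (last, secs) in run_sample().items():
        print(f"ALERT {dev}: no logs since {last} ({secs:.0f}s silent)")
```

In practice the baseline would come from a longer history than the window being checked, and the tolerance tuned per log type, but the shape of the check is the same.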
First reported in: Update #3 · CISA's deadline outruns Palo Alto's patch (Palo Alto Networks PSIRT, 8 May 2026)
Causes and effects

Three state-nexus clusters in two weeks have used the same post-exploitation playbook across three firewall vendors, confirming the doctrine has proliferated to the point where defenders should treat log absence as an intrusion indicator rather than a systems-management gap.
Different Perspectives

Australian Cyber Security Centre (ACSC): Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement: Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill): The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective: The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator: NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency): Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.