14JUN

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

3 min read

11:51UTC

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Three state clusters used the same log-destruction and service-account playbook across three firewall vendors in two weeks.

Unit 42, Palo Alto Networks' threat-research arm, confirmed that state-sponsored cluster CL-STA-1132 has exploited CVE-2026-0300 since 16 April, a 20-day window of access before any advisory existed.¹ Post-exploitation tradecraft recorded by Unit 42 includes shellcode injected into the nginx worker process, Active Directory (AD) enumeration via the firewall's own service account, lateral movement using open-source tunnelling tools EarthWorm and ReverseSocks5, and methodical destruction of crash logs, kernel messages and ptrace evidence.² Two devices are confirmed compromised; that figure represents the floor, not the ceiling.

The tradecraft is substantively identical to UAT-4356 running FIRESTARTER on Cisco ASA and Firepower firewalls , and to UNC5221 running BRICKSTORM on VMware appliances , where 393 days of dwell time passed before the cluster was detected. In each case: perimeter device as initial access, the device's own service account for internal enumeration, deliberate log destruction to eliminate forensic visibility. A defender who follows standard guidance (no exposed credentials, segmented zones) still faces a firewall whose logs are gone before the alert fires, with lateral movement arriving from a service account the security operations centre treats as trusted.

The sixteen-agency IOC advisory named the shared doctrine across Cisco infrastructure. CL-STA-1132 extends it to a third vendor in the same fortnight. The pattern no longer belongs to a single nation-state programme. Multiple offensive units have adopted the same playbook, which means defenders cannot calibrate their response to a specific country attribution; they must treat the doctrine itself as the threat model.

Deep Analysis

In plain English

A state-sponsored hacking group called CL-STA-1132 broke into Palo Alto Networks firewall devices starting on 16 April, roughly three weeks before this was publicly revealed. These firewalls are the devices businesses and government agencies use to protect their networks from outside attackers. Once inside, the group did something important: they deleted the logs that would normally tell a security team what happened. They also used the firewall's own user accounts to move around the internal network, because those accounts are trusted by other systems. This tradecraft, the combination of using a trusted device's own credentials and destroying the evidence afterwards, has now been seen in attacks on three different firewall vendors within two weeks. Security researchers say the technique has spread across multiple hacking programmes.

Deep Analysis

Root Causes

The convergence on firewall perimeter devices as entry points reflects a structural reality: next-generation firewalls occupy a position in the network where they have authenticated access to internal systems via service accounts, and where defenders rarely deploy endpoint detection agents. EDR tools are licensed for servers and workstations; the firewall runs a proprietary OS that sits outside standard EDR telemetry.

Active Directory enumeration via the firewall's own service account is exploitable precisely because network segmentation designs give firewalls legitimate, trusted access to directory services for user-identity resolution. The attacker abuses a function that must exist for the firewall to operate correctly.

The 20-day gap between first exploitation on 16 April and the advisory on 6 May reflects the time required to confirm exploitation with forensic confidence, not necessarily the time Unit 42 required to detect it. Perimeter-device forensics require specialised tooling and typically a physical or out-of-band management connection that disrupts production traffic during collection.

What could happen next?

Risk
Defenders on PAN-OS have a 20-day window of potentially unobserved lateral movement from a trusted service account that standard SOC tooling would not have flagged.
Immediate · 0.85
Consequence
The proliferation of log-destruction doctrine across CL-STA-1132, UAT-4356, and UNC5221 means defenders must now treat absence-of-logs as a positive indicator of compromise, not just an inconvenience.
Short term · 0.9
Precedent
Unit 42's public attribution of CL-STA-1132 with specific tradecraft documentation (shellcode in nginx worker, service-account enumeration) accelerates detection rule development for organisations still exposed.
Short term · 0.8

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: In 2014, the Equation Group's post-exploitation framework DOUBLEFANTASY included a module explicitly designed to clear Linux auth logs and bash history files, documented by Kaspersky Lab in 2015.

The technique was later observed in WannaCry post-infection cleanup, having spread from the NSA toolset via the Shadow Brokers dump in 2017. The pattern from 2014 to 2017 was: elite programme develops technique, technique proliferates through dump or training transfer, non-state actors adopt it.

Counter-parallel: The 2022 Sandworm Cyclops Blink disclosure showed that even when post-exploitation modules include forensic-wipe capabilities, defenders who identify the initial compromise vector can reconstruct the timeline using firmware memory dumps rather than logs. The log-wipe doctrine creates a blind-log condition, but it does not eliminate all forensic surface.

The two confirmed compromised devices represent a disclosed floor. The remediation cost per device is disproportionate to the device count: each affected PAN-OS unit requires a full forensic acquisition, log reconstruction against a baseline of known-destroyed artefacts, credential rotation for every service account the firewall held, and re-certification of any internal systems the firewall's service account accessed during the 20-day window.

For US federal agencies, that work scope triggers a formal incident response under OMB Memorandum M-21-31, which requires 72-hour notification to CISA and a 30-day closure report. The per-device compliance cost in engineering hours and third-party IR fees runs to six figures in the US federal market.

Consensus view: Recorded Future's Insikt Group and RUSI both assess the forensic-log destruction pattern as a deliberate operational security discipline, not opportunism: the systematic deletion of crash logs, kernel messages, and ptrace artefacts requires pre-prepared tooling and a threat actor who rehearsed the post-exploitation phase before the operation, indicating a mature offensive programme with institutional memory.

Counter-view: Citizen Lab's Senior Researcher Bill Marczak argues the tradecraft consistency across CL-STA-1132, UAT-4356, and UNC5221 may reflect shared training infrastructure or tooling marketplaces rather than a single programme proliferating, citing the way commercially-developed offensive frameworks such as Cobalt Strike spread across unrelated state actors before attribution could be made.

Key tension: Whether three clusters running substantively identical log-destruction doctrine against three different firewall vendors represents a single shared playbook circulating among allied state programmes, or independent convergence on the same obvious operational security technique.

First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

Palo Alto Networks PSIRT· 8 May 2026

Read original →

Causes and effects

This Event

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

Three state-nexus clusters in two weeks have used the same post-exploitation playbook across three firewall vendors, confirming the doctrine has proliferated to the point where defenders should treat log absence as an intrusion indicator rather than a systems-management gap.

Led to

FIRESTARTER implant survives every Cisco firewall patch

CL-STA-1132 on PAN-OS runs identical post-exploitation doctrine to UAT-4356 FIRESTARTER on Cisco ASA and Firepower: service-account abuse, log destruction, open-source lateral movement tooling.

Occurred 24 Apr 2026

Read story →

BRICKSTORM dwell hits 393 days, Mandiant

CL-STA-1132 is the third state-nexus cluster in two updates using the same perimeter-device doctrine as UNC5221 BRICKSTORM on VMware.

Occurred 1 Mar 2026

Read story →

VPN zero-day open a month pre-patch

PAN-OS exploitation running 20 days before any advisory is the direct precedent for the Check Point VPN flaw being exploited for approximately one month before the hotfix shipped.

Occurred 8 Jun 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.