Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

CL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed

3 min read
11:00UTC

Unit 42 confirmed state-sponsored cluster CL-STA-1132 has been inside PAN-OS firewalls since 16 April, running the same service-account enumeration and forensic-log destruction doctrine that CISA and the NCSC named against Cisco two weeks ago.

TechnologyDeveloping
Key takeaway

Three state clusters used the same log-destruction and service-account playbook across three firewall vendors in two weeks.

Unit 42, Palo Alto Networks' threat-research arm, confirmed that state-sponsored cluster CL-STA-1132 has exploited CVE-2026-0300 since 16 April, a 20-day window of access before any advisory existed.1 Post-exploitation tradecraft recorded by Unit 42 includes shellcode injected into the nginx worker process, Active Directory (AD) enumeration via the firewall's own service account, lateral movement using open-source tunnelling tools EarthWorm and ReverseSocks5, and methodical destruction of crash logs, kernel messages and ptrace evidence.2 Two devices are confirmed compromised; that figure represents the floor, not the ceiling.

The tradecraft is substantively identical to UAT-4356 running FIRESTARTER on Cisco ASA and Firepower firewalls , and to UNC5221 running BRICKSTORM on VMware appliances , where 393 days of dwell time passed before the cluster was detected. In each case: perimeter device as initial access, the device's own service account for internal enumeration, deliberate log destruction to eliminate forensic visibility. A defender who follows standard guidance (no exposed credentials, segmented zones) still faces a firewall whose logs are gone before the alert fires, with lateral movement arriving from a service account the security operations centre treats as trusted.

The sixteen-agency IOC advisory named the shared doctrine across Cisco infrastructure. CL-STA-1132 extends it to a third vendor in the same fortnight. The pattern no longer belongs to a single nation-state programme. Multiple offensive units have adopted the same playbook, which means defenders cannot calibrate their response to a specific country attribution; they must treat the doctrine itself as the threat model.

Deep Analysis

In plain English

A state-sponsored hacking group called CL-STA-1132 broke into Palo Alto Networks firewall devices starting on 16 April, roughly three weeks before this was publicly revealed. These firewalls are the devices businesses and government agencies use to protect their networks from outside attackers. Once inside, the group did something important: they deleted the logs that would normally tell a security team what happened. They also used the firewall's own user accounts to move around the internal network, because those accounts are trusted by other systems. This tradecraft, the combination of using a trusted device's own credentials and destroying the evidence afterwards, has now been seen in attacks on three different firewall vendors within two weeks. Security researchers say the technique has spread across multiple hacking programmes.

Deep Analysis
Root Causes

The convergence on firewall perimeter devices as entry points reflects a structural reality: next-generation firewalls occupy a position in the network where they have authenticated access to internal systems via service accounts, and where defenders rarely deploy endpoint detection agents. EDR tools are licensed for servers and workstations; the firewall runs a proprietary OS that sits outside standard EDR telemetry.

Active Directory enumeration via the firewall's own service account is exploitable precisely because network segmentation designs give firewalls legitimate, trusted access to directory services for user-identity resolution. The attacker abuses a function that must exist for the firewall to operate correctly.

The 20-day gap between first exploitation on 16 April and the advisory on 6 May reflects the time required to confirm exploitation with forensic confidence, not necessarily the time Unit 42 required to detect it. Perimeter-device forensics require specialised tooling and typically a physical or out-of-band management connection that disrupts production traffic during collection.

What could happen next?
  • Risk

    Defenders on PAN-OS have a 20-day window of potentially unobserved lateral movement from a trusted service account that standard SOC tooling would not have flagged.

    Immediate · 0.85
  • Consequence

    The proliferation of log-destruction doctrine across CL-STA-1132, UAT-4356, and UNC5221 means defenders must now treat absence-of-logs as a positive indicator of compromise, not just an inconvenience.

    Short term · 0.9
  • Precedent

    Unit 42's public attribution of CL-STA-1132 with specific tradecraft documentation (shellcode in nginx worker, service-account enumeration) accelerates detection rule development for organisations still exposed.

    Short term · 0.8
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

Palo Alto Networks PSIRT· 8 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.