RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: state-sponsored (2 articles)Clear
vulnerability
CVE-2026-0300
2026-05-06

Palo Alto Networks firewalls have a critical hole that lets attackers run code as root - hackers are already using it, no patch until May 13 (CVE-2026-0300)

Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.

palo-altopan-oscaptive-portaluser-id-authentication-portalzero-dayactively-exploitedcl-sta-1132unit-42earthwormreversesocks5state-sponsoredroot-rceunpatched
Check
Inventory Palo Alto PA-Series and VM-Series firewalls. Check whether the User-ID Authentication Portal is enabled and reachable from untrusted IPs. Hunt nginx crash logs for evidence of clearing since April 9.
Affected
PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal exposed to public internet or untrusted IPs. CVE-2026-0300, CVSS 9.3 (8.7 if portal restricted to internal IPs). Prisma Access, Cloud NGFW, and Panorama are NOT affected. Shadowserver tracks 5,800+ exposed VM-Series instances; thousands more likely sit behind load balancers.
Fix
Restrict the User-ID Authentication Portal to trusted internal networks - this is the primary mitigation until patches arrive. Disable the portal entirely if not strictly required. Block ports 6081 and 6082 from untrusted IPs. Stage May 13 patches: 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.10-h36. Treat any compromised firewall as a domain-wide breach starting point - rotate firewall service account credentials.
threat
2026-04-22

Lotus Wiper destroys Venezuelan energy and utility systems in apparent state-sponsored attack

Kaspersky has documented a previously undocumented data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism - this is pure destruction, consistent with state-aligned or geopolitically-motivated sabotage rather than cybercrime. The attack begins with two batch scripts that prepare the environment: one checks for a NETLOGON share (the Active Directory login-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs a second script. The second script disables cached logins, logs off active sessions, kills network interfaces, runs 'diskpart clean all' to wipe all logical drives, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS journal USN records, and erases every file on every mounted volume. Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed after Windows 10 version 1803 - meaning the attackers knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.

lotus-wipervenezuelacritical-infrastructureenergy-sectordestructive-malwarestate-sponsoredkasperskyliving-off-the-land
Check
Regardless of geography, hunt for the living-off-the-land pattern this wiper uses: 'diskpart clean all', fsutil filling free space, robocopy recursively mirroring empty directories, and attempts to stop UI0Detect on any Windows host.
Affected
Windows environments with long-running Active Directory compromise, particularly those still running pre-Windows 10 1803 builds where the UI0Detect service exists. Operational-technology organisations in energy, utilities, and critical infrastructure - especially in Venezuela but globally given the playbook is reusable.
Fix
Alert on any process chain matching: cmd.exe spawning 'diskpart.exe /s' with 'clean all', fsutil.exe creating zero-sized fill files, or robocopy.exe with /MIR into an empty source. Watch NETLOGON share for new or modified .xml and .bat files arriving on domain controllers. Enforce immutable offline backups - this wiper explicitly destroys restore points, shadow copies, and USN journals, so any backup reachable from the domain is at risk. Review privileged AD admin activity for the past 90 days. Monitor for unauthorized scripts pushed via GPO or scheduled tasks across the domain.