Threatcast

Zero-Day Buried in Plain Sight: PAN-OS, ShinyHunters, and the Mislabeled Threat

10 scenes, 7 speakers. Briefing.
01 Cold Open: The Mislabeled Zero-Day (00:00)

Halil: A briefing entry mislabeled as a known Ivanti CVE was actually hiding a brand-new PAN-OS zero-day — unauthenticated root access on Palo Alto firewalls, no patch, four weeks of active exploitation already in progress.

Halil: Welcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.

Halil: We have two live threads today, and both of them have clocks running. First: CVE-2026-0300 — that's the real CVE, not the CVE-2026-6973 label slapped on it in this afternoon's briefing. CVSS nine point three. Unauthenticated root RCE on PAN-OS firewalls. No patch until May 13 at the earliest. And according to Unit42, exploitation started around April 9. That's not a future threat. That's a four-week head start for the attackers.

Halil: Second thread: ShinyHunters. We covered them earlier this week — the Instructure breach, the nine thousand institutions, the data theft play. What's new today is different. They've moved to active disruption. Three hundred thirty Canvas login portals defaced. Per-institution ransom demands. A May 12 deadline. And a fracturing strategy designed to make coordinated response impossible.

Halil: We are not relitigating this week's prior Canvas coverage. We are covering today's delta. Let's go.
02 Sponsor — Blue Cortex AI (01:49)

Halil: This episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.
03 CVE-2026-0300: Four Weeks In, Already Blind (02:58)

Halil: Alex, Lena — let's establish the basics. What exactly is CVE-2026-0300, and why did it almost get missed?

Alex: So the briefing labeled it CVE-2026-6973 — that's an Ivanti vulnerability we already covered. Different product, different attack surface, different everything. The body of the finding described something completely distinct.

Lena: PAN-OS User-ID Authentication Portal. CVSS nine point three. Pre-auth. An unauthenticated attacker gets root RCE on the firewall itself.

Alex: Right. And here's what makes this one genuinely alarming — not just the CVSS. It's that Unit42 is saying exploitation started around April 9. We are now at week four.

Halil: So this is not a patch-ahead-of-exploitation conversation.

Alex: Not even close. This is detection and response for a campaign that's already been running. The patch doesn't exist until May 13 at the earliest. And you may already be compromised.

Lena: The threat cluster Unit42 designated CL-STA-1132 — that's a brand-new designation with no prior public ties to established APT groups. The temporary label signals assessed state-nexus activity without full attribution.

Halil: What's the post-exploitation picture look like?

Lena: Classic firewall-as-pivot. Root RCE on the perimeter device, credential harvest from firewall config — LDAP bind credentials, known-user lists — then Active Directory enumeration, then lateral movement inward. And throughout: systematic log destruction.

Alex: That log destruction piece is the critical gap. If attackers have root, they can wipe local PAN-OS logs before any of it forwards to Panorama or your SIEM. The firewall cannot report on itself anymore. It's blind.

Lena: Which means organizations relying solely on firewall-local logs may have zero surviving evidence of the initial compromise.

Halil: So we'll need James on the forensic survival question. But first — the CISA KEV deadline. What's the actual deadline?

Alex: The briefing said May 10. That's wrong too. Actual CISA KEV deadline is May 27. But look — the patch doesn't exist until May 13. So the deadline is almost academic. The question right now isn't when to patch. It's when did you get hit.
04 Forensic Survival: What Evidence Is Left After Root (05:42)

Halil: James, you've done PAN-OS incident response before. CL-STA-1132 has root and is wiping logs. What's actually left?

James: Okay, so — there are three layers where you still find evidence even when local logs are gone. First: disk-level artifacts. Tech Support File pulls from pre-compromise backup snapshots. Not the current logs — those are unreliable. You want TSFs from before April 9.

Alex: And if you didn't take snapshots before April 9, those are just gone.

James: Correct. Which is why the second layer is your primary survivable source — network-level evidence from upstream devices. Switches, routers, netflow collectors. The firewall cannot wipe those. It doesn't have access.

Halil: What are you hunting for in that netflow data?

James: Outbound TCP from nginx worker processes. That's the tell. Nginx on a firewall should not be initiating outbound connections. Ever. If you see it, that's your smoking gun. Also look for SOCKS5 traffic patterns and non-standard port behavior consistent with EarthWorm and ReverseSocks5 tunneling.

Lena: And on the AD side — look for authentication anomalies on downstream domain controllers. Failed auth bursts from firewall-originating IPs, or successful binds from service accounts that have no business authenticating from a firewall management interface.

James: Exactly. And the third layer — memory. If you haven't rebooted the device, capture memory before you touch anything. Root access means kernel modules could be loaded. Reboot kills that evidence permanently.

Halil: So the remediation scope extends well past the firewall itself.

James: Way past. Four weeks of root access means you should assume domain credential compromise. Force reset all service accounts the firewall had access to. Every account that authenticated through it in the last four weeks. Not 'consider it' — do it today.

Alex: And Palo Alto released Threat Prevention signature ID 510019 on May 6 — that's content version 9097-10022. But that's only for supported versions. PAN-OS 10.2 operators may not have signatures available yet.

James: Right. If you're on 10.2, internet-exposed, and cannot disable or restrict the portal — your only real option is blocking portal ports at your upstream edge and accepting the auth degradation. I'd take the operational hit over a month of undetected state-nexus dwell time.

Halil: Hmm. That's a hard call for teams running that portal for critical auth flows.

James: It is. But the risk calculus shifted the moment Unit42 published that April 9 timeline. This isn't theoretical anymore.
05 Attribution: China-Nexus or Wishful Pattern-Matching? (08:45)

Halil: Lena, you flagged EarthWorm and ReverseSocks5 as tooling with Chinese-nexus associations — specifically Volt Typhoon. I want to push on that. EarthWorm is open-source. Anyone can download it. How solid is that linkage?

Lena: Valid. EarthWorm alone is single-factor attribution — that's weak, I'll grant you that immediately.

Halil: So what elevates it?

Lena: The combination. EarthWorm plus ReverseSocks5, deployed alongside systematic AD enumeration and log destruction, immediately following zero-day RCE on edge infrastructure. That specific TTP chain appears repeatedly in Chinese-nexus operations per Sygnia and Unit42 reporting.

Alex: I'd push back slightly on the Volt Typhoon framing specifically. G1017's — that's MITRE's designation for Volt Typhoon — their documented tradecraft leans heavily on built-in utilities. Netsh port proxy, living-off-the-land. They don't typically reach for third-party tunneling tools as heavily as CL-STA-1132 appears to.

Lena: You're right. And I want to correct my earlier framing on that. CL-STA-1132's reliance on third-party tools actually diverges from pure Volt Typhoon patterns. It looks closer to APT27 or Gelsemium tradecraft based on the reporting.

Halil: So you're walking back the Volt Typhoon comparison.

Lena: I'm narrowing it. Broader China-nexus tooling cluster — yes. Specific Volt Typhoon attribution — no, that was imprecise. I should not have led with that name.

Alex: That distinction matters operationally. Volt Typhoon's focus has been critical infrastructure pre-positioning. APT27 is much more promiscuous — financial, government, defense, academia.

Lena: Correct. And without C2 infrastructure pivot data linking CL-STA-1132 to known APT infrastructure, without victimology showing regional targeting patterns — I'm staying at low confidence on China-nexus specifically. Moderate confidence on state-sponsored based on campaign discipline and duration. That's my honest calibration.

Halil: What would actually move you to high confidence?

Lena: C2 domain pivots to known APT infrastructure. Code signing certificates shared with tracked groups. Or victim targeting that shows deliberate geographic or sector selection consistent with a named group's known objectives. None of that is in hand right now.

Alex: So for now — sophisticated, state-adjacent, China-tooling-cluster, unknown specific actor. That's where the evidence actually puts us.

Lena: That's where the evidence puts us.
06 ShinyHunters Escalates: From Theft to Disruption (11:39)

Halil: We covered the ShinyHunters Instructure breach earlier this week — the data theft, the nine thousand institutions, the initial extortion play. What's materially new today is different. Rafael, walk us through what actually happened to those Canvas login portals.

Rafael: So — roughly three hundred thirty Canvas login portals defaced. BleepingComputer sourced that count directly, not from forum chatter, so it's a solid number. Students at Colorado Springs reported login pages replaced with ShinyHunters branding and payment instructions around one PM local time.

Halil: And the ransom structure has changed.

Rafael: That's the critical shift. Previously ShinyHunters demanded from Instructure — one negotiation, one entity with legal and IR resources. Now they're demanding from individual institutions. Three hundred thirty separate decision-makers who mostly lack the legal counsel and incident response capacity to handle this.

Pierre: That's — look, from a risk architecture standpoint, that's actually quite clever. You fragment the response. You prevent coordinated counteraction. And you target the weakest negotiators.

Rafael: Krebs confirmed Penn got hit with a one million dollar demand back in February — before this escalation. The per-school pricing in this round isn't publicly specified in the defacement messages I captured, but the logic probably scales with institution size. Smaller colleges might see fifty thousand. Major research universities could see seven figures.

Halil: Pierre, put a number on the aggregate exposure.

Pierre: Okay — I want to be honest about where my numbers are solid and where they're not. The finals-week disruption at NSHE and CCSD in Nevada is confirmed by the Review-Journal. But dollar figures like one hundred fifty to two hundred fifty million for instructional disruption? I cannot cite those. That's speculation without benchmarking data.

Halil: Hmm. What can you say with confidence?

Pierre: Directionally — billions, not hundreds of millions, for the full breach scope across eight thousand eight hundred institutions and two hundred seventy-five million individuals affected. My modeled estimate is two point eight billion aggregate. But I'm flagging every component of that as scenario-weighted assumption, not verified incident-cost analogue.

Rafael: And one more thing worth flagging — Krebs reports ShinyHunters has now removed Instructure from their leak site and pulled down data samples. Could signal a negotiating posture shift. Or they're compartmentalizing for a larger drop.

Halil: Classic pressure mechanics. Keep the deadline, remove the public evidence, maximize uncertainty.

Rafael: Exactly. And the named-institution list is still circulating publicly — I confirmed the RansomwareLive mirror is live. So institutions on that list are being targeted whether or not they've confirmed their own exposure.
07 Vulnerability or Credential Reuse? The Canvas Attack Vector (15:08)

Halil: Rafael, you flagged something in the BleepingComputer reporting that changes the picture significantly. The source didn't describe credential reuse — they said 'exploiting a vulnerability.' But there's no CVE. Walk us through what you found and where the gaps are.

Rafael: Right. So BleepingComputer's source was unambiguous — 'exploiting a vulnerability.' Not credential stuffing, not session hijacking. A vulnerability. But I ran targeted searches across NVD, CVE.org, and Instructure's own advisory channels. Nothing. No matching CVE.

Alex: That leaves three possibilities. One: Instructure knows about a zero-day and is sitting on disclosure. Two: there's a known flaw they're not publicly naming. Three: the source is mischaracterizing credential abuse as exploitation.

Rafael: My read on actor profile leans toward option three. ShinyHunters are access brokers. They monetize stolen credentials — that's their business model. They are not typically sitting on LMS zero-days.

Pierre: But the defacements only lasted about thirty minutes, yeah? If they had a reliable exploit, you'd expect longer persistence.

Rafael: That's what I noticed too. Thirty minutes suggests either rapid detection and response by Instructure, or limited persistence capability. Both of those point more toward credential-based access than a robust zero-day.

Alex: I'd agree with that operational read. But here's the thing — threat actors evolve. Purchased exploits are a real market. We can't collapse the uncertainty just because credential abuse fits the profile better.

Halil: And the remediation implications are completely different depending on which it is.

Alex: Completely different. If it's credentials — forced resets, MFA enforcement, credential monitoring. That's an identity-layer response. If it's a Canvas vulnerability — you need a patch or mitigation from Instructure, and until that exists, you're exposed regardless of credential hygiene.

Rafael: And Instructure has not clarified. No advisory, no CVE. That ambiguity is itself a risk factor that institutions cannot afford to ignore.

Halil: So the prudent move is treat both vectors as live until Instructure says otherwise.

Alex: Treat both as live. Don't wait for a CVE to act.
08 The Regulatory Patchwork: FERPA, State Law, and the SEC Clock (17:48)

Halil: Sofia, two separate regulatory questions here. First: do the Canvas portal defacements trigger FERPA? And second: what does a four-week undetected PAN-OS compromise mean for SEC disclosure timelines?

Dr.: On FERPA first. FERPA itself contains no explicit breach notification requirements. The Department of Education's own data breach response checklist states that directly. What FERPA requires is recordation of disclosures from education records under Section 99.32.

Halil: So portal defacement with ransom messaging — standing alone — doesn't trigger FERPA.

Dr.: Standing alone, without confirmed unauthorized access to education records — correct, it does not trigger FERPA's recordation obligations. But that is not the end of the analysis.

Halil: State law.

Dr.: State law. Many jurisdictions — California Civil Code 1798.82 is a clear example — treat extortion demands as presumptive breaches. The threshold is unauthorized access, not confirmed exfiltration. And here's the exposure that institutions are underestimating: the publicly circulating named-institution list may create a constructive knowledge clock.

Halil: Meaning — once an institution can be said to have known they were on the list—

Dr.: The notification clock may already be running under states with 'knowledge or reasonable belief' standards. Institutions that treat this as 'not our problem until we confirm exfiltration' risk non-compliance.

Pierre: Hmm. So just being on a publicly circulating victim list could be enough to start the clock.

Dr.: In some jurisdictions, yes. That is a gray area, but regulators have been aggressive about constructive knowledge arguments. I would not advise waiting.

Halil: And the PAN-OS situation — SEC disclosure.

Dr.: This is the more acute exposure for publicly traded entities. SEC Item 1.05 of Form 8-K requires disclosure four business days after a registrant determines that a cybersecurity incident is material. The clock runs from materiality determination — not from discovery, not from occurrence.

Halil: But there's a separate state-law discovery problem.

Dr.: Exactly. State breach notification clocks run from discovery. And regulators may argue that reasonable security monitoring should have detected exploitation earlier — potentially moving the discovery date back to April 9 or close to it. The forensic question of when an organization first had knowledge is now a legal question.

Dr.: Bottom line: document the precise date when exploitation evidence was first identified. That date controls state notification clocks. And begin state law mapping immediately — FERPA is silent, but the patchwork of state statutes is not.
09 The Fracturing Strategy: Why Individual Ransom Demands Are Worse (20:56)

Halil: I want to spend a moment on the TTP shift itself, because I don't think the fracturing strategy has gotten enough attention. Rafael, Lena — why does demanding from individual institutions matter beyond just affecting more targets?

Rafael: So — traditional extortion at scale targets the vendor. One negotiation, one decision-maker, one legal team. If Instructure refuses or pays, that's the outcome. The fracturing model changes that entirely.

Lena: You're turning eight thousand eight hundred institutions into eight thousand eight hundred independent decision points. Most of them are K-12 districts or small colleges with no incident response capability and no playbook for this.

Rafael: Right. And from ShinyHunters' perspective, even a five percent payment rate across eight thousand eight hundred institutions at an average of, say, seventy-five thousand dollars per school — that's thirty-three million dollars. More than any single Instructure payout would likely produce.

Pierre: And it prevents coordinated legal response. If Instructure is the defendant, you have one lawsuit, one regulatory action. If three hundred thirty institutions each face individual demands, the legal fragmentation protects the attacker.

Halil: So what's the right response for an institution that gets an individual demand?

Rafael: Do not pay. Full stop. Paying an individual demand validates the fracturing model and funds the next campaign. It also doesn't guarantee data deletion — ShinyHunters have a track record of not honoring payment agreements.

Lena: And paying one institution doesn't protect any of the others. The data is shared infrastructure. One payment buys nothing systemic.

Halil: Nevada schools are in the hardest spot right now — finals week, portals down, deadline in four days.

Rafael: Yeah, the operational disruption during finals is real and the timing is deliberate. ShinyHunters picked the most painful possible moment. But even that doesn't change the calculus. Pay now, and you've just demonstrated that timing-based pressure works. Every threat actor learns from that.

Pierre: The board language here is straightforward: paying individual ransom demands is not a risk mitigation strategy. It is a funding mechanism for the next attack.
10 Synthesis: What to Do in the Next 24 Hours (23:33)

Halil: Let me pull the threads together, because we have two live operational situations with different clocks and different response requirements.

Halil: On CVE-2026-0300 — the real CVE, not the mislabeled briefing entry. If you have internet-exposed PAN-OS User-ID Authentication Portal, your first question is not when to patch. It's whether you were already hit around April 9. Begin compromise assessment now. Pull upstream netflow and switch logs. Look for outbound TCP from nginx worker processes — that's your clearest out-of-band signal. Hunt for SOCKS5 tunneling patterns and anomalous authentication from firewall-originating IPs against internal domain controllers. If you haven't rebooted the device, capture memory before you do anything else.

Halil: James's force-reset guidance stands: every service account the firewall touched, every account that authenticated through it in the last four weeks. Reset them all today. If you're on PAN-OS 10.2 with an exposed portal and no available signatures — restrict or take offline. Accept the auth degradation. The CISA KEV deadline is May 27, but the threat is four weeks old.

Halil: On ShinyHunters and Canvas. Don't pay individual ransom demands. The fracturing strategy is designed to make you feel like an isolated decision-maker — you're not. Communicate to students that Canvas-branded login pages and emails should be treated as untrusted through at least May 15. If your institution is on the publicly circulating victim list, consult state-specific breach notification counsel immediately. The constructive knowledge clock may already be running.

Halil: Instructure needs to clarify the attack vector — vulnerability or credential reuse. Until they do, treat both as live. Credential rotation is not sufficient if there's an unpatched Canvas vulnerability in play. Audit Canvas admin account access and monitor for unauthorized configuration changes.

Halil: Attribution for CL-STA-1132 remains preliminary. Lena corrected her earlier framing — this is a China-nexus tooling cluster, moderate confidence state-sponsored, but the specific Volt Typhoon comparison doesn't hold under scrutiny. That distinction matters for how organizations assess the long-term threat posture, not the immediate response.

Halil: What we'll be watching tomorrow: whether Instructure discloses a Canvas CVE before the May 12 deadline, whether any PAN-OS 10.2 signature availability is confirmed, and whether the May 12 deadline passes without payments — or doesn't.

Halil: That's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.
Episode: Zero-Day Buried in Plain Sight: PAN-OS, ShinyHunters, and the Mislabeled Threat. Published Fri 8 May. Runtime 27:52, 10 scenes.