
Firestarter Malware Evades Cisco Firewall Updates, Persists Across Reboots

“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency wrote — a short sentence that frames a complex intrusion: a custom backdoor, Firestarter, that can survive routine firmware updates and security patches on Cisco Firepower and Secure Firewall devices.

Who is behind Firestarter and how initial access occurred

U.S. and U.K. cybersecurity agencies attribute the backdoor to a threat actor Cisco Talos tracks internally as UAT-4356, an actor linked to cyberespionage campaigns including one called ArcaneDoor. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) say the adversary likely obtained initial access by exploiting a missing authorization issue (CVE-2025-20333) and/or a buffer overflow bug (CVE-2025-20362).

The attack sequence observed in a federal civilian executive branch agency

In the incident analyzed by CISA, the intruders used a two-stage approach. First, they deployed Line Viper, described as a user-mode shellcode loader that established VPN sessions and harvested configuration details — including administrative credentials, certificates, and private keys — from the compromised Firepower device. After that, operators installed the ELF binary known as Firestarter to provide persistent remote access.

CISA explicitly notes it has not released details on the specific payloads that were executed after Firestarter was in place.

How Firestarter survives updates, reboots, and process termination

Firestarter’s persistence is the central technical finding in the joint malware analysis released by CISA and the NCSC and in Cisco Talos’ write-up.

  • Persistence is implemented by hooking into LINA, the core Cisco ASA process, and installing signal handlers that trigger reinstallation routines when the process receives termination signals (including a graceful reboot).
  • The implant modifies the CSP_MOUNT_LIST boot/mount file to ensure it runs on startup, stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores an executable to /usr/bin/lina_cs to run in the background.
  • Cisco Talos observed that the persistence mechanism is triggered when a process termination signal is received, and documented that the backdoor relaunches automatically if terminated.
  • At runtime, Firestarter creates a controlled execution path by modifying an XML handler in LINA and injecting shellcode into memory. That shellcode is activated by a specially crafted WebVPN request which validates a hardcoded identifier before loading attacker-supplied payloads directly into memory.

Because the implant lives in the device’s boot and execution flow and re-establishes itself across reboots, firmware updates, and security patches, simply applying a patch without removing the persistence mechanism is insufficient to guarantee a clean device.

Vendor and agency remediation steps and detection guidance

Cisco published a security advisory with mitigations, workarounds for removing the persistence mechanism, and indicators of compromise. The vendor “strongly recommends reimaging and upgrading the device using the fixed releases,” and that guidance covers both devices that are known to be compromised and those presumed not compromised.

For quick detection, administrators are advised to run the command:

show kernel process | include lina_cs

Any output from that command should be treated as confirmation the device is compromised. Cisco notes that a cold restart (disconnecting the device power) can remove the malware if reimaging is not immediately possible, but warns that this alternative carries the risk of database or disk corruption and can lead to boot problems, so it is not recommended.

CISA has also published two YARA rules intended to detect the Firestarter backdoor when scanned against a disk image or a core dump from a device.
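A defender-side triage check that mirrors the two artefact types above, written for this article as an added example and not code from Cisco, CISA, or the NCSC: it applies the `| include lina_cs` test to captured `show kernel process` output from many devices and checks a disk-image file listing for the two paths named in the reporting. The process-table column layout and all sample values are constructed assumptions.

```python
from typing import Iterable

# Constructed sample of captured "show kernel process" output. The column layout
# is an assumption for illustration, not copied from a real device; the last line
# is what a compromised device would return.
SAMPLE_OUTPUT = """\
  PID  PPID  PRI  NI  VSIZE    RSS  WCHAN  STAT  RUNTIME   COMMAND
    1     0   20   0   4108   1512  -      S     00:00:01  init
  512     1   20   0 980512  41320  -      S     01:12:33  lina
  913   512   20   0  12816   2044  -      S     00:00:02  lina_cs
"""

# File-system artefacts named in the CISA/NCSC and Cisco Talos reporting.
FIRESTARTER_PATHS = frozenset({
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
})

def suspicious_processes(show_kernel_process_output: str) -> list[str]:
    """Return process-table lines whose command is lina_cs (bare or by full path).

    Same test as `| include lina_cs` on the device, restricted to the command
    token so a header row or an argument cannot produce a false match.
    """
    hits = []
    for line in show_kernel_process_output.splitlines():
        tokens = line.split()
        if any(t == "lina_cs" or t.endswith("/lina_cs") for t in tokens):
            hits.append(line.strip())
    return hits

def suspicious_files(image_listing: Iterable[str]) -> list[str]:
    """Return the known Firestarter paths present in a disk-image file listing."""
    present = {p.strip() for p in image_listing}
    return sorted(FIRESTARTER_PATHS & present)

def assess(show_kernel_process_output: str, image_listing: Iterable[str] = ()) -> dict:
    """Combine both checks; per Cisco's guidance, any hit means the device is compromised."""
    procs = suspicious_processes(show_kernel_process_output)
    files = suspicious_files(image_listing)
    return {"compromised": bool(procs or files), "processes": procs, "files": files}

if __name__ == "__main__":
    # Constructed listing of a mounted image that contains one of the artefacts.
    listing = ["/usr/bin/lina", "/usr/bin/lina_cs", "/etc/hosts"]
    print(assess(SAMPLE_OUTPUT, listing))
```

A positive result from either check is a reimage trigger under Cisco's advisory, not something to clean by hand, since the implant reinstalls itself on process termination.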

What this means for technologists, procurement leads, and affected agencies

  • Technologists and security teams: Verify devices with the suggested kernel-process command, apply the fixed releases, and follow Cisco’s advisory to reimage devices identified as compromised; temporary workarounds like cold restarts may remove the implant but carry operational risk.
  • Procurement and operations leaders in organizations using Cisco Firepower or Secure Firewall with ASA/FTD: Expect vendor guidance to prioritize reimaging and upgrades; devices in production that cannot be immediately reimaged should be handled cautiously because the implant persists across normal patch cycles.
  • Affected federal civilian agencies: CISA’s assessment places at least one compromise in early September 2025 prior to ED 25-03 patching; agencies following that timeline will need to confirm remediation actions and validate device integrity using the provided IoCs and YARA rules.

Firestarter is notable not just for what it does — act as a memory-resident backdoor triggered by a crafted WebVPN request — but for how it behaves: it hides inside the vendor’s own control process and is written to survive the very updates meant to stop it. The joint CISA–NCSC analysis, Cisco Talos’ technical reporting, Cisco’s advisory, and the practical detection and remediation steps now in circulation give operators a specific playbook to follow, even as questions remain about what attacker payloads were used in the wild. The immediate next step for any team responsible for ASA or FTD devices is straightforward: run the diagnostic command, treat any positive output as a compromise, and reimage using the fixed releases Cisco has provided.

Source: BleepingComputer — Firestarter malware survives Cisco firewall updates, security patches