Critical Malware Targeting Cisco Firewalls
Suspected state-sponsored attackers have deployed a custom backdoor called Firestarter to persistently compromise Cisco security devices, including both Firepower and Secure Firewall appliances. The joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) on Thursday underscores the severity of the threat.
According to CISA, the malware has been successfully implanted on a Cisco Firepower device running ASA software. The agency has also released specific threat hunting rules for U.S. federal civilian agencies to detect signs of compromise within their networks.
How the Attack Works
The group behind these attacks, tracked as UAT-4356 by Cisco Talos, gains initial access to vulnerable internet-facing devices by exploiting two critical vulnerabilities: CVE-2025-20333 and CVE-2025-20362. Cisco patched these flaws in late September 2025, after the attacks were first discovered.
Once inside, the threat actors deploy a post-exploitation implant called Line Viper, which enables them to establish VPN sessions that bypass all authentication policies. Finally, they install the Firestarter backdoor to ensure long-term persistence.
Cisco Talos researchers explain that Firestarter embeds itself into the device's boot sequence by manipulating a startup configuration list. This ensures the malware automatically reactivates every time the device restarts normally. It remains dormant until triggered by a specially crafted WebVPN authentication request containing a secret "magic packet" sequence. When the implant recognizes the prefix bytes, it executes the accompanying shellcode directly in memory, creating an on-demand execution channel that is exceptionally difficult to detect without deep memory forensics or packet-level inspection.
Exceptional Persistence Mechanism
The resilience of Firestarter lies in its survival routine. Each time the device is gracefully shut down or rebooted, the malware uses that window to back itself up and rewrite the startup instructions before the device goes offline. This means that standard software restarts or patching do not remove the infection.
The only foolproof method to eliminate Firestarter is a hard power cycle — physically disconnecting the device from its power source. Cutting power abruptly prevents the malware from executing its survival routine, thus removing the persistent implant.
Detection and Remediation
CISA and the NCSC assess that Firestarter can persist as an active threat on devices running ASA or Firepower Threat Defense (FTD) software, and that this persistence survives patching. This allows attackers to re-access compromised devices without needing to re-exploit the original vulnerabilities.
The advisory orders U.S. federal civilian agencies to:
- Identify all public-facing Cisco ASA platforms they manage
- Collect device artifacts and core dumps
- Submit core dumps to CISA's Malware Next Generation (MNG) platform
- Apply patches for CVE-2025-20333 and CVE-2025-20362
- Conduct further threat hunting as necessary
CISA warns agencies not to take further action without prior consultation, to preserve volatile evidence. Hard power cycles and other changes should be avoided before evidence collection.
According to Cisco, the primary indicator of compromise is the presence of a malicious process named lina_cs. Additional files on disk — /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log — may also indicate Firestarter, though attackers can rename these files. Cisco strongly recommends reimaging and upgrading the device to a fixed software release after a cold restart removes the malware.
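A small hunting helper, added here as an illustration and not part of Cisco's or CISA's tooling, that scans already-collected device artifacts for the indicators named above. The ps-style process lines and the file inventory format are assumptions; as the advisory notes, a miss proves nothing because the files can be renamed, but a hit on the lina_cs process name or either path is a strong signal that warrants escalation before any power cycle.

```python
# Hunting helper for the Firestarter indicators named in the advisory.
# Input formats are assumed: ps-style lines "<pid> <user> <command ...>"
# and a plain list of file paths from a collected artifact bundle.
from typing import Iterable

IOC_PROCESS = "lina_cs"
IOC_FILES = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}


def scan_processes(ps_lines: Iterable[str]) -> list[str]:
    """Flag processes whose executable name is exactly lina_cs."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed or header line, skip
        pid, user, cmd = parts
        # Compare the basename of the executable, not the full command,
        # so "/usr/bin/lina_cs -x" matches and "lina_csd" does not.
        name = cmd.split()[0].rsplit("/", 1)[-1]
        if name == IOC_PROCESS:
            findings.append(f"process {IOC_PROCESS} pid={pid} user={user} cmd={cmd}")
    return findings


def scan_files(paths: Iterable[str]) -> list[str]:
    """Flag any inventoried path that matches a known Firestarter file."""
    return [f"file {p}" for p in paths if p in IOC_FILES]


def hunt(ps_lines: Iterable[str], paths: Iterable[str]) -> list[str]:
    """Combine both checks; an empty list is not a clean bill of health."""
    return scan_processes(ps_lines) + scan_files(paths)


# Constructed sample artifacts (not real device output).
SAMPLE_PS = [
    "1 root /sbin/init",
    "1234 root /usr/bin/lina",
    "1301 root /usr/bin/lina_cs",
    "1310 root /usr/bin/lina_csd",  # near-miss that must not match
]
SAMPLE_FILES = [
    "/usr/bin/lina",
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/etc/hosts",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PS, SAMPLE_FILES):
        print("FINDING:", finding)
```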
Attribution and History
Cisco Talos attributes the Firestarter malware to UAT-4356, a group previously linked to the 2024 ArcaneDoor campaign. That campaign involved compromising Cisco ASA devices using two zero-day vulnerabilities. The emergence of Firestarter suggests the same threat actor continues to target Cisco infrastructure with sophisticated, persistent backdoors.
The ongoing threat highlights the importance of proactive threat hunting and strict adherence to patching schedules, even for security appliances designed to defend networks. Organizations using Cisco firewalls are urged to review their devices for signs of compromise and to coordinate with CISA or their national cybersecurity authority before taking remediation steps.
Source: Help Net Security News