FIRESTARTER Backdoor: Persistent Threat to Cisco Firepower & Secure Firewall
- [01] Immediate impact: APT actors use FIRESTARTER for persistence and remote access on compromised Cisco devices, allowing re-access post-patching.
- [02] Affected systems: Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
- [03] Remediation: Physically unplugging affected devices from all power sources for one minute is the only way to remove FIRESTARTER persistence.
The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC) have issued a joint advisory detailing the FIRESTARTER backdoor, a sophisticated malware employed by APT actors. This threat specifically targets publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The most concerning aspect of FIRESTARTER is its ability to maintain persistence even after affected devices have been patched, enabling threat actors to regain remote access and control without re-exploiting initial vulnerabilities.
According to CISA and the United Kingdom National Cyber Security Centre (NCSC), the analysis of a FIRESTARTER sample from a forensic investigation revealed its design as a Linux Executable and Linkable File (ELF) to operate as a C2 channel. This advisory supplements CISA’s Emergency Directive (ED) 25-03, emphasizing that while patches addressed the initial vulnerabilities, they did not remove FIRESTARTER, highlighting the need for specific, aggressive remediation actions.
Technical Analysis of FIRESTARTER Operations
Initial Compromise and LINE VIPER Deployment
APT actors are assessed to have gained initial access by exploiting vulnerabilities such as CVE-2025-20333 (Missing Authorization) and/or CVE-2025-20362 (Classic Buffer Overflow). While the exact date of initial exploitation is unconfirmed, CISA assesses that it occurred in early September 2025, before patches were applied. Following initial access, the threat actors deployed LINE VIPER, identified as a post-exploitation implant. This allowed them to establish illegitimate Virtual Private Network (VPN) sessions, bypassing authentication policies and leveraging valid but inactive user accounts. LINE VIPER then gave access to critical configuration elements, including administrative credentials, certificates, and private keys. These TTPs align with MITRE ATT&CK techniques such as Exploit Public-Facing Application (T1190), External Remote Services (T1133), and Valid Accounts (T1078).
FIRESTARTER Persistence Mechanisms
FIRESTARTER’s primary function is to establish and maintain persistence. It was deployed on Firepower devices before September 25, 2025, allowing it to survive firmware updates and device reboots. The malware registers a callback function to automatically trigger upon receiving termination signals (e.g., SIGTERM, SIGINT, SIGQUIT, SIGABRT, SIGHUP, SIGTSTP), a method classified under Event Triggered Execution: Unix Shell Configuration Modification (T1546.004). Upon activation, it checks for and creates a specific log directory (/opt/cisco/platform/logs/var/log/) with full permissions, a Privilege Escalation and Defense Evasion technique (T1222).
The malware then copies itself to svc_samcore.log within this reboot-persistent directory. To ensure execution on startup, FIRESTARTER modifies the CSP_MOUNT_LIST file. It appends a script that moves the backdoor from svc_samcore.log to /usr/bin/lina_cs, makes it executable, and runs it in the background. This effectively ensures persistent execution, even through system reboots, and is a key technique for Boot or Logon Autostart Execution (T1547). The malware also employs anti-forensic techniques by deleting original files and modifying timestamps (T1070.004, T1070.006) and redirects stderr to /dev/null to hide its activities (T1564).
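The on-disk artifacts described above (the world-writable log directory, an ELF hidden as svc_samcore.log, the dropped /usr/bin/lina_cs, and the appended CSP_MOUNT_LIST entry) can be checked offline on a mounted disk image. The scanner below is an added example, not CISA's YARA rules or any Cisco tooling; the location of CSP_MOUNT_LIST relative to the image root is an assumption, since the advisory does not state it, and the infected image it builds is constructed test data.

```python
import os
import stat
import tempfile

# Paths relative to the image root, taken from the advisory text.
LOG_DIR = "opt/cisco/platform/logs/var/log"
STAGED_COPY = os.path.join(LOG_DIR, "svc_samcore.log")
DROPPED_BINARY = "usr/bin/lina_cs"
MOUNT_LIST = "CSP_MOUNT_LIST"  # assumption: advisory gives no full path; adjust
ELF_MAGIC = b"\x7fELF"

def scan_image(root):
    """Return (indicator, detail) findings for an image mounted at root."""
    findings = []
    log_dir = os.path.join(root, LOG_DIR)
    if os.path.isdir(log_dir):
        mode = stat.S_IMODE(os.stat(log_dir).st_mode)
        if mode & stat.S_IWOTH:  # "full permissions" in the advisory: world-writable
            findings.append(("log_dir_world_writable", oct(mode)))
    staged = os.path.join(root, STAGED_COPY)
    if os.path.isfile(staged):
        with open(staged, "rb") as f:  # a .log file that is really an ELF binary
            if f.read(4) == ELF_MAGIC:
                findings.append(("elf_disguised_as_log", STAGED_COPY))
    if os.path.isfile(os.path.join(root, DROPPED_BINARY)):
        findings.append(("lina_cs_present", DROPPED_BINARY))
    mount_list = os.path.join(root, MOUNT_LIST)
    if os.path.isfile(mount_list):
        with open(mount_list, errors="replace") as f:
            for n, line in enumerate(f, 1):
                if "svc_samcore.log" in line or "lina_cs" in line:
                    findings.append(("mount_list_tampered", f"line {n}: {line.strip()}"))
    return findings

def build_sample_image(root):
    """Populate root with constructed artifacts that mimic the advisory's description."""
    os.makedirs(os.path.join(root, LOG_DIR))
    os.chmod(os.path.join(root, LOG_DIR), 0o777)
    with open(os.path.join(root, STAGED_COPY), "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01")  # constructed ELF header stub, not a binary
    os.makedirs(os.path.join(root, "usr/bin"))
    open(os.path.join(root, DROPPED_BINARY), "wb").close()
    with open(os.path.join(root, MOUNT_LIST), "w") as f:
        f.write("# constructed entry\nsvc_samcore.log -> /usr/bin/lina_cs\n")

def demo():
    """Scan a clean root and a constructed infected root; returns (clean, infected)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as bad:
        build_sample_image(bad)
        return scan_image(clean), scan_image(bad)
```

A hit on any indicator should be followed by the core-dump and YARA procedure the advisory describes, since a clean filesystem does not rule out the in-memory stage.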
Memory Manipulation and Shellcode Injection
FIRESTARTER actively manipulates the device’s core engine, LINA. It enumerates LINA’s virtual memory map to locate writable segments, specifically targeting the XML Handler element table. It then injects shellcode 0x200 bytes before the end of the libstdc++.so library’s text segment, establishing a detour for the XML element handler (Process Injection, T1055). This injected shellcode is triggered by WebVPN requests containing specific XML tags and hard-coded victim IDs. Upon successful verification, the malware loads its next stage by copying it into LINA’s memory and invoking mprotect to enable execution (Create or Modify System Process, T1543), allowing for continued remote access and control.
Detection and Incident Response for the FIRESTARTER Backdoor on Cisco Firepower
Effective detection of FIRESTARTER primarily relies on memory analysis, as the malware is designed to be stealthy and not generate observable log events in standard monitoring platforms.
YARA Rule-Based Detection
For most organizations, CISA and NCSC recommend using the CISA-provided YARA rules. These rules detect FIRESTARTER in either a disk image or a core dump taken from a potentially compromised device. Acquiring these forensic artifacts requires specific procedures: for disk images, opening a Cisco Technical Assistance Center (TAC) case is advised; for core dumps, CISA’s Supplemental Direction for ED 25-03 provides detailed instructions. This method is the principal way to identify FIRESTARTER persistence on Cisco ASA devices compromised via CVE-2025-20333 and similar intrusions.
Incident Response Protocol and Removing FIRESTARTER Malware Persistence
If FIRESTARTER malware is detected, prompt incident response is critical. For U.S. Federal Civilian Executive Branch (FCEB) agencies, the process involves collecting core dumps, submitting them to CISA’s Malware Next Generation (MNG) platform, and reporting findings to CISA’s 24/7 Operations Center. Crucially, FCEB agencies must not take further action, especially a hard power cycle, without CISA guidance to preserve forensic evidence.
For other U.S. and U.K. organizations, if FIRESTARTER is confirmed, the recommended remediation for removing its persistence is a physical power cycle. This involves:
- Locating the physical device and unplugging it from all power sources (including redundant ones) while it is still powered on.
- Leaving the device completely disconnected for one minute.
- Reconnecting the device to its power source and allowing it to reboot.
This physical disconnection is assessed to be the only method to fully remove FIRESTARTER’s persistence. Organizations must also activate internal incident response plans to assess potential Lateral Movement and impact, and report findings to CISA or NCSC.
Proactive Mitigations for Cisco Devices
To enhance cybersecurity posture and defend against threats like FIRESTARTER, CISA and NCSC recommend the following mitigations, aligning with Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0):
- Regular Patching: Maintain all systems and software with the latest security patches, prioritizing vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. While patching helps prevent initial access, specialized guidance (like Cisco’s Security Advisory) is needed for post-compromise remediation of persistent malware.
- Device Inventory and Monitoring: Maintain a comprehensive inventory of all network edge devices, especially Cisco devices. Continuously monitor these devices for suspicious network connections that correlate with known TTPs of APT actors.
- Privileged Account Security: Monitor and audit activity for all accounts with elevated privileges (network administrators, service accounts) to detect unauthorized use or anomalous behavior. Implement the principle of least privilege, restricting service accounts to only necessary permissions.
- Password Rotation: Regularly rotate passwords for privileged accounts. This invalidates compromised credentials and increases the likelihood of detecting threat actor attempts to re-establish access.
- Modernized Administrative Access: Implement TACACS+ over TLS 1.3 for administrative access controls. This encrypts Authentication, Authorization, and Accounting traffic, safeguarding credentials and reducing interception risks.