CISA: US agency breached through Cisco vulnerability, FIRESTARTER backdoor allowed access through March

CISA reported that a U.S. federal agency was breached through vulnerabilities in Cisco ASA/Firepower devices and that the compromised device was infected with malware named FIRESTARTER. The implant gave the attackers persistence, so they could regain access later without re-exploiting the original flaws, which means a device that has since been patched can still be backdoored. CISA issued updated advisories and an emergency directive requiring agencies to check devices for infection, inventory their Cisco ASA/Firepower fleet, and follow the remediation steps, and warned that the attackers also deployed Line Viper to bypass VPN authentication. #FIRESTARTER #LineViper

Key points

  • CISA detected FIRESTARTER on a U.S. federal agency’s Cisco Firepower device after identifying suspicious connections.
  • FIRESTARTER provides persistence, enabling attackers to regain access without re-exploiting CVE-2025-20333 and CVE-2025-20362.
  • Threat actors also used Line Viper to establish illegitimate VPN sessions that bypass authentication and steal credentials, certificates, and keys.
  • CISA and the U.K. NCSC issued updated advisories and directed federal agencies to perform specific malware checks, inventory devices, and report findings.
  • The campaign is linked to previously identified state-aligned activity (ArcaneDoor, Volt Typhoon, Flax Typhoon); because the implant persists independently of the exploited flaws, systems that were patched after the initial intrusion may still harbor it and must be checked rather than assumed clean.

Read More: https://therecord.media/cisa-us-agency-breached-cisco-vulnerability-backdoor