U.S. and U.K. authorities disclosed that a state-sponsored group implanted a custom backdoor called Firestarter on Cisco network security devices; the implant survives firmware updates and standard reboots, enabling long-term persistence. The discovery, attributed by Cisco Talos to threat actor UAT-4356 and related to earlier ArcaneDoor activity, prompted an emergency CISA directive requiring federal agencies to audit affected appliances and submit memory snapshots. #Firestarter #UAT-4356
Key points
- CISA and the U.K. NCSC identified the persistent backdoor, code-named Firestarter, on Cisco Firepower and Secure Firewall devices.
- Firestarter achieves persistence by rewriting the Service Platform mount list and copying itself so it survives software patches and standard reboots.
- The implant injects shellcode into LINA to intercept specific VPN authentication requests and execute attacker-supplied code when triggered.
- Attackers exploited CVE-2025-20333 and CVE-2025-20362 for initial access and used a separate implant, Line Viper, to harvest credentials and keys.
- CISA issued an emergency directive requiring federal agencies to audit devices and submit memory snapshots; Cisco advises reimaging suspected devices and offers technical assistance.
Read More: https://cyberscoop.com/cisco-firestarter-malware-cisa-warning/