FIRESTARTER Backdoor Malware Analysis
The Cybersecurity and Infrastructure Security Agency (CISA) has conducted an analysis of a sample of FIRESTARTER malware obtained from a forensic investigation. CISA, along with the United Kingdom National Cyber Security Centre (NCSC), has determined that advanced persistent threat (APT) actors are utilizing FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
CISA and NCSC are releasing this Malware Analysis Report to share insights on a FIRESTARTER malware sample operating as a backdoor and to urge organizations to take essential response actions. Notably, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.
Key Findings 🔍
- FIRESTARTER is a backdoor that gives the actors remote access to and control of the device. It is part of a widespread campaign in which APT actors gained initial access to Cisco Adaptive Security Appliance (ASA) devices by exploiting vulnerabilities including CVE-2025-20333 and CVE-2025-20362.
- FIRESTARTER persists on Cisco devices running ASA or FTD software even after the exploited vulnerabilities have been patched, so the actors can regain access to a compromised device without re-exploiting it. Patching alone therefore does not evict the implant.
- APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER to maintain continued access to the compromised device.
Technical Details 💻
FIRESTARTER is a Linux Executable and Linkable Format (ELF) binary built to run on Cisco Firepower and Secure Firewall devices. It gives the actors a command and control (C2) channel for remote access and control. The malware maintains persistence by catching termination signals and relaunching itself, and it survives software updates and device reboots unless the device undergoes a hard power cycle.
CISA and NCSC recommend that U.S. and U.K. organizations run the YARA rules published in the report against a disk image or core dump taken from the device and report any matches to CISA or NCSC. If compromise is confirmed, organizations should carry out full incident response actions rather than relying on patching alone.
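Running YARA over a multi-gigabyte raw disk image or core dump yields byte offsets rather than files, which makes hashing, sharing and re-scanning a hit awkward. A common first step is to carve every well-formed ELF image out of the dump so each one can be hashed and scanned on its own. The script below is an added example written for this page, not code from the CISA/NCSC report; the ELF header layout it parses is the public ELF specification, while the sample "image" (a zero-filled blob holding one constructed ELF64 and one bogus magic string) is built in-memory so the script runs offline and contains no real malware. The YARA rule file name used in the usage note is a placeholder.

```python
"""Carve ELF images out of a raw disk image or core dump so that each one can
be hashed and scanned with YARA individually.

Added example for this page, not CISA/NCSC code. The sample image and the
ELF inside it are constructed below and contain no real malware.
"""
import hashlib
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4  # e_type value for a core dump, which is itself an ELF file


def parse_elf_header(buf, off):
    """Parse the ELF header at buf[off:].

    Returns {"e_type": ..., "size": ...} where size is the byte length of the
    image, taken as the end of the section header table (or of the program
    header table when the file has no sections). Returns None when the magic,
    class or byte order is invalid, or when a table points outside the buffer.
    """
    if buf[off:off + 4] != ELF_MAGIC or len(buf) - off < 52:
        return None
    ei_class, ei_data = buf[off + 4], buf[off + 5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_entry/e_phoff/e_shoff are 8 bytes
        fmt, ehsize = endian + "HHIQQQIHHHHHH", 64
    else:              # ELF32: they are 4 bytes
        fmt, ehsize = endian + "HHIIIIIHHHHHH", 52
    if len(buf) - off < ehsize:
        return None
    (e_type, _machine, _version, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum,
     _shstrndx) = struct.unpack_from(fmt, buf, off + 16)
    if e_shoff and e_shnum and e_shentsize:
        end = e_shoff + e_shnum * e_shentsize
    elif e_phoff and e_phnum and e_phentsize:
        end = e_phoff + e_phnum * e_phentsize
    else:
        return None
    if end < ehsize or end > len(buf) - off:
        return None
    return {"e_type": e_type, "size": end}


def carve_elfs(image):
    """Return [(offset, bytes)] for every well-formed ELF found in image.

    A core dump is itself an ELF (ET_CORE); it is recorded but scanning
    continues inside it, because an implant's pages may be mapped in the dump.
    For any other ELF the search resumes after its last byte.
    """
    found = []
    pos = image.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(image, pos)
        if hdr is None:  # bogus magic or corrupt header: step past it
            pos = image.find(ELF_MAGIC, pos + 1)
            continue
        found.append((pos, image[pos:pos + hdr["size"]]))
        step = 1 if hdr["e_type"] == ET_CORE else hdr["size"]
        pos = image.find(ELF_MAGIC, pos + step)
    return found


def write_carved(image, outdir):
    """Write each carved ELF to outdir as <offset>_<sha256 prefix>.elf and
    return the written paths, ready for `yara -r <rules> <outdir>`."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for off, data in carve_elfs(image):
        digest = hashlib.sha256(data).hexdigest()
        path = outdir / f"{off:#010x}_{digest[:16]}.elf"
        path.write_bytes(data)
        paths.append(path)
    return paths


def build_sample_elf64():
    """Constructed ELF64: 64-byte header, one PT_LOAD program header, 32 bytes
    of NOP padding, then a 2-entry section header table (total 280 bytes)."""
    e_phoff = 64
    code_off = 64 + 56
    code = b"\x90" * 32
    e_shoff = code_off + len(code)       # 152
    e_shnum = 2
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1,
                                 0x400000 + code_off, e_phoff, e_shoff, 0,
                                 64, 56, 1, 64, e_shnum, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, code_off, 0x400000 + code_off,
                       0x400000 + code_off, len(code), len(code), 0x1000)
    return header + phdr + code + b"\x00" * (64 * e_shnum)


def build_sample_image():
    """Constructed 4 KiB 'disk image': a bogus ELF magic at 0x100 (invalid
    class byte) and the sample ELF64 at 0x400."""
    image = bytearray(0x1000)
    decoy = ELF_MAGIC + b"\xff" * 60
    image[0x100:0x100 + len(decoy)] = decoy
    elf = build_sample_elf64()
    image[0x400:0x400 + len(elf)] = elf
    return bytes(image)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as outdir:
        for path in write_carved(build_sample_image(), outdir):
            print(path.name, path.stat().st_size)
```

On a real image, read the file with `Path("disk.img").read_bytes()` (or mmap it), run `write_carved`, then point the report's YARA rules at the output directory, for example `yara -r firestarter.yar carved/` (the rule file name is a placeholder). The size heuristic assumes the section header table sits at the end of the file, which holds for normally linked binaries; a packed or deliberately mangled ELF may be truncated by it, so treat a carved file as a triage artifact and keep the original image and offset for the final answer.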
For further details, read the complete CISA and NCSC Malware Analysis Report.