---
title: "FIRESTARTER Backdoor: Critical Threat to Cisco Firewalls Uncovered"
short_title: "FIRESTARTER backdoor targets Cisco firewalls"
description: "CISA and NCSC warn of FIRESTARTER malware targeting Cisco Firepower and Secure Firewall devices. Learn how to detect, mitigate, and respond to this persistent backdoor threat."
author: "Vitus"
date: 2024-10-22
categories: [Cybersecurity, Malware]
tags: [firestarter, cisco, malware, apt, cve-2025-20333]
score: 0.92
cve_ids: [CVE-2025-20333, CVE-2025-20362]
---
## TL;DR
CISA and the UK’s NCSC have identified FIRESTARTER, a backdoor deployed on Cisco Firepower and Secure Firewall devices after exploitation of CVE-2025-20333 and CVE-2025-20362. It maintains persistence even after the vulnerabilities are patched and gives advanced persistent threat (APT) actors continued remote access. Organizations must act now to detect, mitigate, and report this critical threat.
## Main Content
### Introduction
The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom National Cyber Security Centre (NCSC) have issued an urgent advisory about FIRESTARTER, a newly discovered backdoor targeting Cisco Firepower and Secure Firewall devices. The malware, attributed to APT actors, is installed after critical vulnerabilities in the devices have been exploited and then establishes its own persistence, so threat actors retain access to compromised devices even after patches are applied. The discovery underscores the evolving tactics of cyber adversaries and the need for proactive defense measures.
### Key Points
- Targeted Systems: FIRESTARTER specifically targets Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
- Exploitation of Vulnerabilities: Initial access comes from CVE-2025-20362 (Missing Authorization: an authentication bypass for restricted VPN web server endpoints) chained with CVE-2025-20333 (Classic Buffer Overflow in the VPN web server, giving remote code execution). Neither vulnerability is used for persistence; FIRESTARTER supplies that itself.
- Persistence Mechanism: FIRESTARTER survives firmware updates and reboots, making it a long-term threat unless physically power-cycled.
- Detection and Response: CISA and NCSC provide YARA rules for detection and urge organizations to report findings immediately.
- Impact: APT actors can regain access to compromised devices without re-exploiting vulnerabilities, posing severe risks to government and critical infrastructure sectors.
### Technical Details
#### How FIRESTARTER Works
FIRESTARTER is a Linux Executable and Linkable Format (ELF) binary built to run on Cisco Firepower and Secure Firewall devices. It provides a command and control (C2) channel that gives threat actors remote access to and control of the device. Its functionality breaks down as follows:
1. Initialization:
- Upon execution, FIRESTARTER accesses its binary located at /usr/bin/lina_cs and copies its contents into memory.
- It registers a callback function triggered by termination signals (e.g., SIGTERM, SIGINT, SIGHUP), ensuring it persists through shutdowns.
2. Persistence:
- The malware creates a reboot-persistent directory (/opt/cisco/platform/logs/var/log/) and writes a copy of itself there under the name svc_samcore.log, so the implant masquerades as a log file.
- It modifies the CSP_MOUNT_LIST file to ensure it executes during system startup, even after firmware updates.
3. Memory Scanning and Hook Installation:
- FIRESTARTER scans the device’s memory to locate the LINA engine, the core component for network processing and security functions.
- It installs a hook within LINA to execute arbitrary shellcode, enabling the deployment of additional malware like LINE VIPER.
4. Shellcode Injection:
- The malware injects shellcode into the libstdc++.so library, allowing it to intercept and modify WebVPN requests.
- It verifies victim-specific IDs embedded in WebVPN requests to load the next stage of the attack.
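The persistence mechanism above leaves two on-disk artifacts a defender can look for in an extracted root filesystem: an ELF stored where only a text log should be, and a CSP_MOUNT_LIST that references it. The script below is an added triage example, not the CISA/NCSC YARA rules and not code from the advisory. It walks an image root, flags any ELF under /opt/cisco/platform/logs/var/log/, and flags any CSP_MOUNT_LIST mentioning svc_samcore.log. The location and line format of CSP_MOUNT_LIST in the sample image are assumptions made for the demo, and the sample image itself is constructed in a temporary directory rather than taken from a device.

```python
# Added triage example (not CISA/NCSC's YARA rules, not code from the advisory):
# checks an extracted Cisco Firepower/ASA root filesystem for the two on-disk
# FIRESTARTER persistence artifacts described in the text:
#   1. an ELF binary stored as /opt/cisco/platform/logs/var/log/svc_samcore.log
#   2. a CSP_MOUNT_LIST entry that references that file
# Assumptions: CSP_MOUNT_LIST is searched for anywhere under the image root and
# treated as plain text; build_sample_image() fabricates a sample image whose
# CSP_MOUNT_LIST location and line format are invented for this demo.
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
PERSIST_DIR = Path("opt/cisco/platform/logs/var/log")   # path named in the advisory
PERSIST_FILE = "svc_samcore.log"                         # file name from the advisory
MOUNT_LIST = "CSP_MOUNT_LIST"                            # file name from the advisory


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic; a real '.log' never should."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_mount_list_refs(root: Path, needle: str) -> list:
    """Every CSP_MOUNT_LIST under root whose text mentions `needle`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if MOUNT_LIST not in files:
            continue
        p = Path(dirpath) / MOUNT_LIST
        try:
            if needle in p.read_text(errors="replace"):
                hits.append(p)
        except OSError:
            continue
    return hits


def triage_image(root: Path) -> dict:
    """Run both checks; 'suspicious' is True if either artifact is present."""
    elf_hits = []
    logdir = root / PERSIST_DIR
    if logdir.is_dir():
        elf_hits = [p for p in sorted(logdir.iterdir())
                    if p.is_file() and is_elf(p)]
    mount_hits = find_mount_list_refs(root, PERSIST_FILE)
    return {
        "elf_in_logdir": elf_hits,
        "mount_list_refs": mount_hits,
        "suspicious": bool(elf_hits or mount_hits),
    }


def build_sample_image(infected: bool) -> Path:
    """Constructed sample root filesystem for the demo (not a real device image)."""
    root = Path(tempfile.mkdtemp(prefix="fs_triage_"))
    logdir = root / PERSIST_DIR
    logdir.mkdir(parents=True)
    if infected:
        # Minimal fake ELF header: magic, 64-bit/little-endian/version bytes, padding.
        payload = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13
    else:
        payload = b"2025-09-25 10:00:01 samcore: service started\n"  # constructed log line
    (logdir / PERSIST_FILE).write_bytes(payload)

    mount = root / "opt" / "cisco" / "platform" / MOUNT_LIST   # assumed location
    lines = ["/mnt/disk0\n"]                                     # invented benign entry
    if infected:
        lines.append(f"/{PERSIST_DIR}/{PERSIST_FILE}\n")         # invented entry format
    mount.write_text("".join(lines))
    return root


if __name__ == "__main__":
    for flag in (True, False):
        result = triage_image(build_sample_image(flag))
        print("infected" if flag else "clean", "->", result)
```

Run it against a mounted or extracted image root instead of the constructed sample by calling `triage_image(Path("/mnt/image"))`; treat any hit as a reason to preserve the device and follow the reporting steps below rather than as a complete verdict, since an attacker who renames the file or edits the mount list differently will not trip these two checks.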
### Impact Assessment
FIRESTARTER poses a severe threat to organizations relying on Cisco Firepower and Secure Firewall devices. Key implications include:
- Long-Term Compromise: Because the malware persists through patches and reboots, a compromised device stays under attacker control indefinitely unless it is physically power-cycled; patching alone does not evict it.
- Remote Access: APT actors can regain access to compromised devices without re-exploiting vulnerabilities, enabling lateral movement and data exfiltration.
- Targeted Sectors: Government and critical infrastructure organizations are primary targets, with potential risks to national security and public safety.
- Evasion Techniques: FIRESTARTER employs anti-forensic techniques, such as redirecting error messages to /dev/null and modifying file timestamps, to evade detection.
### Attack Vector
APT actors gain initial access by exploiting CVE-2025-20362 to bypass authentication on the VPN web server of Cisco ASA and FTD software and CVE-2025-20333 to execute code on the device. Once inside, they deploy LINE VIPER, a post-exploitation implant, followed by FIRESTARTER to maintain persistence. Because FIRESTARTER survives firmware updates, threat actors can re-enter compromised devices without re-exploiting the vulnerabilities, which is what makes it particularly dangerous.
### Mitigation Steps
CISA and NCSC recommend the following actions to mitigate the threat posed by FIRESTARTER:
#### For U.S. Federal Civilian Executive Branch (FCEB) Agencies:
1. Collect and Submit Core Dumps: Generate core dumps from affected Cisco devices and submit them to CISA’s Malware Next-Gen (MNG) platform.
2. Report Immediately: Notify CISA’s 24/7 Operations Center of any submissions related to FIRESTARTER.
3. Follow CISA Guidance: Do not take further action until directed by CISA to preserve evidence.
#### For All Other Organizations:
1. Deploy YARA Rules: Use the provided YARA rules to detect FIRESTARTER in disk images or core dumps.
2. Report Findings: Notify CISA or NCSC if FIRESTARTER is detected.
3. Incident Response: If compromise is confirmed, physically unplug the device from power to remove the malware’s persistence, then follow incident response protocols.
#### General Mitigations:
- Patch Management: Prioritize patching vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, including CVE-2025-20333 and CVE-2025-20362.
- Monitor Network Edge Devices: Inventory and monitor Cisco Firepower and Secure Firewall devices for suspicious activity.
- Apply Least Privilege: Restrict administrative and service account permissions to minimize potential damage.
- Rotate Credentials: Regularly update passwords for privileged accounts to invalidate compromised credentials.
- Modernize Access Controls: Implement TACACS+ over TLS 1.3 to encrypt administrative traffic and protect credentials.
## Conclusion
The discovery of FIRESTARTER highlights the evolving sophistication of APT actors and the critical importance of proactive cybersecurity measures. Organizations must act swiftly to detect, mitigate, and report this threat to prevent long-term compromise. By following CISA and NCSC guidance, which includes patching the exploited vulnerabilities, deploying the published YARA rules, and physically power-cycling infected devices, organizations can reduce their risk and protect critical infrastructure from this persistent backdoor.
For more details, refer to CISA’s Malware Analysis Report (MAR) and Cisco’s Security Advisory.
## References
[^1]: CISA. "AR26-113A: FIRESTARTER Backdoor". Retrieved 2024-10-22.
[^2]: NCSC. "LINE VIPER Malware Analysis Report". Retrieved 2024-10-22.
[^3]: Cisco. "Security Advisory: Cisco ASA and FTD Software Persistence Vulnerabilities". Retrieved 2024-10-22.
[^4]: MITRE ATT&CK. "MITRE ATT&CK Framework". Retrieved 2024-10-22.