Cisco Firepower Devices Targeted by UAT-4356 - Alert

UAT-4356 is actively exploiting vulnerabilities in Cisco Firepower devices, deploying the FIRESTARTER backdoor. This poses a significant risk of unauthorized access. Immediate mitigation is necessary.

Malware & Ransomware · Severity: HIGH

Original Reporting

Cisco Talos Intelligence · Cisco Talos

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯 Basically, a hacker group is using weaknesses in Cisco devices to take control of them.

What Happened

Cisco Talos has reported that the threat actor group UAT-4356 is actively targeting Cisco Firepower devices, specifically exploiting vulnerabilities in the Firepower eXtensible Operating System (FXOS). They leveraged n-day vulnerabilities, including CVE-2025-20333 and CVE-2025-20362, to gain unauthorized access to these devices. Once inside, UAT-4356 deployed a custom backdoor known as FIRESTARTER that allows them to control the devices remotely.

How It Works

FIRESTARTER is a sophisticated backdoor that integrates itself into the LINA process, a critical component of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) systems. This backdoor can execute arbitrary code and is designed to maintain persistence on compromised devices. It achieves this by manipulating the CSP_MOUNT_LIST, ensuring that it can execute upon device reboots.

Persistence Mechanism

The persistence mechanism of FIRESTARTER is particularly concerning. It triggers during a graceful reboot, allowing the backdoor to restore itself and execute again. A hard reboot can remove the backdoor, but organizations should still act quickly to mitigate this threat rather than rely on that alone.

Detection Guidance

Organizations should be vigilant for the presence of specific artifacts that may indicate a FIRESTARTER infection. Look for:

  • Filenames such as lina_cs and svc_samcore.log on the device.
  • A lina_cs process appearing in the output of the command: show kernel process | include lina_cs.

These indicators can help in identifying compromised devices. For comprehensive detection guidance, Cisco's Security Advisory provides further insights and recommendations.
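The two indicators above can be checked mechanically once the command output and a file listing have been collected from a device. The following triage helper is an added example and is not code from Cisco Talos or CyberPings; the process-output and file-listing formats it parses are constructed approximations (real FXOS output may differ), and the paths under /ngfw are hypothetical. It matches on exact basenames so that the legitimate lina process is not confused with the lina_cs indicator.

```python
"""Triage helper for the FIRESTARTER indicators named in the alert.

Added example, not part of the original report. Inputs:
  * the output of `show kernel process | include lina_cs`
  * a file listing that may contain lina_cs or svc_samcore.log
Both sample inputs below are constructed; real device output may differ,
so matching works on whitespace-separated tokens rather than fixed columns.
"""
from dataclasses import dataclass

# Indicators taken from the alert text.
SUSPECT_PROCESS = "lina_cs"
SUSPECT_FILENAMES = {"lina_cs", "svc_samcore.log"}

# Constructed sample: an approximation of a `show kernel process` line.
SAMPLE_PROCESS_OUTPUT = """\
  4123  root    S    0:00  /ngfw/usr/bin/lina_cs
"""

# Constructed sample file listing with hypothetical paths.
SAMPLE_FILE_LISTING = """\
-rw-r--r-- 1 root root    0 Jan 01 00:00 /ngfw/var/log/messages
-rw-r--r-- 1 root root  412 Jan 01 00:00 /ngfw/var/log/svc_samcore.log
-rwxr-xr-x 1 root root 9010 Jan 01 00:00 /ngfw/usr/bin/lina_cs
"""

# Constructed clean samples: the legitimate lina process must not match.
CLEAN_PROCESS_OUTPUT = "  100  root    S    0:05  /ngfw/usr/bin/lina\n"
CLEAN_FILE_LISTING = "-rw-r--r-- 1 root root 0 Jan 01 00:00 /ngfw/var/log/messages\n"


@dataclass(frozen=True)
class Finding:
    indicator: str   # which indicator from the alert matched
    source: str      # "process" or "file"
    evidence: str    # the raw line that matched, for the incident record


def _basename_tokens(line):
    # Yield the last path component of every field, so both
    # "/ngfw/usr/bin/lina_cs" and a bare "lina_cs" yield "lina_cs".
    for field in line.split():
        yield field.rsplit("/", 1)[-1]


def scan_process_output(text):
    """Flag lines whose process basename is exactly lina_cs."""
    findings = []
    for line in text.splitlines():
        if SUSPECT_PROCESS in set(_basename_tokens(line)):
            findings.append(Finding(SUSPECT_PROCESS, "process", line.strip()))
    return findings


def scan_file_listing(text):
    """Flag lines that name one of the suspect files (one finding per line)."""
    findings = []
    for line in text.splitlines():
        for name in _basename_tokens(line):
            if name in SUSPECT_FILENAMES:
                findings.append(Finding(name, "file", line.strip()))
                break
    return findings


def triage(process_output, file_listing):
    """Combine both scans into a summary a responder can act on."""
    findings = scan_process_output(process_output) + scan_file_listing(file_listing)
    return {
        "indicators": sorted({f.indicator for f in findings}),
        "findings": findings,
        "suspect": bool(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_OUTPUT, SAMPLE_FILE_LISTING)
    print("suspect:", result["suspect"], "indicators:", result["indicators"])
    for f in result["findings"]:
        print(f"  [{f.source}] {f.indicator}: {f.evidence}")
```

A device that reports suspect=True should be handled under the mitigation steps in Cisco's advisory; a negative result from this script only means these two named artifacts were not seen in the collected text, not that the device is clean.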

Mitigation Steps

To mitigate the impact of FIRESTARTER, Cisco customers are advised to follow the recommended steps in Cisco's advisory. Key actions include:

  • Reimaging affected devices to eliminate the backdoor.
  • For devices not in lockdown mode, killing the lina_cs process and reloading the device can temporarily mitigate the threat.
  • Keeping security systems updated with the latest Snort rules and ClamAV signatures to detect related threats.

Conclusion

The ongoing targeting of Cisco Firepower devices by UAT-4356 highlights the importance of vigilance in cybersecurity practices. Organizations are urged to implement the recommended mitigation strategies promptly to protect their network perimeter devices from this sophisticated threat.

🔒 Pro Insight

The persistence mechanism utilized by FIRESTARTER is a sophisticated method that could inspire similar tactics in future malware campaigns.
