FIRESTARTER Malware - Analysis Report Unveils Threats

CISA and NCSC have identified FIRESTARTER malware as a significant threat to Cisco devices. This backdoor enables persistent access for APT actors. Organizations are urged to take immediate action to detect and mitigate this threat.

Category: Malware & Ransomware · Severity: HIGH

Original reporting: CISA Advisories (CISA)

AI summary by CyberPings AI, reviewed by Rohit Rana

🎯 Basically, FIRESTARTER is malware that lets hackers control Cisco devices secretly.

What Happened

The Cybersecurity and Infrastructure Security Agency (CISA) has released an analysis of the FIRESTARTER malware, revealing its use by advanced persistent threat (APT) actors. This malware specifically targets Cisco Firepower and Secure Firewall devices, allowing attackers to maintain persistent access even after vulnerabilities are patched.

Who's Being Targeted

FIRESTARTER primarily affects organizations using Cisco Firepower devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The malware has been observed in the wild, emphasizing the need for immediate attention from organizations in the government and critical infrastructure sectors.

Signs of Infection

Organizations should be vigilant for signs of FIRESTARTER infection, which may include unusual network traffic or unauthorized access attempts on Cisco devices. CISA recommends using YARA rules to detect this malware in disk images or core dumps of affected devices.

How to Protect Yourself

To mitigate the risks associated with FIRESTARTER, organizations should:

Detection

  1. Collect and submit core dumps to CISA’s Malware Next Generation platform.
  2. Report any findings to CISA or the NCSC.
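The report says to run CISA's YARA rules over disk images or core dumps of affected devices and to submit the dumps for analysis; the rules themselves are not reproduced on this page. As an added example (not from CISA, the NCSC or the original report), here is a small Python triage helper for the surrounding workflow: it hashes every collected dump for the submission record and scans large files for operator-supplied byte signatures in chunks, keeping an overlap so a pattern that straddles a chunk boundary is still found. The SIGNATURES dictionary, the demo dump and the file names are constructed placeholders, not FIRESTARTER indicators; in practice the matching step is where yara-python or the yara CLI with CISA's rules would go.

```python
"""Triage helper for collected Cisco device core dumps (added example).

Assumptions, none of them from the CISA report:
  - SIGNATURES is a CONSTRUCTED placeholder, not a FIRESTARTER indicator.
  - The operator substitutes CISA's YARA rules for the byte-match step.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so multi-GB dumps fit in memory

# Constructed placeholder signature: name -> bytes. Replace with real rules.
SIGNATURES: Dict[str, bytes] = {
    "placeholder_marker": b"EXAMPLE-MARKER-NOT-AN-IOC",
}


def sha256_file(path: str) -> str:
    """Hash an artefact in chunks; the digest goes in the report to CISA/NCSC."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def scan_file(path: str, signatures: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Return (signature_name, absolute_offset) for every hit in the file.

    Keeps the last len(longest signature) - 1 bytes of the previous chunk in
    front of the next one, so a pattern crossing a chunk boundary is not missed
    (a classic bug in naive chunked scanners). Hits are deduplicated because
    the overlap region is scanned twice.
    """
    if not signatures:
        return []
    overlap = max(len(s) for s in signatures.values()) - 1
    seen = set()
    tail = b""
    base = 0  # absolute file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK_SIZE)
            if not block:
                break
            buf = tail + block
            for name, sig in signatures.items():
                start = 0
                while (idx := buf.find(sig, start)) >= 0:
                    seen.add((name, base + idx))
                    start = idx + 1
            if overlap > 0:
                tail = buf[-overlap:]
                base += len(buf) - len(tail)
            else:
                tail = b""
                base += len(buf)
    return sorted(seen, key=lambda t: (t[1], t[0]))


def triage_directory(root: str, signatures: Dict[str, bytes] = SIGNATURES) -> List[dict]:
    """Walk a directory of collected dumps and build one report entry per file."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            report.append({"path": path, "sha256": sha256_file(path),
                           "hits": scan_file(path, signatures)})
    return report


def build_demo_dump(path: str) -> List[int]:
    """Write a CONSTRUCTED dump: zero filler with the placeholder marker at
    two offsets, the second one straddling the 1 MiB chunk boundary."""
    marker = SIGNATURES["placeholder_marker"]
    offsets = [100, CHUNK_SIZE - 5]
    data = bytearray(CHUNK_SIZE + 4096)
    for off in offsets:
        data[off:off + len(marker)] = marker
    with open(path, "wb") as fh:
        fh.write(data)
    return offsets


def demo() -> List[dict]:
    """Create a temp directory with one constructed dump and triage it."""
    tmp = tempfile.mkdtemp()
    build_demo_dump(os.path.join(tmp, "core.dump"))
    return triage_directory(tmp)


if __name__ == "__main__":
    for entry in demo():
        print(entry["path"], entry["sha256"])
        for name, off in entry["hits"]:
            print(f"  {name} at offset {off:#x}")
```

The hash is computed before any matching so the submission record is independent of whether the scan finds anything; a dump with no hits should still be submitted if the device is suspected compromised, since the page notes that CISA wants the core dumps themselves, not only positive findings.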

Threat Actor Activity

CISA assesses that APT actors gained initial access to Cisco devices by exploiting vulnerabilities CVE-2025-20333 and CVE-2025-20362. These vulnerabilities allowed attackers to deploy FIRESTARTER as a backdoor, enabling them to regain access without needing to exploit the original vulnerabilities again.

Malware Functionality

FIRESTARTER is designed to run on Linux-based Cisco devices, functioning as a command and control (C2) channel. It achieves persistence by relaunching itself upon termination and can survive firmware updates. The malware also installs hooks within the device's core engine, allowing it to execute arbitrary commands from the attackers.

Key Actions for Organizations

CISA has outlined specific actions for U.S. Federal Civilian Executive Branch agencies and other organizations to take in response to this threat. These include using detection rules, reporting findings, and following guidance from CISA for remediation.

Organizations must remain proactive in monitoring their networks and implementing the necessary security measures to protect against FIRESTARTER and similar threats.

🔒 Pro Insight

The persistence mechanism of FIRESTARTER highlights the need for continuous monitoring and rapid response to APT threats in critical infrastructure.
