Full Report
Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. [...]
Analysis Summary
# Tool/Technique: Firestarter
## Overview
Firestarter is a sophisticated custom backdoor (ELF binary) designed to target Cisco networking equipment. It is specifically engineered to maintain persistence on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. Its primary purpose is to provide long-term, out-of-band remote access for cyberespionage, remaining resilient even through firmware updates, security patches, and soft reboots.
## Technical Details
- **Type:** Malware (Backdoor / Implant)
- **Platform:** Cisco ASA and FTD (Cisco Firepower/Secure Firewall)
- **Capabilities:** Persistence, shellcode execution, process hooking/injection.
- **First Seen:** September 2025 (assessed)
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1542.004 - Pre-OS Boot: ROMMON Kit] (Conceptual similarity in targeting firmware-level persistence)
- [T1133 - External Remote Services]
- **[TA0004 - Privilege Escalation]**
- [T1055 - Process Injection]
- **[TA0005 - Defense Evasion]**
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **Sophisticated Persistence:** Modifies the `CSP_MOUNT_LIST` boot/mount file to ensure it executes automatically on device startup.
- **Resilience:** The malware survives security patches and firmware updates. It also features an auto-restart routine; if the process is terminated, it relaunches immediately.
- **Process Hooking:** Hooks into **LINA** (the core Cisco ASA process) by modifying XML handlers.
- **Shellcode Execution:** Injects shellcode into memory to create a controlled execution path for attacker-provided payloads.
### Advanced Features
- **In-Memory Payloads:** Triggers shellcode via specially crafted WebVPN requests. It validates a hardcoded identifier before loading payloads directly into memory to avoid disk-based detection.
- **Recovery Mechanism:** Stores a backup copy of itself hidden in log directories (`/opt/cisco/platform/logs/var/log/svc_samcore.log`) to restore the primary binary (`/usr/bin/lina_cs`) if deleted.
- **Signal Handling:** Uses specific signal handlers triggered during "graceful reboots" to initiate reinstallation routines.
## Indicators of Compromise
- **File Names:**
- `/usr/bin/lina_cs` (Active backdoor binary)
- `/opt/cisco/platform/logs/var/log/svc_samcore.log` (Hidden backup copy)
- `/etc/csp_mount_list` (Modified boot file)
- **Network Indicators:**
- Specially crafted WebVPN requests (Incoming to the device).
- **Behavioral Indicators:**
- Presence of the process `lina_cs`.
- Modification of LINA core process hooks.
## Associated Threat Actors
- **UAT-4356 (Cisco Talos designation)**: Also linked to the **ArcaneDoor** campaign. This group is known for high-level cyberespionage against government entities.
## Detection Methods
- **Manual Command:** Execute `show kernel process | include lina_cs` on the Cisco device. Any returned output indicates a compromise.
- **YARA Rules:** CISA has provided specific YARA rules targeting the ELF headers and unique strings within the Firestarter backdoor for use on disk images or core dumps.
- **Log Analysis:** Monitor for unauthorized modifications to system mount files (such as `CSP_MOUNT_LIST`) or unusual files under the `/opt/cisco/` path.
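As an added example (not code from the advisory, CISA or Cisco), a small Python triage helper that applies the indicators above to artifacts collected from a device; the process output, mount lists and file listing are constructed samples, and the column layout of `show kernel process` and the mount-list entry format are assumptions.

```python
import os

# Indicators taken from the page.
BACKUP_COPY = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
PROC_NAME = "lina_cs"

# Constructed sample of `show kernel process` output. The column layout is
# assumed; the helper only relies on the first field being a PID and the
# last field being the command. The legitimate 'lina' process must NOT match.
SAMPLE_PROCESSES = """\
  PID  PPID  PRI  NI   VSIZE   RSS  STAT  RUNTIME  COMMAND
    1     0   20   0    2568   100  S     0:00     init
  812     1   20   0  987654  5500  S     1:23     lina
  903     1   20   0   42000   900  S     0:00     /usr/bin/lina_cs
"""
# Constructed mount-list contents (entry format assumed): a known-good
# baseline from a clean device of the same release, and the suspect device.
BASELINE_MOUNTS = ["/dev/sda1 /mnt/disk0", "/dev/sda2 /mnt/disk1"]
CURRENT_MOUNTS = ["/dev/sda1 /mnt/disk0", "/dev/sda2 /mnt/disk1", "/usr/bin/lina_cs"]
# Constructed listing of the log directory on the suspect device.
CURRENT_FILES = ["/opt/cisco/platform/logs/var/log/messages", BACKUP_COPY]


def find_backdoor_pids(show_kernel_process: str) -> list[int]:
    """PIDs whose command basename is exactly lina_cs (header and 'lina' are skipped)."""
    pids = []
    for line in show_kernel_process.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and os.path.basename(fields[-1]) == PROC_NAME:
            pids.append(int(fields[0]))
    return pids


def mount_list_additions(baseline: list[str], current: list[str]) -> list[str]:
    """Entries present on the suspect device but absent from the clean baseline."""
    known = set(baseline)
    return [entry for entry in current if entry not in known]


def triage(processes: str, baseline: list[str], mounts: list[str], files: list[str]) -> list[str]:
    """Combine the three checks into a list of human-readable findings (empty = nothing found)."""
    findings = [f"process {PROC_NAME} running as PID {pid}" for pid in find_backdoor_pids(processes)]
    findings += [f"unexpected CSP_MOUNT_LIST entry: {entry}" for entry in mount_list_additions(baseline, mounts)]
    if BACKUP_COPY in files:
        findings.append(f"hidden backup copy present: {BACKUP_COPY}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, BASELINE_MOUNTS, CURRENT_MOUNTS, CURRENT_FILES):
        print("FINDING:", finding)
```

An empty findings list from `triage` is not proof of a clean device; the YARA rules and a reimage remain the authoritative checks.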
## Mitigation Strategies
- **Patching:** While the malware survives patches once installed, organizations must patch **CVE-2025-20333** and **CVE-2025-20362** immediately to prevent the initial infection.
- **Device Reimaging:** Cisco recommends a full reimage and upgrade of the device using fixed releases to ensure the environment is clean.
- **Cold Restart:** Disconnecting the physical power (cold boot) can remove the malware from memory/process state, though Cisco warns this may cause disk corruption and treats it as a fallback to reimaging rather than a substitute for it.
- **Hardening:** Disable WebVPN/VPN features that are not required to reduce the attack surface.
## Related Tools/Techniques
- **Line Viper:** A user-mode shellcode loader used as a first-stage tool to access configurations and administrative credentials before deploying Firestarter.
- **ArcaneDoor:** The broader espionage campaign utilizing these tools.