Full Report
Investigators found the malware, dubbed Firestarter, on a federal agency's network in a campaign dating back to at least September 2025. Source: CyberScoop, "US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied".
Analysis Summary
# Incident Report: Campaign "ArcaneDoor" - Firestarter Malware Persistence
## Executive Summary
A sophisticated state-sponsored threat actor (UAT-4356) targeted Cisco firewall devices at a U.S. federal civilian agency and other critical infrastructure. The attackers deployed "Firestarter," a custom backdoor capable of surviving firmware updates and standard software reboots by manipulating boot-sequence configuration files. Despite the application of security patches in September 2025, the malware remained resident, allowing the actors to maintain long-term access and redeploy additional tools months later.
## Incident Details
- **Discovery Date:** Approximately March 2026 (following redeployment of secondary tools)
- **Incident Date:** September 2025 – April 2026 (ongoing)
- **Affected Organization:** U.S. Federal Civilian Agency (unnamed); various critical infrastructure
- **Sector:** Government / Critical Infrastructure
- **Geography:** United States, United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025
- **Vector:** Exploitation of two zero-day vulnerabilities in Cisco devices.
- **Details:** Attackers exploited CVE-2025-20333 (RCE in VPN web server) and CVE-2025-20362 (unauthorized access) to gain entry.
### Lateral Movement
- **Details:** Attackers deployed "Line Viper" to access device configurations, credentials, and encryption keys, which allowed them to retain control of the perimeter environment.
### Data Exfiltration/Impact
- **Details:** Compromise of device configurations and encryption keys; long-term unauthorized access to federal network traffic via VPN request interception.
### Detection & Response
- **Discovery:** Identified by CISA through continuous network monitoring after observing suspicious connections.
- **Response Actions:** CISA issued an updated emergency directive (v1-ED-25-03) requiring federal agencies to audit Cisco infrastructure and submit memory snapshots for analysis.
## Attack Methodology
- **Initial Access:** Zero-day exploitation (CVE-2025-20333/CVE-2025-20362).
- **Persistence:** Manipulation of the Cisco Service Platform mount list; malware survives reboots and firmware patches.
- **Privilege Escalation:** Exploitation of firewall core software components.
- **Defense Evasion:** Deployment of shellcode into "LINA" (core networking code); malware remains dormant until triggered by specific hidden sequences in VPN requests.
- **Credential Access:** Stole device configurations and encryption keys using "Line Viper" implant.
- **Discovery:** Reconnaissance of network perimeter and device internals.
- **Lateral Movement:** Not explicitly detailed; the compromised firewall served as a gateway for broader network access.
- **Collection:** Interception of network requests.
- **Impact:** Persistent, undetected backdoor in critical security infrastructure.
## Impact Assessment
- **Financial:** High (associated with incident response and mandatory federal audits).
- **Data Breach:** Exposure of encryption keys and configuration data.
- **Operational:** Disruption of secure communications; requirement for "hard" (physical) reboots of critical hardware.
- **Reputational:** High-profile compromise of a federal agency and failure of standard patching to remediate the threat.
## Indicators of Compromise
- **Behavioral indicators:**
  - Unauthorized modifications to Cisco Service Platform mount lists.
  - Suspicious connections to known UAT-4356 infrastructure.
  - Specific hidden VPN request trigger sequences.
- **Malware Names:** Firestarter, Line Viper, RayInitiator.
## Response Actions
- **Containment:** Requirement for a **hard reboot** (physical power disconnection) to clear persistence from memory.
- **Eradication:** Memory snapshots submitted to CISA for forensic analysis to ensure no resident shellcode remains.
- **Recovery:** Restoration of devices from known-clean states and application of patches *only* after ensuring malicious artifacts are removed from the boot sequence.
## Lessons Learned
- **Patching is Not Enough:** If a device is compromised *prior* to patching, advanced malware can hide in areas of the OS that existing update processes do not overwrite.
- **The Physical Factor:** In cases of advanced persistence, software-level commands (soft reboots) are insufficient; physical power cycling may be required to clear volatile memory manipulation.
- **Visibility:** Continuous network monitoring was the primary driver for detection, rather than endpoint security on the firewall itself.
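The "Visibility" lesson is that the firewalls were caught by watching their traffic rather than by anything running on the devices. The script below is an added example of that kind of monitoring, not code from the CyberScoop article, CISA, or Cisco: it reads constructed flow records, flags outbound connections that a perimeter device makes to destinations outside a small expected set (update mirror, NTP, log collector), and then looks for the evenly spaced check-ins typical of an implant waiting for instructions. The device addresses, destinations, intervals, and the flow-record format are all constructed for the example.

```python
"""Flag anomalous outbound connections from perimeter devices.

Added illustration for the "Visibility" lesson; not part of the article
or any vendor/agency tooling. All addresses, the allowlist and the flow
records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: outside/management addresses of the firewalls being watched.
EDGE_DEVICES = {"203.0.113.10", "203.0.113.11"}

# Constructed: destinations a firewall is expected to reach on its own.
# Anything else initiated by the device itself is treated as an anomaly.
EXPECTED_DESTINATIONS = {
    ("198.51.100.5", 443),   # hypothetical software update mirror
    ("198.51.100.20", 123),  # hypothetical NTP server
    ("10.0.0.50", 514),      # hypothetical syslog/SIEM collector
}

# Constructed flow records: "<ISO-8601 UTC timestamp> <src> <dst> <dst port>".
SAMPLE_FLOWS = """\
2026-03-02T01:00:00Z 203.0.113.10 198.51.100.5 443
2026-03-02T01:00:00Z 203.0.113.10 198.51.100.20 123
2026-03-02T01:10:00Z 203.0.113.10 192.0.2.77 443
2026-03-02T01:40:00Z 203.0.113.10 192.0.2.77 443
2026-03-02T02:10:00Z 203.0.113.10 192.0.2.77 443
2026-03-02T02:40:00Z 203.0.113.10 192.0.2.77 443
2026-03-02T02:45:00Z 10.0.0.99 192.0.2.77 443
2026-03-02T03:00:00Z 203.0.113.11 10.0.0.50 514
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        # Accept the trailing 'Z' on older Python versions by mapping it to +00:00.
        flows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(port)))
    return flows


def unexpected_outbound(flows):
    """Flows sourced from an edge device to a destination that is not allowlisted."""
    return [f for f in flows
            if f[1] in EDGE_DEVICES and (f[2], f[3]) not in EXPECTED_DESTINATIONS]


def beacon_candidates(flows, min_count=4, jitter=timedelta(minutes=2)):
    """Group unexpected flows by (src, dst, port) and report groups whose
    inter-connection gaps are nearly constant: a regular check-in pattern."""
    groups = defaultdict(list)
    for ts, src, dst, port in unexpected_outbound(flows):
        groups[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in groups.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            mean_gap = sum(gaps, timedelta()) / len(gaps)
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "interval_s": int(mean_gap.total_seconds())})
    return findings


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for flow in unexpected_outbound(parsed):
        print("UNEXPECTED", flow)
    for finding in beacon_candidates(parsed):
        print("REGULAR CHECK-IN", finding)
```

The connection from 10.0.0.99 is ignored because it is not a perimeter device; the four 30-minute connections from 203.0.113.10 to an unlisted address are reported both individually and as one regular check-in group. In practice the allowlist would come from change-controlled configuration and the flows from a collector, but the logic is the same.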
## Recommendations
- **Audit Configuration:** Regularly verify the integrity of Cisco Service Platform mount lists and startup configurations.
- **Memory Forensics:** Incorporate memory snapshot analysis into standard incident response for network appliances.
- **Zero-Trust for Edge Devices:** Treat network perimeter devices as high-risk and monitor their outbound traffic for anomalies, assuming they may be compromised regardless of patch status.
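The "Audit Configuration" recommendation asks for regular integrity verification of the mount list and startup configuration. The example below is added here and is not Cisco tooling; it does not know the real on-device layout or the actual mount-list syntax, so the artifact paths (`boot/mounts.list`, `boot/startup.cfg`, `boot/loader.bin`), the one-entry-per-line mount format, and the file contents are all constructed. It shows the general pattern: hash every boot-sequence artifact into a baseline taken from a known-clean device, diff a later snapshot against it, and separately check the mount list against an approved set of entries, so that both a changed file and an extra mount entry stand out.

```python
"""Baseline-and-diff integrity check for boot-sequence artifacts.

Added illustration for the "Audit Configuration" recommendation; not
vendor tooling. Paths, mount-list format and contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Hash every file under root -> {relative path: sha256}."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(baseline, current):
    """Return added / removed / modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def unexpected_mounts(mount_list_text, approved):
    """Parse a hypothetical 'name source target' mount list (assumed format)
    and return every entry that is not in the approved set."""
    findings = []
    for line in mount_list_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if tuple(line.split()) not in approved:
            findings.append(line)
    return findings


# Constructed: the mount entries a clean device is expected to carry.
APPROVED_MOUNTS = {
    ("system", "/dev/disk0", "/mnt/system"),
    ("config", "/dev/disk1", "/mnt/config"),
}


def demo():
    """Build a clean baseline, simulate a tampered boot directory, return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "boot"))

        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)

        # Known-clean state (constructed contents).
        write("boot/mounts.list",
              "system /dev/disk0 /mnt/system\nconfig /dev/disk1 /mnt/config\n")
        write("boot/startup.cfg", "hostname edge-fw-01\n")
        write("boot/loader.bin", "LOADER-v1\n")
        baseline = build_baseline(root)

        # Simulated tampering: one extra mount entry and one new file.
        write("boot/mounts.list",
              "system /dev/disk0 /mnt/system\nconfig /dev/disk1 /mnt/config\n"
              "extra /mnt/config/unexpected.img /mnt/extra\n")
        write("boot/unexpected.img", "opaque\n")
        current = build_baseline(root)

        with open(os.path.join(root, "boot/mounts.list")) as fh:
            mounts = unexpected_mounts(fh.read(), APPROVED_MOUNTS)
        return diff_baseline(baseline, current), mounts


if __name__ == "__main__":
    changes, bad_mounts = demo()
    print("artifact changes:", changes)
    print("unapproved mount entries:", bad_mounts)
```

The baseline should be captured from a device known to be clean and stored off the appliance, otherwise an actor who can rewrite the mount list can rewrite the baseline too; comparing against that external copy is what makes a modified `mounts.list` and an added file visible even after a patch has been applied.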