Firestarter malware survives Cisco firewall updates, security patches

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/

ONE SENTENCE SUMMARY:

CISA and NCSC warn Firestarter backdoor persists on Cisco Firepower/ASA/FTD devices after exploits, enabling espionage, remote access, and resilient persistence.

MAIN POINTS:

1. U.S. and U.K. agencies issued alerts about custom Firestarter malware on Cisco firewall platforms.
2. Cisco Talos attributes Firestarter to UAT-4356, linked to cyberespionage and ArcaneDoor.
3. Initial access likely exploited CVE-2025-20333 authorization flaw and/or CVE-2025-20362 overflow.
4. CISA saw Line Viper deployed first, followed by Firestarter for long-term persistence.
5. Compromise likely occurred early September 2025, before ED 25-03 patching timelines.
6. Line Viper establishes VPN sessions and extracts configs, admin credentials, certificates, and keys.
7. Firestarter persists through reboots, firmware updates, and patches; relaunches when terminated.
8. Persistence hooks LINA using signal handlers and boot/mount modifications for startup execution.
9. Backdoor enables remote access and in-memory shellcode execution via crafted WebVPN requests.
10. Cisco advises reimage and upgrade fixed releases; detection includes show kernel process | include lina_cs.

TAKEAWAYS:

1. Patch both cited CVEs urgently to reduce initial exploitation risk on ASA/FTD deployments.
2. Treat any lina_cs process evidence as a compromise requiring incident response actions.
3. Prioritize reimaging plus upgrading, since patching alone may not remove persistence.
4. Use CISA-provided YARA rules on disk images/core dumps to hunt Firestarter artifacts.
5. Avoid relying on cold restarts except as last resort due to corruption and boot-failure risks.