

Ethical Hacking News

Cisco ASA Device Backdoor: A Persistent Threat to Cybersecurity




A persistent backdoor discovered on Cisco Firepower and Secure Firewall devices has been linked to a sophisticated cyber attack campaign targeting organizations worldwide. The FIRESTARTER backdoor allows attackers to gain remote access and control over compromised devices, making it a significant threat to organizations relying on these systems for security and network management.



  • Cybersecurity experts have identified a persistent backdoor on Cisco Firepower and Secure Firewall devices known as FIRESTARTER.
  • The backdoor, linked to a sophisticated attack campaign, allows attackers to gain remote access and control over compromised devices.
  • Timely patching and monitoring are crucial in preventing and responding to this threat, as current fixes may not remove FIRESTARTER persistence.
  • FIRESTARTER is a Linux ELF malware targeting Cisco Firepower and Secure Firewall devices, acting as a command-and-control backdoor for remote access.
  • The malware attempts to install a hook within the device's core engine, enabling execution of arbitrary shellcode and deployment of additional payloads.
  • Organizations are urged to follow baseline cybersecurity practices, including rapid patching of known vulnerabilities and monitoring for suspicious activity.
  • To mitigate the risk associated with FIRESTARTER, organizations can initiate a TAC request for Cisco support or reimage affected devices; a full power cycle is required to ensure complete removal.



Cybersecurity experts have sounded the alarm over a persistent backdoor discovered on Cisco Firepower and Secure Firewall devices, which has been linked to a sophisticated cyber attack campaign targeting organizations worldwide. The FIRESTARTER backdoor, identified by CISA (the Cybersecurity and Infrastructure Security Agency) and the UK National Cyber Security Centre (NCSC), allows attackers to gain remote access and control over compromised devices, making it a significant threat to organizations relying on these systems for security and network management.

The discovery was made in September 2025, when a U.S. federal civilian agency's Cisco Firepower device running ASA software was found to be infected with the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts. This incident highlights the importance of timely patching and monitoring for known vulnerabilities, since current fixes may not remove FIRESTARTER persistence.

FIRESTARTER is a Linux ELF malware targeting Cisco Firepower and Secure Firewall devices, acting as a command-and-control backdoor for remote access. It maintains persistence by intercepting termination signals and automatically relaunching, allowing it to survive reboots and even firmware updates unless a full power cycle is performed. The malware embeds itself in the LINA network processing engine by installing a hook that intercepts normal XML handling functions, enabling execution of attacker-supplied shellcode and deployment of additional payloads such as LINE VIPER.

According to CISA, FIRESTARTER attempts to install a hook within LINA, the device's core engine for network processing and security functions. This hook enables the execution of arbitrary shellcode provided by the attackers, including the deployment of LINE VIPER. Upon execution, FIRESTARTER loads itself from disk into memory, registers handlers for multiple termination signals, and performs cleanup and self-reinstallation routines. It manipulates system files to restore modified components, deletes traces, and re-establishes itself under a new persistent path.

The use of LINE VIPER as a post-exploitation implant before deploying FIRESTARTER highlights the sophisticated nature of the attack campaign. The fact that attackers used a 12-year-old bug, Pack2TheRoot, to gain root privileges on Linux systems also underscores the vulnerability of outdated software and the importance of regular patching.

CISA and the NCSC urge organizations to follow baseline cybersecurity practices aligned with CPG 2.0, including rapid patching of known vulnerabilities, inventorying network edge devices (especially Cisco systems), monitoring for suspicious activity, auditing privileged accounts, enforcing least privilege, rotating passwords regularly, and modernizing access controls using secure protocols such as TACACS+ over TLS 1.3 to reduce credential exposure and improve detection.

To mitigate the risk associated with FIRESTARTER, organizations can initiate a TAC request for Cisco support or reimage affected devices. For Cisco FTD software that is not in lockdown mode, killing the lina_cs process and reloading the device can also help eliminate the malware. However, it is essential to note that a full power cycle is required to ensure complete removal of FIRESTARTER.

The discovery of FIRESTARTER highlights the need for organizations to prioritize cybersecurity and stay vigilant against emerging threats. As CISA and the NCSC emphasize, timely patching, monitoring, and incident response are crucial in preventing and responding to such attacks.
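The persistence behaviour described above (a process that registers handlers for the usual termination signals so that ordinary kill and reload paths do not end it) leaves a footprint the Linux kernel exposes for every process in the SigCgt and SigIgn bitmasks of /proc/PID/status. The following script is an added example for this article, not code from CISA, the NCSC or Cisco, and it is not a FIRESTARTER signature: it decodes those masks and flags any process that catches or ignores all of SIGHUP, SIGINT, SIGQUIT and SIGTERM. The signal numbers are the standard Linux values on x86-64 and arm64; the two /proc status records are constructed sample input, and the "updater" process name in them is invented. On a Cisco FTD appliance this kind of check would run from the expert-mode Linux shell, which is an assumption about access, not something the article states.

```python
import os
from typing import Dict, List, Set

# Standard Linux signal numbers for the common-ABI signals (x86-64, arm64).
# In a /proc/PID/status mask, bit (n - 1) set means signal n is in the set.
SIGNAL_NAMES = {
    1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 4: "SIGILL", 5: "SIGTRAP",
    6: "SIGABRT", 7: "SIGBUS", 8: "SIGFPE", 9: "SIGKILL", 10: "SIGUSR1",
    11: "SIGSEGV", 12: "SIGUSR2", 13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM",
}

# The catchable signals an administrator or init system normally uses to stop a process.
# SIGKILL is deliberately absent: it cannot be caught or ignored, which is why a
# full power cycle or reimage, not a polite kill, is the reliable remedy.
TERMINATION_SIGNALS = {"SIGHUP", "SIGINT", "SIGQUIT", "SIGTERM"}


def decode_mask(mask_hex: str) -> Set[str]:
    """Turn a hex signal mask (as printed in /proc/PID/status) into signal names."""
    mask = int(mask_hex, 16)
    names: Set[str] = set()
    signum = 1
    while mask:
        if mask & 1:
            names.add(SIGNAL_NAMES.get(signum, f"SIG{signum}"))
        mask >>= 1
        signum += 1
    return names


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:\\tvalue' lines of /proc/PID/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def intercepts_all_termination(status: Dict[str, str]) -> bool:
    """True if every ordinary termination signal is caught or ignored by the process."""
    caught = decode_mask(status.get("SigCgt", "0"))
    ignored = decode_mask(status.get("SigIgn", "0"))
    return TERMINATION_SIGNALS <= (caught | ignored)


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk a procfs tree and return the processes that intercept all termination signals."""
    hits: List[Dict[str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status"), encoding="utf-8") as fh:
                status = parse_status(fh.read())
        except OSError:
            continue  # process exited, or no permission to read it
        if intercepts_all_termination(status):
            hits.append({"pid": entry, "name": status.get("Name", "?"),
                         "caught": ",".join(sorted(decode_mask(status.get("SigCgt", "0"))))})
    return hits


# Constructed sample records (not real device output). The first catches HUP, INT,
# QUIT and TERM (mask 0x4007 = bits 0, 1, 2 and 14); the second is a typical daemon
# that catches only HUP and TERM and ignores SIGPIPE.
SAMPLE_SUSPICIOUS = "Name:\tupdater\nPid:\t4242\nSigIgn:\t0000000000000000\nSigCgt:\t0000000000004007\n"
SAMPLE_BENIGN = "Name:\tsshd\nPid:\t811\nSigIgn:\t0000000000001000\nSigCgt:\t0000000180004001\n"


def triage(samples: List[str]) -> List[str]:
    """Return the names of the sample processes that would be flagged."""
    return [parse_status(s)["Name"] for s in samples
            if intercepts_all_termination(parse_status(s))]


if __name__ == "__main__":
    print("sample triage:", triage([SAMPLE_SUSPICIOUS, SAMPLE_BENIGN]))
    if os.path.isdir("/proc"):
        for hit in scan_proc():
            print(f"pid {hit['pid']} ({hit['name']}) catches {hit['caught']}")
```

This is a triage heuristic, not a verdict: init systems, shells and many well-behaved daemons legitimately handle SIGTERM and SIGHUP, so the value of the output is in the delta against a known-good baseline of the same platform, and in any hit whose binary path, parent process or start time does not match the vendor's software inventory. Anything flagged should be handled through the TAC and reimaging route the article describes rather than by killing the process, since a self-relaunching implant is exactly what the check is looking for.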



Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-ASA-Device-Backdoor-A-Persistent-Threat-to-Cybersecurity-ehn.shtml
  • https://securityaffairs.com/191241/hacking/cisa-reports-persistent-firestarter-backdoor-on-cisco-asa-device-in-federal-network.html
  • https://www.cisa.gov/news-events/news/cisa-warns-firestarter-malware-targeting-cisco-asa-including-firepower-and-secure-firewall-products
  • https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html


  • Published: Fri Apr 24 20:56:28 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
