{"id":7945,"date":"2026-04-28T01:31:48","date_gmt":"2026-04-28T01:31:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7945"},"modified":"2026-04-28T01:31:48","modified_gmt":"2026-04-28T01:31:48","slug":"infected-cisco-firewalls-need-cold-start-to-clear-persistent-firestarter-backdoor","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7945","title":{"rendered":"Infected Cisco firewalls need cold start to clear persistent Firestarter backdoor"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have discovered a chilling backdoor aimed at Cisco Systems firewalls that is planted by exploiting unpatched vulnerabilities and maintains persistence even after patching. This means that attackers can continue to access compromised devices without re-exploiting the holes.<\/p>\n<p>At risk are devices running Cisco ASA or Firepower software, including certain Firepower and Secure Firewall devices.\u00a0So far, however, the US Cybersecurity and Infrastructure Security Agency (CISA) has only seen a successful implant of the malware, dubbed Firestarter, in the wild on a Cisco Firepower device running ASA software.<\/p>\n<p><a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2026-04\/AR26-113A_MAR_FIRESTARTER_backdoor.pdf\" target=\"_blank\" rel=\"noopener\">In a joint warning<\/a>, CISA and the UK\u2019s National Cyber Security Centre urge organizations to look for signs of compromise. To do so, generate a core dump and use the recommended YARA rules to detect Firestarter malware. 
The YARA rules can also be run against a disk image.<\/p>\n<p>If there is a compromise, unplug the device from all power sources, including backup power, for one minute, reconnect power, and reboot.<\/p>\n<p>\u201cIt is not sufficient to power the device off or reboot it,\u201d said the joint advisory. \u201cThe device must be entirely removed from all power sources, including duplicate power sources created for redundancy.\u201d<\/p>\n<p>A Firestarter infection may also be erased by reimaging the device, it said.<\/p>\n<p>In a separate advisory, Cisco\u2019s Talos threat intelligence service said a group it calls UAT-4356 is behind Firestarter, as part of its continued targeting of Firepower devices. Other researchers call the group Storm-1849, and identify the campaign targeting networking devices from Cisco and other vendors as ArcaneDoor, dating back to 2023.<\/p>\n<h2 class=\"wp-block-heading\">Critical failure in \u2018patch and forget\u2019 mentality<\/h2>\n<p>CISA believes threat actors compromised Cisco firewalls by exploiting <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-20333\" target=\"_blank\" rel=\"noopener\">CVE-2025-20333<\/a> and\/or <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-20362\" target=\"_blank\" rel=\"noopener\">CVE-2025-20362<\/a> early last September, before patches to plug these holes were released.<\/p>\n<p>In the example analyzed by CISA, the attacker then deployed the LineViper shellcode loader to install a VPN that the threat actor could use to access all configuration elements of the compromised Firepower device, including administrative credentials, certificates, and private keys. Then the Firestarter backdoor was added and used to link to a command-and-control server, which allowed the backdoor to persist even after patching. 
All this happened before patches to the two vulnerabilities were issued.<\/p>\n<p>Firestarter achieves persistence by detecting termination signals and relaunching itself, which is how it can survive firmware updates and device reboots unless a hard power cycle occurs.<\/p>\n<p>\u201cThe Firestarter malware represents a critical failure in the \u2018patch and forget\u2019 mentality of modern network security,\u201d said IT analyst <a href=\"https:\/\/www.linkedin.com\/in\/rob-enderle-03729\" target=\"_blank\" rel=\"noopener\">Rob Enderle<\/a> of the Enderle Group.<\/p>\n<p>\u201cWhat makes this attack particularly unusual is its technical resilience and anti-forensic capabilities,\u201d he said. \u201cThe malware registers callback functions for termination signals like SIGTERM or SIGHUP, which allows it to automatically relaunch if an admin tries to kill the process. It deep-dives into the LINA engine\u2019s virtual memory to hook the C++ standard library, intercepting WebVPN requests to trigger its payload. By using \u2018time stomping\u2019 to mask its file presence and redirecting errors to \/dev\/null, it remains nearly invisible to traditional discovery tools.\u201d<\/p>\n<p>He underscored the CISA and Cisco advice that to mitigate damage, an infected device must be physically disconnected from all power sources, including redundant ones, for at least one minute. This \u2018cold start\u2019 clears the volatile memory where the malware resides and disrupts its boot-time persistence. 
<\/p>\n<p>In addition, Enderle said, network admins should modernize administrative controls by using the <a href=\"https:\/\/www.tacacs.com\/security-hub\/what-is-tacacs\/\" target=\"_blank\" rel=\"noopener\">TACACS+<\/a> (Terminal Access Controller Access-Control System) protocol over TLS 1.3 for access control and authentication of users to network devices like routers, switches, and firewalls.<\/p>\n<p>TACACS+ generally uses a dedicated TCP port, Enderle said, so any firewall rules will need to be updated to take that into account. Cisco devices will probably need the ISE 3.4 patch (or later) to ensure that Identity Services Engine supports this protocol. Similarly, other vendors\u2019 guidance should be consulted before switching to TACACS+ to ensure interoperability.<\/p>\n<p>Admins should also strictly audit legacy accounts, which he said are often the path of least resistance for threat actors, to prevent lateral movement.<\/p>\n<p>Cisco devices affected by the Firestarter malware include the Firepower 1000, 2100, 4100, 9300, 1200, 3100 and 4200 Series firewalls, as well as the Secure Firewall 1200, 3100 and 4200 series.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered a chilling backdoor aimed at Cisco Systems firewalls that is planted by exploiting unpatched vulnerabilities and maintains persistence even after patching. This means that attackers can continue to access compromised devices without re-exploiting the holes. 
At risk are devices running Cisco ASA or Firepower software, including certain Firepower and Secure Firewall devices.\u00a0So far, however, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7946,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7945"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7945"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7945\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7946"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}