New Cisco Firewall Malware Requires Drastic Measures for Removal
Cisco Firewall Malware Impervious to Software Removal Methods
A sophisticated piece of malware, dubbed Firestarter, has been discovered by security researchers to infiltrate Cisco Firepower and Secure Firewall devices by exploiting previously patched vulnerabilities.
- The malware establishes persistence by manipulating the device’s boot sequence and lays dormant until activated by a specific trigger.
- The persistence mechanism involves embedding itself into the device’s startup configuration list, ensuring automatic reactivation upon normal restarts.
- This allows the threat actors to maintain post-patching persistence and re-access compromised devices without re-exploiting vulnerabilities.
According to security researchers, the only effective method to eradicate the Firestarter malware is a hard power cycle, requiring physical disconnection from power rather than a software-driven shutdown or restart. Even a cold restart does not suffice, as the malware backs up its configuration before the device goes offline, ensuring its continued presence.
Attribution and Response
The Firestarter malware is attributed to a group previously linked to the 2024 ArcaneDoor campaign, which targeted Cisco ASA devices via two zero-day exploits.
- In response to the discovery, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance for US federal civilian agencies to identify and address potentially affected devices.
- The steps include identifying public-facing Cisco ASA platforms, collecting device artifacts and core dumps, submitting core dumps to CISA’s Malware Next Generation (MNG) platform, applying patches for the exploited vulnerabilities, conducting further threat hunting as necessary, and avoiding changes to the system that could affect volatile artifacts.
Indicators of Compromise
The presence of Firestarter is indicated by a malicious process named lina_cs running on the device, along with specific files on the device’s disk.
However, threat actors can easily alter these indicators, so reliable detection requires deep memory forensics or packet-level inspection rather than checks on process names and file paths alone.
