FIRESTARTER Backdoor Targets Cisco Devices for Network Persistence
APT actors are using the FIRESTARTER backdoor to target Cisco Firepower and Secure Firewall devices for network persistence, according to a joint advisory from CISA and the UK NCSC.
CISA and the UK's National Cyber Security Centre (NCSC) have released a joint advisory detailing the FIRESTARTER backdoor malware, which is being used by advanced persistent threat (APT) actors to target Cisco Firepower and Secure Firewall devices. The malware is specifically employed for maintaining persistence on compromised networks, with a focus on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The advisory provides an in-depth analysis of a FIRESTARTER sample obtained during a forensic investigation.
The FIRESTARTER malware enables APT actors to establish a persistent presence within targeted networks, allowing them to conduct further malicious activities undetected. The targeting of Cisco's network security appliances suggests a sophisticated approach aimed at gaining deep access into critical infrastructure and enterprise environments. The malware's capabilities likely include command and control, data exfiltration, and potentially lateral movement within the network.
Organizations using affected Cisco devices are urged to review their security configurations and implement the recommended mitigations outlined in the advisory. This includes ensuring devices are running the latest firmware, monitoring network traffic for indicators of compromise associated with FIRESTARTER, and segmenting networks to limit the potential impact of a breach. Vigilance and proactive security measures are essential to defend against such advanced threats.