Cisco Firestarter Malware Persists Through Updates

Cybersecurity agencies in the U.S. and U.K. are sounding the alarm on Firestarter, a custom malware exhibiting troubling persistence on Cisco Firepower and Secure Firewall devices. BleepingComputer reports that this malware is designed to survive updates and security patches, affecting devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

Firestarter's defining trait is that it survives the routine update and patch cycle, which gives its operator a durable foothold on the network perimeter. An attacker who holds it keeps access to and control over the firewall even after defenders apply the fix for whatever vulnerability was used to get in, so the standard remediation step does not remediate. Persistence of that kind on network infrastructure points to an adversary with detailed knowledge of the platform.

For defenders this changes the playbook. A patch-and-reboot cycle, which normally closes the exploited vulnerability and removes most malware, does not remove Firestarter. Organizations should assume deeper compromise: preserve forensic evidence from the device before changing it, then plan for re-imaging or a factory reset rather than an in-place update. One caveat: a reset or re-image only helps if the implant lives in what that procedure actually rewrites, so follow the remediation guidance Cisco and the agencies publish for this malware rather than assuming a generic reset is sufficient, and treat credentials, keys and configuration that were held on the device as exposed.

What This Means For You

  • If your organization runs Cisco Firepower or Secure Firewall devices on ASA or FTD, patching alone is not enough. Hunt for Firestarter on those devices, and plan remediation that goes beyond the update path, up to and including re-imaging, rather than relying on updates to remove the threat. These devices sit on the network perimeter; assume persistence and act accordingly.
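The hunting step above is easier to reason about with a concrete check. The script below is an added illustration, not code from the advisory, from BleepingComputer or from Cisco, and it encodes no Firestarter specifics: it models the generic test for "survives an update", namely comparing a device's file inventory before and after an update against the manifest of the new image. Anything present after the update that was also present before it and is not part of the new image is a candidate for update-surviving persistence. All paths, hashes, manifest contents and the allowlist are constructed sample data; none are claimed to exist on real ASA or FTD devices.

```python
"""Baseline diff for components that survive a software update.

Added example. Inputs are {path: sha256-hex} dictionaries; how the
inventories are collected from the device is out of scope here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


# Constructed data: a hypothetical new image manifest, a hypothetical
# inventory before the update, and one after it. "disk0:/.hidden-loader"
# is an invented name standing in for an unexplained file that persists.
MANIFEST_NEW = {
    "disk0:/sample-image-new.bin": "11" * 32,
    "disk0:/sample-boot-helper": "22" * 32,
}
INVENTORY_PRE = {
    "disk0:/sample-image-old.bin": "00" * 32,
    "disk0:/sample-boot-helper": "22" * 32,
    "disk0:/.hidden-loader": "ee" * 32,
    "disk0:/startup-config": "cc" * 32,
}
INVENTORY_POST = {
    "disk0:/sample-image-new.bin": "11" * 32,
    "disk0:/sample-boot-helper": "33" * 32,   # tampered: hash no longer matches manifest
    "disk0:/.hidden-loader": "ee" * 32,       # unchanged across the update, not in manifest
    "disk0:/startup-config": "cc" * 32,       # legitimate operational file, allowlisted
}
# Files an image manifest never lists but a device legitimately carries.
OPERATIONAL_ALLOWLIST = {"disk0:/startup-config"}


def diff_against_manifest(pre_update, post_update, manifest, allowlist=frozenset()):
    """Return findings sorted by path.

    Three signals are reported:
      - a file not in the manifest that existed before AND after the update
        (the update-surviving case this page is about),
      - a file not in the manifest that appeared only after the update,
      - a manifest file whose on-device hash differs from the manifest,
    plus manifest files missing from the device, which also merits a look.
    """
    findings = []
    for path, digest in post_update.items():
        if path in allowlist:
            continue
        expected = manifest.get(path)
        if expected is None:
            if path in pre_update:
                findings.append(Finding(path, "not in new image manifest; present before and after update"))
            else:
                findings.append(Finding(path, "not in new image manifest; appeared after update"))
        elif expected != digest:
            findings.append(Finding(path, "hash differs from manifest"))
    for path in manifest:
        if path not in post_update:
            findings.append(Finding(path, "listed in manifest but missing from device"))
    return sorted(findings, key=lambda f: f.path)


def run_sample():
    """Run the check over the constructed inventories."""
    return diff_against_manifest(INVENTORY_PRE, INVENTORY_POST, MANIFEST_NEW, OPERATIONAL_ALLOWLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.path}: {f.reason}")
```

The allowlist is the part that needs care in practice: an image manifest never lists configuration, logs or keys, so without it every legitimate operational file becomes noise. Conversely, a reviewer should not treat "in the manifest with a matching hash" as proof of health, because a persistence mechanism that lives outside the filesystem this inventory sees will not appear in the diff at all, which is why the article's advice to follow published remediation guidance rather than a generic reset still stands.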

Indicators of Compromise

The entries below are the affected-product descriptors this page carries under its IOC heading. They tell you where to look, not what to look for: the page gives no file hashes, network addresses or artifact paths for Firestarter, so they cannot be loaded into a detection tool as atomic indicators.

ID                   Type                 Indicator
Firestarter-Malware  Malware Persistence  Cisco Firepower devices
Firestarter-Malware  Malware Persistence  Cisco Secure Firewall devices
Firestarter-Malware  Malware Persistence  Cisco Adaptive Security Appliance (ASA) software
Firestarter-Malware  Malware Persistence  Cisco Firepower Threat Defense (FTD) software
Firestarter-Malware  Malware Name         Firestarter

Related coverage on Cisco

npm Supply Chain Evolves: Wormable Malware, CI/CD Persistence Detected

Palo Alto Unit 42 reports a significant evolution in npm supply chain attacks following the "Shai Hulud" incident. Their analysis reveals increasingly sophisticated tactics, including...


TGR-STA-1030: Persistent Threat to Central and South America

Palo Alto Unit 42 reports that TGR-STA-1030 remains an active and persistent threat actor, with a specific focus on organizations within Central and South America....


Microsoft Windows Update Gets New Controls to Reduce Forced Restarts

Microsoft is rolling out significant improvements to Windows Update, aiming to give users more granular control over how updates are installed. BleepingComputer reports these changes...
