Severity: critical

FIRESTARTER Backdoor

CISA and NCSC identified FIRESTARTER, a persistent Linux ELF backdoor deployed by APT actors on Cisco Firepower and Secure Firewall devices. The malware hooks into the LINA engine, survives firmware updates and soft reboots, and facilitates the deployment of secondary payloads like LINE VIPER to establish unauthorized VPN sessions.

Sens: Immediate · Conf: high · Analyzed: 2026-04-23

Authors: CISA, NCSC, Cisco

Actors: Unnamed APT · LINE VIPER · FIRESTARTER

Source: CISA

IOCs: 3

Key Takeaways

  • FIRESTARTER is a persistent Linux ELF backdoor targeting Cisco Firepower and Secure Firewall devices running ASA or FTD software.
  • The malware survives firmware updates and standard reboots; a hard power cycle (unplugging for 1 minute) is required to remove persistence.
  • Initial access is likely achieved via CVE-2025-20333 and/or CVE-2025-20362, followed by LINE VIPER deployment for illegitimate VPN sessions.
  • FIRESTARTER hooks into the LINA engine by injecting shellcode into libstdc++.so and modifying CSP_MOUNT_LIST for boot persistence.

Affected Systems

  • Cisco Firepower devices
  • Cisco Secure Firewall devices
  • Adaptive Security Appliance (ASA) software
  • Firepower Threat Defense (FTD) software

Vulnerabilities (CVEs)

  • CVE-2025-20333
  • CVE-2025-20362

Attack Chain

APT actors likely exploit CVE-2025-20333 or CVE-2025-20362 to gain initial access to Cisco ASA/FTD devices. They deploy LINE VIPER to establish illegitimate VPN sessions and access configuration elements. FIRESTARTER is then deployed as a persistent backdoor, hooking into the LINA engine and modifying boot scripts (CSP_MOUNT_LIST) to survive reboots and firmware updates. The malware intercepts WebVPN requests to load further stages and maintain C2 access.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: CISA

CISA provided YARA rules to detect FIRESTARTER in disk images or core dumps. Sigma rules are noted as ineffective due to a lack of observable log events.

Detection Engineering Assessment

  • EDR Visibility: None. The malware operates on Cisco network appliances (ASA/FTD), which typically do not support standard EDR agents.
  • Network Visibility: Medium. The malware intercepts WebVPN requests and establishes C2, but the traffic is likely encrypted or blended with legitimate VPN traffic.
  • Detection Difficulty: Very Hard. The malware resides in memory on closed-box network appliances, survives reboots, and actively hides its execution and errors. Memory forensics (core dumps) is required to detect it.

Required Log Sources

  • Cisco ASA/FTD Core Dumps
  • VPN Authentication Logs
  • Device Configuration Logs

Hunting Hypotheses

  • Hypothesis: Look for unauthorized or anomalous VPN sessions originating from inactive or former employee accounts. | Telemetry: VPN Authentication Logs | ATT&CK Stage: Privilege Escalation / Defense Evasion | FP Risk: Low
  • Hypothesis: Identify unexpected modifications or timestomping of the CSP_MOUNT_LIST file on Cisco devices. | Telemetry: File Integrity Monitoring / Core Dumps | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Detect the presence of the lina_cs process or the svc_samcore.log file in unexpected directories. | Telemetry: Core Dumps / Device CLI output (show tech-support) | ATT&CK Stage: Execution / Persistence | FP Risk: Low

Control Gaps

  • Lack of EDR visibility on network appliances
  • Firmware updates do not clear persistent malware in this specific attack chain

Key Behavioral Indicators

  • Presence of /usr/bin/lina_cs
  • Modifications to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST
  • Creation of /opt/cisco/platform/logs/var/log/svc_samcore.log
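The file-path indicators above and the second and third hunting hypotheses can be turned into one repeatable check. The Python scanner below is an added example written for this summary, not CISA, NCSC or Cisco tooling: it walks a mounted ASA/FTD filesystem root or forensic image, reports the indicator paths the report names (including the CSP_MOUNT_LIST.tmp staging file), and flags a CSP_MOUNT_LIST whose ctime sits well after its mtime, the trace that `touch`-based timestamp restoration leaves because ctime cannot be copied by `touch`. The mount root, the 300-second slack and the ctime heuristic are assumptions of this example, and the heuristic is only meaningful where ctime is the on-device value (a live root or an image that preserves inode times).

```python
"""Scan a mounted Cisco ASA/FTD filesystem (live root or forensic image) for
the FIRESTARTER artefacts named above and apply a timestomp heuristic to
CSP_MOUNT_LIST. Added example for this summary, not CISA/NCSC/Cisco tooling."""
import os
from dataclasses import dataclass, field

# Paths quoted in the report, relative to the device root.
INDICATOR_PATHS = (
    "usr/bin/lina_cs",
    "opt/cisco/platform/logs/var/log/svc_samcore.log",
    "opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp",
)
MOUNT_LIST = "opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"


@dataclass
class ScanResult:
    present: list = field(default_factory=list)  # indicator paths found
    timestomped: bool = False  # CSP_MOUNT_LIST ctime far ahead of its mtime
    mtime: float = 0.0
    ctime: float = 0.0


def scan_root(root: str, slack: float = 300.0) -> ScanResult:
    """root: mount point of the device filesystem (assumed); slack: seconds
    of tolerance before an mtime/ctime gap counts as suspicious (assumed)."""
    res = ScanResult()
    for rel in INDICATOR_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            res.present.append("/" + rel)
    ml = os.path.join(root, MOUNT_LIST)
    if os.path.lexists(ml):
        st = os.lstat(ml)
        res.mtime, res.ctime = st.st_mtime, st.st_ctime
        # `touch -r` restores mtime/atime from the original copy but cannot
        # set ctime, so on Linux a ctime well after mtime means the inode was
        # changed after the time its content timestamp now claims. Only
        # meaningful where ctime is the on-device value, not a copy's.
        res.timestomped = (st.st_ctime - st.st_mtime) > slack
    return res


def suspicious(res: ScanResult) -> bool:
    """True if any indicator path exists or CSP_MOUNT_LIST looks timestomped."""
    return bool(res.present) or res.timestomped


if __name__ == "__main__":
    import sys
    r = scan_root(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("indicators:", r.present or "none", "| timestomped:", r.timestomped)
```

A hit on any indicator path is strong on its own; the timestomp flag is a lead to confirm against a core dump rather than a verdict, since legitimate maintenance that rewrites CSP_MOUNT_LIST would also move ctime.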

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Generate a core dump from affected Cisco devices and submit to CISA.
  • If compromised, physically unplug the device from all power sources for one minute to clear memory and remove persistence.

Infrastructure Hardening

  • Apply latest security patches for CVE-2025-20333 and CVE-2025-20362.
  • Implement TACACS+ over TLS 1.3 to encrypt device administration traffic.

User Protection

  • Audit and disable inactive or former employee accounts.
  • Regularly rotate passwords for privileged and service accounts.

Security Awareness

  • Ensure incident responders understand that soft reboots do not clear FIRESTARTER persistence; a hard power cycle is required.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059 - Command and Scripting Interpreter
  • T1543 - Create or Modify System Process
  • T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification
  • T1547 - Boot or Logon Autostart Execution
  • T1133 - External Remote Services
  • T1078 - Valid Accounts
  • T1222 - File and Directory Permissions Modification
  • T1564 - Hide Artifacts
  • T1070.004 - Indicator Removal on Host: File Deletion
  • T1070.006 - Indicator Removal on Host: Timestomp
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1055 - Process Injection
  • T1057 - Process Discovery
  • T1082 - System Information Discovery
  • T1219 - Remote Access Tools

Additional IOCs

  • File Paths:
    • /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp - Temporary file created during the modification of the CSP_MOUNT_LIST persistence mechanism.
  • Command Lines:
    • Purpose: Delete modified CSP_MOUNT_LIST and restore original file with matching timestamps and permissions | Tools: rm, cp, chmod, chown, touch | Stage: Defense Evasion | rm /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST 2>/dev/null
    • Purpose: Establish persistence by moving staging file to binary location and executing in the background | Tools: mv, chmod, lina_cs | Stage: Persistence | mv /opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs
  • Other:
    • libstdc++.so - Target library for shellcode injection to install the detour for the XML element handler.