COSMICBYTEZLABS
Firestarter Malware Survives Cisco Firewall Updates and Security Patches

US and UK cybersecurity agencies are warning about Firestarter, a custom implant that persists on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving firmware updates and security patches.

Dylan H.

News Desk

April 24, 2026
6 min read

Advisory Overview

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC), along with partner agencies, have issued a joint advisory warning about Firestarter — a sophisticated custom malware implant observed persisting on Cisco Firepower and Cisco Secure Firewall devices. The implant survives standard firmware updates and security patches, making remediation significantly more difficult than conventional malware infections.

Firestarter targets devices running Cisco's Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software — two of the most widely deployed enterprise firewall platforms in the world.


What Is Firestarter?

Firestarter is a custom, purpose-built implant designed to establish persistent unauthorized access on Cisco Firepower and Secure Firewall appliances. Key characteristics distinguishing it from commodity malware:

| Characteristic | Detail |
| --- | --- |
| Persistence mechanism | Survives firmware updates and factory-level security patches |
| Target platform | Cisco ASA and FTD software on Firepower hardware |
| Attribution | Nation-state or sophisticated APT (specific attribution not yet confirmed) |
| Primary capability | Persistent backdoor access for long-term network surveillance and lateral movement |
| Stealth | Designed to evade detection by standard security tooling |

The implant's ability to survive firmware updates suggests it achieves persistence at a level below the normal firmware update mechanism — potentially in flash storage regions, boot loader areas, or via modification of update verification processes to allow re-infection.


Attack Scope

Cisco Firepower and Secure Firewall devices are deployed at the network perimeter of enterprises, government agencies, critical infrastructure operators, and managed service providers. A persistent implant on these devices gives attackers:

  • Full visibility into all network traffic passing through the firewall
  • Ability to intercept encrypted sessions if TLS inspection is enabled
  • Access to network routing and policy configurations
  • A persistent foothold for lateral movement into the protected network
  • The ability to exfiltrate data through an already-trusted network device

The targeting of edge security devices is a hallmark of nation-state APT groups that prioritize long-term, stealthy access over immediate destructive impact.


Technical Details

Persistence Mechanism

Firestarter's most notable feature is its persistence across firmware updates. Standard Cisco firmware updates overwrite the operating system and application firmware, but they do not necessarily overwrite all regions of a device's non-volatile storage. Sophisticated implants can persist in:

  • Bootloader-adjacent storage not overwritten by standard image flashing procedures
  • Management plane firmware regions separate from the main OS image
  • Re-infection via modified update verification — the implant intercepts or corrupts the update validation chain, allowing it to reinfect the updated system
  • Persistence in hardware management chips (BMC, CPLD) if the implant has achieved deep enough access

Capabilities Observed

While the joint advisory does not fully detail all Firestarter capabilities, implants of this class on firewall devices typically include:

  • Backdoor shell access (persistent command execution)
  • Traffic interception and packet capture
  • Credential harvesting from passing network sessions
  • Configuration modification and exfiltration
  • Pivoting to internal network segments
  • Lateral movement facilitation
  • Covert command-and-control channel establishment

Affected Platforms

| Platform | Software | Versions |
| --- | --- | --- |
| Cisco Firepower appliances | Cisco Firepower Threat Defense (FTD) | Multiple; see Cisco advisory |
| Cisco Secure Firewall | Cisco Adaptive Security Appliance (ASA) | Multiple; see Cisco advisory |
| Cisco Firepower Management Center | FMC | Advisory pending |

Organizations should consult Cisco's official security advisory for the definitive list of affected software versions and hardware models.


Agency Guidance

CISA and NCSC recommend organizations operating affected Cisco devices take the following immediate actions:

Immediate Response

  1. Audit all Cisco ASA/FTD devices for signs of unauthorized access or modification
  2. Check Cisco's published IoCs against firewall logs and device configurations
  3. Verify firmware integrity using Cisco's Secure Boot attestation features where available
  4. Review management access logs for unusual authentication patterns or configuration changes
  5. Isolate potentially compromised devices from sensitive network segments pending investigation

Detection Guidance

```text
# Check Cisco ASA configuration for unexpected changes
show running-config | include username
show running-config | include crypto

# Review active management connections
show vpn-sessiondb
show conn

# Inspect for unexpected persistent processes (FTD)
show processes
expert
# Then examine /proc and running services

# Verify image integrity against Cisco's published hashes
# (substitute the exact image filename present on disk0:)
verify /sha-512 disk0:/asa*.bin
```
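As an added example (not code from the advisory or from this article), the script below shows one way to act on the "review management access logs" and "monitor for unauthorized configuration changes via syslog/SIEM" guidance: it parses ASA syslog messages 605005 (login permitted) and 111010 (command executed) and flags logins from outside an assumed out-of-band management subnet, configuration commands by accounts outside an assumed admin allowlist, and sensitive commands issued from outside the management subnet. The subnet, account names and sample log lines are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed policy values (constructed for this example): the out-of-band
# management subnet and the accounts allowed to change configuration.
MGMT_NETS = [ip_network("10.99.0.0/24")]
AUTHORIZED_ADMINS = {"netops-alice", "netops-bob"}
# %ASA-6-605005: Login permitted from src/port to iface:dst/service for user "name"
LOGIN_RE = re.compile(
    r'%ASA-6-605005: Login permitted from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')
# %ASA-5-111010: User 'name', running 'app' from IP addr, executed 'cmd'
CMD_RE = re.compile(
    r"%ASA-5-111010: User '(?P<user>[^']+)', running '[^']+' from IP (?P<src>[\d.]+), executed '(?P<cmd>[^']+)'")
# Command prefixes that change accounts, crypto, management access or the boot image.
SENSITIVE = ("username", "crypto", "ssh", "http", "aaa", "boot", "copy", "enable", "password")

def in_mgmt_net(src):
    """True if the source address lies inside the out-of-band management subnet."""
    addr = ip_address(src)
    return any(addr in net for net in MGMT_NETS)

def analyze(lines):
    """Return (reason, line) findings for suspicious management-plane activity."""
    findings = []
    for line in lines:
        login = LOGIN_RE.search(line)
        if login and not in_mgmt_net(login["src"]):
            findings.append(("login outside OOB management network", line))
            continue
        cmd = CMD_RE.search(line)
        if not cmd:
            continue
        if cmd["user"] not in AUTHORIZED_ADMINS:
            findings.append(("config command by unauthorized account", line))
        elif cmd["cmd"].startswith(SENSITIVE) and not in_mgmt_net(cmd["src"]):
            findings.append(("sensitive command from outside management network", line))
    return findings

# Constructed sample log lines; they are not taken from any real device.
SAMPLE = [
    '%ASA-6-605005: Login permitted from 10.99.0.12/51022 to mgmt:10.99.0.1/ssh for user "netops-alice"',
    "%ASA-5-111010: User 'netops-alice', running 'CLI' from IP 10.99.0.12, executed 'show running-config'",
    '%ASA-6-605005: Login permitted from 203.0.113.7/4411 to outside:198.51.100.2/https for user "svc-backup"',
    "%ASA-5-111010: User 'svc-backup', running 'CLI' from IP 203.0.113.7, executed 'username ops privilege 15 password x'",
    "%ASA-5-111010: User 'netops-bob', running 'CLI' from IP 203.0.113.7, executed 'boot system disk0:/asa.bin'",
]

if __name__ == "__main__":
    for reason, line in analyze(SAMPLE):
        print(f"[{reason}] {line}")
```

Feed it the syslog export from your collector instead of SAMPLE; the three findings it raises on the sample data are exactly the patterns the advisory's immediate-response steps tell you to look for.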

Remediation Considerations

Standard firmware re-flashing may not fully remove Firestarter due to its persistence mechanism. Agencies recommend:

  • Contact Cisco TAC directly if infection is suspected — standard firmware updates may be insufficient
  • Consider hardware replacement if deep persistence in management hardware is confirmed
  • Engage CISA or NCSC if your organization is a critical infrastructure operator
  • Preserve forensic evidence before attempting remediation — do not immediately wipe devices

Threat Actor Context

The sophistication of Firestarter — particularly its ability to survive updates — is consistent with nation-state APT tooling. Targeting network edge devices is a known tactic of several advanced persistent threat groups, including:

  • Chinese APT clusters (UNC3886, Volt Typhoon, Silk Typhoon) that have previously targeted Cisco, Fortinet, and Ivanti edge devices
  • Russian APT groups (Sandworm, Cozy Bear) with documented interest in network infrastructure
  • Iranian actors that have increasingly targeted network appliances for long-term persistence

The joint US-UK advisory indicates this is an active threat being tracked by Western intelligence agencies.


Defensive Recommendations

| Priority | Action |
| --- | --- |
| Critical | Audit all Cisco Firepower/Secure Firewall devices against published IoCs |
| Critical | Enable Secure Boot and image integrity verification on all supported models |
| High | Restrict management plane access to dedicated out-of-band management networks |
| High | Enable TACACS+/RADIUS with MFA for all administrative access |
| High | Monitor for unauthorized configuration changes via syslog/SIEM |
| Medium | Implement network behavior analytics to detect unusual traffic patterns from firewall devices |
| Medium | Review and rotate all credentials stored on or accessible from firewall management interfaces |

References

  • BleepingComputer — Firestarter malware survives Cisco firewall updates, security patches
  • CISA — Joint Advisory on Cisco Device Targeting
  • Cisco Security Advisories
  • NCSC — Advisory on Network Device Targeting