Introduction
On April 23, 2026, CISA released Analysis Report AR26-113A, detailing a sophisticated persistent threat involving a malware family dubbed FIRESTARTER. This unauthorized access mechanism is currently being leveraged by APT actors to establish persistence on publicly accessible network edge devices—specifically Cisco Firepower and Secure Firewall appliances running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD).
For defenders, this is a critical escalation. When an edge device is compromised, the adversary essentially owns the perimeter. They can intercept, modify, or drop traffic; pivot into the internal network; and establish covert command-and-control (C2) channels that bypass standard internal monitoring. Immediate action is required to detect the presence of FIRESTARTER and eradicate it from the environment.
Technical Analysis
- Affected Products: Cisco Firepower Threat Defense (FTD) and Cisco Adaptive Security Appliance (ASA) software.
- Affected Platforms: Cisco Firepower appliances and Secure Firewalls.
- Threat Actor: Advanced Persistent Threat (APT) groups, specifically targeting high-value networks.
- Mechanism: FIRESTARTER functions as an unauthorized access mechanism. The full technical IoCs (hashes, specific file paths) are contained in the full report (AR26-113A); the observed behavior involves modifying the device operating environment to maintain persistence, typically by altering the boot process or by injecting code into memory or disk that survives reboots.
- Exploitation Status: Confirmed active exploitation. CISA obtained this sample from a live forensic investigation, indicating the threat is not theoretical.
Detection & Response
The following detection mechanisms are designed to hunt for indicators of compromise associated with FIRESTARTER and the unauthorized access patterns it facilitates. Since these devices often forward logs to a SIEM (like Microsoft Sentinel), we focus on Syslog and behavioral anomalies.
Sigma Rules
---
title: Potential FIRESTARTER Implant Activity - CISA AR26-113A
id: 89a0b123-456c-78d9-e0f1-234567890abc
status: experimental
description: Detects potential indicators of the FIRESTARTER malware or associated unauthorized access mechanisms on Cisco ASA/FTD devices based on suspicious keywords in forwarded logs.
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar26-113a
author: Security Arsenal
date: 2026/04/23
tags:
    - attack.persistence
    - attack.t1543.001
logsource:
    product: cisco
    category: firewall
detection:
    selection_keywords:
        Message|contains:
            - 'FIRESTARTER'
            - 'unauthorized access mechanism'
    selection_anomaly:
        DeviceProduct|contains:
            - 'Cisco'
            - 'Firepower'
        Message|contains:
            - 'Executed command'
            - 'System initialization'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative scripts using similar naming (unlikely)
level: critical
---
title: Suspicious File Modification on Cisco FTD Linux Shell
id: 12c3d456-789e-01f2-3456-789012345678
status: experimental
description: Detects modifications to critical system binaries or startup scripts on the underlying Linux OS of FTD devices, indicative of implant persistence.
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar26-113a
author: Security Arsenal
date: 2026/04/23
tags:
    - attack.defense_evasion
    - attack.t1014
logsource:
    product: linux
    service: auditd
detection:
    selection:
        # auditd PATH records carry the file path in the 'name' field
        type: 'PATH'
        name|startswith:
            - '/usr/local/bin/'
            - '/etc/rc.d/'
            - '/var/sf/detection_engine/'
        name|endswith:
            - '.so'
            - '.sh'
            - '.py'
    condition: selection
falsepositives:
    - Official software updates or patches
level: high
KQL (Microsoft Sentinel)
This query hunts for suspicious administrative commands or anomalies often associated with implant activity on Cisco devices forwarded via Syslog or CEF.
// Hunt for FIRESTARTER related anomalies in Cisco ASA/FTD logs
Syslog
// Cisco ASA/FTD messages are tagged %ASA-<sev>-<id> / %FTD-<sev>-<id>; the Facility column holds the syslog facility (local0 etc.), not the vendor
| where SyslogMessage contains "%ASA-" or SyslogMessage contains "%FTD-"
// Look for the malware name, or for command/boot/config activity referencing something unknown
| where SyslogMessage has "FIRESTARTER"
    or (SyslogMessage has_any ("Executed", "System", "Configuration", "Flash")
        and SyslogMessage matches regex @"(Executed command|startup-config|boot:).*unknown")
// Filter out known administrative hosts if necessary, but here we want to see *all* execution
| project TimeGenerated, HostName, HostIP, ProcessName, SyslogMessage, SeverityLevel
| order by TimeGenerated desc
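The Sigma keyword rule and the KQL hunt above both reduce to the same logic: isolate the Cisco ASA/FTD messages in a syslog stream, then flag either the malware name or command/boot/config activity that references something unknown. The script below is an added example, not code from the page or from CISA AR26-113A, that applies that logic to raw syslog lines so the rules can be tested offline before deployment. The log lines are constructed for the demonstration; the message IDs and the FIRESTARTER line in them are illustrative, not indicators from the report.

```python
"""Apply the page's Sigma/KQL keyword logic to raw Cisco ASA/FTD syslog lines (added example)."""
import re
from dataclasses import dataclass

# Cisco ASA/FTD messages carry a "%ASA-<sev>-<id>:" or "%FTD-<sev>-<id>:" tag; the ID is six digits.
CISCO_TAG = re.compile(r"%(?P<product>ASA|FTD)-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)")

# Same terms as the Sigma selection_keywords list (Sigma 'contains' is case-insensitive).
KEYWORDS = ("FIRESTARTER", "unauthorized access mechanism")
# Same regex as the KQL hunt.
SUSPICIOUS_EXEC = re.compile(r"(Executed command|startup-config|boot:).*unknown", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    product: str
    msg_id: str
    reason: str  # "keyword" or "exec-regex"
    text: str


def parse_cisco_line(line):
    """Return the tag fields of a Cisco ASA/FTD syslog line, or None for any other line."""
    m = CISCO_TAG.search(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Run the keyword and regex selections over an iterable of syslog lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_cisco_line(line)
        if parsed is None:
            continue  # not from an ASA/FTD; leave it to other rules
        text = parsed["text"]
        lowered = text.lower()
        reason = None
        if any(k.lower() in lowered for k in KEYWORDS):
            reason = "keyword"
        elif SUSPICIOUS_EXEC.search(text):
            reason = "exec-regex"
        if reason:
            hits.append(Hit(n, parsed["product"], parsed["msg_id"], reason, text))
    return hits


def hit_counts(hits):
    """Count hits per reason, the shape a dashboard or test would consume."""
    counts = {}
    for h in hits:
        counts[h.reason] = counts.get(h.reason, 0) + 1
    return counts


# Constructed sample lines: two benign ASA events, one FTD boot command referencing an unknown
# image, one line carrying the malware name, and one non-Cisco line that must be ignored.
SAMPLE_LOG = [
    "<166>Apr 23 2026 10:01:02 fw01 %ASA-6-302013: Built inbound TCP connection 4711 for "
    "outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Apr 23 2026 10:02:15 fw01 %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, "
    "executed 'show version'",
    "<165>Apr 23 2026 10:03:40 fw01 %FTD-5-111008: User 'svc_backup' executed the "
    "'boot: system flash:/unknown.img' command.",
    "<163>Apr 23 2026 10:04:01 fw01 %ASA-3-999001: Startup check flagged FIRESTARTER artifact "
    "during image verification",
    "<38>Apr 23 2026 10:05:00 fw01 sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.product} {h.msg_id} [{h.reason}] {h.text}")
```

The non-Cisco sshd line is deliberately included: a rule that keys on `Facility` or on the bare word "System" would either miss the ASA/FTD events or drown them in unrelated hosts, which is why the filter keys on the `%ASA-`/`%FTD-` tag instead.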
Velociraptor VQL
Use this artifact on the management server, or on the underlying Linux shell of the FTD device if you have endpoint visibility there, to hunt for the persistence mechanisms described in CISA AR26-113A.
-- Hunt for FIRESTARTER persistence artifacts on Linux-based management hosts.
-- VQL has no UNION keyword; chain() concatenates the rows of the three sub-queries.
-- Sub-query a: executable files whose name contains "starter" anywhere on the filesystem.
-- Sub-query b: startup scripts in /etc/rc.d modified in the last 7 days.
-- Sub-query c: /usr/local/bin contents modified in the last 30 days.
-- now() is epoch seconds, so ages are expressed as seconds (86400 per day).
SELECT * FROM chain(
  a={
    SELECT OSPath, Size, Mtime, Mode.String AS Mode
    FROM glob(globs='/**/*starter*')
    WHERE Mode.String =~ 'x'
  },
  b={
    SELECT OSPath, Size, Mtime, Mode.String AS Mode
    FROM glob(globs='/etc/rc.d/*')
    WHERE Mtime.Unix > now() - 7 * 86400
  },
  c={
    SELECT OSPath, Size, Mtime, Mode.String AS Mode
    FROM glob(globs='/usr/local/bin/*')
    WHERE Mtime.Unix > now() - 30 * 86400
  })
Remediation Script (Bash)
This script assists in verifying the integrity of the configuration and checking for obvious signs of persistence (Note: Full remediation requires factory reset or vendor-supported recovery per CISA guidelines for this type of firmware compromise).
#!/bin/bash
# Verification Script for FIRESTARTER Indicators on Cisco FTD/ASA Management Environment
# Reference: CISA AR26-113A
set -u
echo "[*] Starting check for FIRESTARTER persistence mechanisms..."
# Check for suspicious processes (if run on the underlying Linux shell)
echo "[*] Checking for suspicious processes..."
ps aux | grep -E '(FIRESTARTER|unknown|/tmp/.*\.sh)' | grep -v grep
# Check for unexpected startup scripts in common locations
if [ -d "/etc/rc.d" ]; then
    echo "[*] Checking startup scripts modified in the last 30 days..."
    find /etc/rc.d -type f -mtime -30 -ls
fi
# Check for hidden files under /var/sf, where the Firepower components live (dotfiles are a common way to hide dropped payloads)
if [ -d "/var/sf" ]; then
    echo "[*] Scanning /var/sf for hidden files..."
    find /var/sf -name ".*" -ls
fi
echo "[*] Verification complete. If anomalies are found, initiate Incident Response protocols immediately."
echo "[*] Official Remediation: Isolate device, backup logs, and coordinate with Cisco PSIRT/TAC."
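The auditd Sigma rule, the VQL hunt and the bash script above all look at the same places (startup script directories, /usr/local/bin, the Firepower tree) but each only reports what changed recently or what looks odd by name. A known-good hash baseline answers the question they cannot: which of these files differ from the state recorded before the incident. The following is an added example, not the page's own script, that takes a SHA-256 manifest of a set of watched directories, compares it against a later manifest, and also reproduces the bash script's dotfile and recent-modification checks. It builds a throwaway directory tree with constructed files so it runs anywhere; the `DEFAULT_WATCH_DIRS` tuple lists the page's paths for real use.

```python
"""Hash-baseline integrity check for persistence hot spots (added example)."""
import hashlib
import os
import tempfile
import time

# The locations the page's Sigma/VQL/bash checks examine; the demo points at a temp tree instead.
DEFAULT_WATCH_DIRS = ("/etc/rc.d", "/usr/local/bin", "/var/sf/detection_engine")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(watch_dirs):
    """Map every regular file under the watched directories to its SHA-256 (symlinks skipped)."""
    out = {}
    for d in watch_dirs:
        if not os.path.isdir(d):
            continue
        for dirpath, _, files in os.walk(d):
            for name in files:
                p = os.path.join(dirpath, name)
                if not os.path.islink(p):
                    out[p] = sha256_file(p)
    return out


def compare(baseline, current):
    """The three sets a responder wants: files added, removed, or altered since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def hidden_or_recent(watch_dirs, max_age_days, now=None):
    """Dotfiles and anything modified within max_age_days, mirroring the bash script's find calls."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    flagged = [p for p in manifest(watch_dirs)
               if os.path.basename(p).startswith(".") or os.path.getmtime(p) > cutoff]
    return sorted(flagged)


def build_demo():
    """Constructed scenario: snapshot a clean tree, then alter a startup script and drop a dotfile.

    Returns (watch_dirs, baseline_manifest) so the caller can run compare() against the tampered state."""
    root = tempfile.mkdtemp(prefix="ftd-demo-")
    rc_dir = os.path.join(root, "etc", "rc.d")
    bin_dir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(rc_dir)
    os.makedirs(bin_dir)
    clean = {os.path.join(rc_dir, "rc.local"): "#!/bin/sh\nexit 0\n",
             os.path.join(bin_dir, "health.sh"): "#!/bin/sh\necho ok\n"}
    old = time.time() - 90 * 86400  # pretend the clean files are 90 days old
    for path, body in clean.items():
        with open(path, "w") as f:
            f.write(body)
        os.utime(path, (old, old))
    watch_dirs = (rc_dir, bin_dir)
    baseline = manifest(watch_dirs)
    # Tampering after the baseline: one existing script modified, one hidden script added.
    with open(os.path.join(rc_dir, "rc.local"), "a") as f:
        f.write("# line appended after baseline\n")
    with open(os.path.join(bin_dir, ".cache.sh"), "w") as f:
        f.write("#!/bin/sh\n")
    return watch_dirs, baseline


if __name__ == "__main__":
    dirs, base = build_demo()
    print(compare(base, manifest(dirs)))
    print(hidden_or_recent(dirs, 30))
```

Store the baseline manifest off the device (the page's remediation list already says to export logs and configuration before touching anything), since a manifest that lives on a compromised appliance can be edited along with the files it describes.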
Remediation
Based on the severity of firmware-level compromise by APT actors using FIRESTARTER, standard "cleaning" is often insufficient. The following steps are mandatory:
- Immediate Isolation: Disconnect affected Cisco Firepower or ASA devices from the network (management plane only) if possible, or place them in a restricted VLAN to stop lateral movement while preserving logs.
- Preserve Forensic Artifacts: Before rebooting or wiping, capture a full memory dump and disk image if forensic capabilities exist. Export all current logs, including the boot configuration and running configuration.
- Credential Reset: Assume all administrative credentials for these devices and potentially associated AAA servers (Active Directory, TACACS+) are compromised. Rotate credentials immediately.
- Factory Reset / Re-image: CISA generally advises that devices compromised by this type of persistent malware cannot be trusted. Perform a factory reset to wipe the configuration and OS, then re-image the device from a known-good ISO directly from Cisco.
- Patch and Upgrade: After re-imaging, immediately apply the latest software updates. Refer to the official Cisco advisory associated with CISA AR26-113A for specific patched versions of ASA and FTD software.
- Audit Configuration: Review the restored configuration for any unauthorized changes, such as strange static routes, unauthorized access lists, or modified SNMP community strings.
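The last step, auditing the restored configuration for unauthorized static routes, access-list entries and SNMP community changes, is easiest to do mechanically against a known-good copy rather than by eye. The script below is an added example, not from the page or from Cisco, that pulls those three statement classes out of two ASA/FTD-style configuration texts and reports what was added or removed. The two configurations are constructed for the demonstration; the pattern set is deliberately narrow and should be extended to whatever other statement classes the environment treats as sensitive.

```python
"""Diff a restored Cisco ASA/FTD configuration against a known-good baseline (added example)."""
import re

# One pattern per change class from the remediation list. Each matches a whole statement line
# so additions and removals can be reported verbatim.
PATTERNS = {
    "static_route": re.compile(r"^route\s+\S+\s+\S+\s+\S+\s+\S+", re.IGNORECASE),
    "access_list": re.compile(r"^access-list\s+\S+\s+", re.IGNORECASE),
    "snmp_community": re.compile(r"^snmp-server\s+(?:community|host)\b", re.IGNORECASE),
}


def classify(config_text):
    """Collect the statements of each class from a configuration; '!' separator lines are ignored."""
    found = {name: set() for name in PATTERNS}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for name, pattern in PATTERNS.items():
            if pattern.match(line):
                found[name].add(line)
                break
    return found


def audit(baseline_text, restored_text):
    """Per class, list statements present only in the restored config (added) or only in the baseline (removed)."""
    base = classify(baseline_text)
    cur = classify(restored_text)
    return {name: {"added": sorted(cur[name] - base[name]),
                   "removed": sorted(base[name] - cur[name])} for name in PATTERNS}


def has_findings(report):
    return any(v["added"] or v["removed"] for v in report.values())


# Constructed known-good configuration (addresses from documentation ranges, community string invented).
BASELINE_CONFIG = """
! constructed baseline
hostname fw01
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
snmp-server host inside 192.0.2.50 community N3tM0n-ro version 2c
snmp-server community N3tM0n-ro
"""

# Constructed restored configuration with one change of each class the remediation list names.
RESTORED_CONFIG = """
! constructed restored config
hostname fw01
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.99.0.0 255.255.0.0 192.0.2.254 1
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 22
access-list OUTSIDE_IN extended deny ip any any log
snmp-server host inside 192.0.2.50 community N3tM0n-ro version 2c
snmp-server community public
"""

if __name__ == "__main__":
    for cls, diff in audit(BASELINE_CONFIG, RESTORED_CONFIG).items():
        for kind in ("added", "removed"):
            for stmt in diff[kind]:
                print(f"{cls:15s} {kind:8s} {stmt}")
```

Run this against the configuration exported before the wipe as well as the one restored afterwards: an entry that is in both is not proof it is legitimate, only that it predates the rebuild, so the baseline itself should come from change records, not from the compromised device.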
Official Vendor Advisory: Cisco Security Advisory
CISA Report: AR26-113A