Introduction
US and UK cybersecurity agencies have issued a joint warning about a custom malware strain, dubbed Firestarter, that targets Cisco perimeter firewalls. Unlike most implants found on network devices, which do not survive a software upgrade or a reimage, Firestarter is reported to persist through security updates and firmware reimages on Cisco Firepower and Secure Firewall appliances running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
This is a significant escalation in adversary capability against network edge infrastructure. If your organization runs Cisco firewalls, assume you are a target of an actively exploited threat that keeps its foothold through the remediation steps most teams rely on. Persistence across a reimage implies the implant lives somewhere the upgrade process does not rewrite: a storage area outside the system image, the boot components, or the device configuration that administrators restore afterwards. That calls for an evidence-preserving incident response rather than routine patch management.
Technical Analysis
Affected Products and Platforms
| Product Line | Affected Software | Suspected Persistence Vector (unconfirmed) |
|---|---|---|
| Cisco Firepower Threat Defense | FTD Software (specific versions under investigation) | Malicious code placed in boot components or other storage an upgrade does not rewrite |
| Cisco Adaptive Security Appliance | ASA Software (specific versions under investigation) | Filesystem-level persistence outside the paths a software update touches |
| Cisco Secure Firewall | Both ASA and FTD deployments | Abuse of the management interface or of the upgrade process itself |
Malware Characteristics and Persistence Mechanism
Firestarter is a custom malware framework written for Cisco's firewall operating systems. Its defining characteristic is persistence that survives upgrades. Public reporting does not yet say how that is achieved, so the mechanisms below are inferences from the observed behaviour, not confirmed findings:
- Non-standard filesystem implants: code placed in areas a Cisco software upgrade does not rewrite, for example recovery partitions, the boot loader area, or diagnostic partitions. A reimage that only replaces the main system image leaves these untouched.
- Configuration-level persistence: malicious lines injected into startup-config or other configuration files. Administrators routinely restore the saved configuration after a reimage, which would carry the implant back onto a clean image.
- Hardware-resident persistence: compromise of peripheral firmware or expansion modules that keep state across OS reinstalls. This is the least substantiated of the three and the hardest to rule out without vendor assistance.
Exploitation Status
- Active Exploitation: Confirmed in-the-wild activity targeting critical infrastructure and enterprise networks
- CISA KEV: The KEV catalog lists vulnerabilities, not malware families; once the CVE(s) Firestarter uses for initial access are identified, expect them to be added given the severity and the agency warnings
- Threat Actor Attribution: Initial intelligence suggests a state-aligned or well-resourced criminal actor with tooling built specifically for Cisco platforms
Attack Chain Overview
Initial Access → Privilege Escalation → Persistence Implant → C2 Establishment → Lateral Movement → Data Exfiltration
Initial access vectors likely include exploitation of known CVEs in the management interfaces (SSH, HTTPS, ASDM/FDM), stolen administrator credentials, or a supply-chain compromise of firmware images. Once on the device, Firestarter establishes a foothold that survives conventional patch cycles, giving the operator long-term visibility into, and the ability to exfiltrate from, traffic crossing the network edge.
Detection & Response
The detection rules and hunt procedures below are designed to surface Firestarter activity around Cisco firewalls. Be clear about what each one can actually see. ASA exposes no Linux shell and takes no endpoint agent, so the only device-side telemetry for ASA is syslog (command accounting, authentication and configuration messages). FTD runs on a Linux host reachable through expert mode, where a forensic agent or shell commands can be run. Rules keyed to process or file events therefore apply to FTD hosts and to the jump hosts used to manage the firewalls, not to ASA itself. Ship the syslog-based rules to your SIEM now and stage the host-based hunts for FTD.
SIGMA Rules
---
title: Potential Firestarter Malware - Suspicious Cisco Configuration Modification
id: 8d4f2a1e-7b3c-4d5e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects boot-variable, flash filesystem and startup-config operations in Cisco ASA/FTD command-accounting syslog (message IDs 111008/111010) that could indicate Firestarter persistence being installed. Each syslog event carries exactly one executed command, so the commands are matched directly rather than combined with a separate 'configure terminal' or 'write memory' selection; correlate hits with change tickets and the source IP of the session.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories
    - https://bleepingcomputer.com/news/security/firestarter-malware-survives-cisco-firewall-updates-security-patches/
author: Security Arsenal
date: 2024/12/19
tags:
    - attack.persistence
    - attack.t1542.004
    - attack.t1601.001
    - cisco
    - firewall
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'boot system'
        - 'boot config'
        - 'format disk0:'
        - 'format flash:'
        - 'fsck'
        - 'copy running-config startup-config'
        - 'debug platform packet-trace'   # IOS-XE command; harmless on ASA/FTD, kept for mixed estates
        - 'more flash:/'
        - 'dir disk0:'
    condition: keywords
falsepositives:
    - Legitimate administrator firmware updates or system recovery operations
    - Routine flash browsing ('dir', 'more') during troubleshooting
level: high
---
title: Potential Firestarter C2 Traffic - Anomalous Network Patterns from Cisco Devices
id: 3e7d9c2a-8f1b-4e6a-a5d9-c2b3e4f5a6b7
status: experimental
description: Detects outbound connections initiated by Firepower data-plane processes to ports other than the expected management ports (SSH, HTTPS, sftunnel 8305/8306). Requires host telemetry from the FTD Linux host (for example a forensic agent started from expert mode); ASA exposes no such surface, so for ASA apply the same port logic to NetFlow or firewall logs for the management interface instead.
references:
    - https://attack.mitre.org/techniques/T1071/
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2024/12/19
tags:
    - attack.command_and_control
    - attack.t1071
    - cisco
    - firewall
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - 'lina'
            - 'luDN'   # confirm process names against a known-good device of the same release
            - 'snort'
    filter_management_ports:
        DestinationPort:
            - 22
            - 443
            - 8305
            - 8306
    condition: selection and not filter_management_ports
falsepositives:
    - Legitimate API calls to cloud management services or monitoring platforms
level: high
---
title: Potential Firestarter Filesystem Access - Hidden Directory Exploration
id: 6a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects file utilities operating on dot-prefixed or partition-like paths on the FTD Linux host where an implant could hide its persistence components. No public indicators name the paths Firestarter uses; the path fragments below are illustrative and should be tuned to what a known-good device does not contain. Applies to FTD (expert mode telemetry), not ASA.
references:
    - https://attack.mitre.org/techniques/T1564/001/
author: Security Arsenal
date: 2024/12/19
tags:
    - attack.defense_evasion
    - attack.t1564.001
    - cisco
    - firewall
logsource:
    category: process_creation
    product: linux
detection:
    selection_hidden_paths:
        CommandLine|contains:
            - '/.hidden'
            - '/.cache/'
            - '/tmp/.hidden'
            - 'hidden_partition'
            - 'diag_partition'
    selection_file_commands:
        Image|endswith:
            - '/cat'
            - '/less'
            - '/more'
            - '/vi'
            - '/nano'
            - '/chmod'
            - '/chown'
    condition: all of selection_*
falsepositives:
    - Authorized forensic analysis or vendor support troubleshooting
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt 1: Cisco ASA/FTD command accounting. Syslog IDs 111008/111010 record every
// executed command ("User 'u' executed the 'cmd' command." and "User 'u', running
// 'CLI' from IP a.b.c.d, executed 'cmd'"); the regex keeps boot-variable, flash and
// startup-config operations. Run each hunt below as its own query.
let TimeRange = ago(7d);
Syslog
| where TimeGenerated > TimeRange
| where SyslogMessage matches regex @"%ASA-\d-1110(08|10):"
| where SyslogMessage matches regex @"executed (the )?'(boot (system|config)|format (disk\d:|flash:)|fsck|copy .*(disk\d:|flash:|startup-config)|more flash:|dir disk0:)"
| extend SourceIP = extract(@"from IP ([\d.]+)", 1, SyslogMessage),
         Username = extract(@"User '([^']+)'", 1, SyslogMessage),
         Command  = extract(@"executed (?:the )?'([^']+)'", 1, SyslogMessage)
| project TimeGenerated, Computer, HostIP, SourceIP, Username, Command, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
// Hunt 2: outbound connections from Firepower data-plane processes to ports other
// than the expected management ports. DeviceNetworkEvents is populated only by hosts
// running Defender for Endpoint; ASA/FTD appliances do not run the sensor, so this
// hunt has data only if FTD host telemetry is ingested into this table (or you adapt
// it to NetFlow from the management interface). The DeviceName regex assumes a naming
// convention; adjust it to yours.
let TimeRange = ago(7d);
DeviceNetworkEvents
| where TimeGenerated > TimeRange
| where DeviceName matches regex @"(?i)(firepower|asa|ftd|cisco)"
| where InitiatingProcessFileName in~ ("lina", "luDN", "snort", "ssh", "telnet")
| where RemotePort !in (22, 443, 8305, 8306, 161, 162) // expected management ports
| where RemoteIPType == "Public"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessAccountName
| order by TimeGenerated desc
// Hunt 3: dot-prefixed or "hidden_partition" paths created or modified on the same
// hosts (same telemetry caveat as Hunt 2; the path names are illustrative, not
// published indicators).
let TimeRange = ago(7d);
DeviceFileEvents
| where TimeGenerated > TimeRange
| where DeviceName matches regex @"(?i)(firepower|asa|ftd|cisco)"
| where FilePath matches regex @"/\.[^/]+" or FilePath has "hidden_partition"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project TimeGenerated, DeviceName, FileName, FilePath, InitiatingProcessFileName,
          InitiatingProcessAccountName, SHA256, MD5
| order by TimeGenerated desc
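The Sigma rule and the first KQL hunt above rely on the same fact: ASA and FTD record every executed command in syslog (message IDs 111008 and 111010), so boot-variable and flash operations from unexpected sources are visible without any agent on the device. The Python below is an added example, not code from the original page or from Cisco, that implements that logic over a handful of constructed log lines. It parses both message formats, treats boot, format and copy-to-flash commands as persistence-relevant, and raises the severity when the session's source address is not an approved jump host or the command references a dot-prefixed path on flash. The hostnames, users, addresses and the approved-host list are invented for the example; the message formats are real.

```python
"""Audit Cisco ASA/FTD command-accounting syslog (IDs 111008/111010) for
persistence-related commands. Added example; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Real ASA message shapes. 111010 carries the source IP of the session; 111008 does not.
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<ip>[0-9a-fA-F.:]+), executed '(?P<cmd>.*)'\s*$"
)
RE_111008 = re.compile(r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.\s*$")
RE_HOST = re.compile(r"\s(\S+)\s:\s%ASA-")  # "<timestamp> <hostname> : %ASA-..."

# Commands that touch boot variables or flash: where an upgrade-surviving implant would live.
PERSISTENCE_PATTERNS = [
    (re.compile(r"^boot\s+(system|config)\b"), "boot variable changed"),
    (re.compile(r"^(format|erase|fsck)\b"), "flash filesystem operation"),
    (re.compile(r"^copy\b.*\b(disk\d+:|flash:)"), "file copied onto flash"),
]
# Routine config saves; only interesting when the source is not an approved host.
SAVE_PATTERN = re.compile(r"^(write memory|copy running-config startup-config)\b")
# Dot-prefixed path on flash (e.g. disk0:/.cache/x): unusual naming worth a closer look.
HIDDEN_PATH = re.compile(r"(disk\d+:|flash:)/?\.[^/\s]")


@dataclass
class CommandEvent:
    host: str
    user: str
    source_ip: Optional[str]  # None for 111008, which has no source address
    command: str


@dataclass
class Alert:
    severity: str  # "high", "medium" or "info"
    reason: str
    event: CommandEvent


def parse_line(line: str) -> Optional[CommandEvent]:
    """Return a CommandEvent for 111008/111010 lines, None for any other message."""
    host_m = RE_HOST.search(line)
    host = host_m.group(1) if host_m else "unknown"
    m = RE_111010.search(line)
    if m:
        return CommandEvent(host, m["user"], m["ip"], m["cmd"].strip())
    m = RE_111008.search(line)
    if m:
        return CommandEvent(host, m["user"], None, m["cmd"].strip())
    return None


def classify(event: CommandEvent, approved_sources: Set[str]) -> Optional[Alert]:
    """Score one executed command; None means it is not worth an alert."""
    cmd = event.command
    offsite = event.source_ip is not None and event.source_ip not in approved_sources
    hidden = bool(HIDDEN_PATH.search(cmd))
    for pattern, why in PERSISTENCE_PATTERNS:
        if pattern.search(cmd):
            notes = [why]
            if offsite:
                notes.append(f"source {event.source_ip} is not an approved jump host")
            if hidden:
                notes.append("dot-prefixed path on flash")
            return Alert("high" if (offsite or hidden) else "medium", "; ".join(notes), event)
    if SAVE_PATTERN.search(cmd):
        if offsite:
            return Alert("medium", f"config saved from unapproved source {event.source_ip}", event)
        return Alert("info", "config saved", event)
    return None


def audit(lines: Iterable[str], approved_sources: Iterable[str]) -> List[Alert]:
    """Run every line through the parser and classifier, keeping the alerts in log order."""
    approved = set(approved_sources)
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event, approved)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: message formats are real, hosts/users/IPs/paths are invented.
SAMPLE_LOGS = [
    "Dec 19 2024 10:01:12 fw-edge-01 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.5, executed 'configure terminal'",
    "Dec 19 2024 10:01:15 fw-edge-01 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.5, executed 'write memory'",
    "Dec 19 2024 02:13:44 fw-edge-01 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 198.51.100.23, executed 'boot system disk0:/asa-recovery.bin'",
    "Dec 19 2024 02:13:50 fw-edge-01 : %ASA-5-111008: User 'enable_15' executed the 'write memory' command.",
    "Dec 19 2024 03:00:01 fw-edge-01 : %ASA-5-111010: User 'enable_15', running 'CLI' from IP 198.51.100.23, executed 'copy /noconfirm disk0:/.cache/a.bin disk0:/asa-recovery.bin'",
]
APPROVED_JUMP_HOSTS = {"10.20.0.5"}  # assumption: the only host allowed to manage fw-edge-01

if __name__ == "__main__":
    for a in audit(SAMPLE_LOGS, APPROVED_JUMP_HOSTS):
        print(f"[{a.severity.upper():6}] {a.event.host} user={a.event.user} "
              f"src={a.event.source_ip or '-'} cmd={a.event.command!r}: {a.reason}")
```

In production the approved-host set comes from the jump-host inventory and the 111008 events (no source IP) should be joined to the preceding 111010 or login message from the same user to recover the session source; the example keeps them at "info" so that a save with no attributable source is still visible.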
Velociraptor VQL
-- Hunt for Firestarter persistence indicators on Cisco FTD (Linux-based) appliances.
-- Requires the Velociraptor client on the FTD Linux host (expert mode); ASA exposes no
-- Linux shell, so these queries do not apply there. Run each SELECT as its own query or
-- as separate sources of one artifact. Paths such as /.hidden, /etc/cisco and /var/sf
-- are assumptions; confirm them on a known-good device of the same release.

-- 1. Executable content under hidden directories in non-standard locations
SELECT OSPath, Size, Mode.String AS Mode, Mtime, Atime, Ctime, Btime
FROM glob(globs="/*/.*/**")
WHERE Mode.String =~ "x" AND NOT OSPath =~ "^/(root/.ssh|home/|proc/|sys/|dev/)"

-- 2. Interpreter processes with socket activity on the command line, running from
--    temp locations or outside the system binary paths (potential C2 client)
SELECT Pid, Ppid, Name, Exe, Username, CommandLine, Cwd
FROM pslist()
WHERE Name IN ("python", "python3", "perl", "bash", "sh", "nc", "telnet", "ssh")
  AND CommandLine =~ "(socket|connect|bind|listen)"
  AND (NOT Exe =~ "^/(usr/bin|bin|sbin|usr/sbin)/" OR Exe =~ "^/(tmp|dev/shm|var/tmp)/")

-- 3. Configuration and startup files modified in the last 7 days
SELECT OSPath, Size, Mode.String AS Mode, Mtime, Ctime
FROM glob(globs=["/etc/*.conf", "/etc/cisco/*", "/usr/local/sf/*", "/var/sf/*"])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)

-- 4. Crontab entries that download, spawn interpreters or reference temp/hidden paths
SELECT OSPath, read_file(filename=OSPath) AS Data
FROM glob(globs=["/var/spool/cron/*", "/etc/cron.*/*", "/etc/crontab"])
WHERE Data =~ "(wget|curl|nc |bash.*-c|python.*-c|perl.*-e)"
   OR Data =~ "(/tmp/|/dev/shm/|/.hidden)"

-- 5. Established or listening sockets on non-management ports from unexpected processes
SELECT Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status, Pid, Name
FROM netstat()
WHERE NOT Raddr.Port IN (22, 443, 80, 161, 162, 8305, 8306)
  AND NOT Name IN ("sshd", "snort", "lina", "luDN", "ntopng")
  AND Status =~ "(ESTAB|LISTEN)"

-- 6. YARA scan of process memory for the strings the original hunt looked for.
--    A family name in memory is a weak indicator; treat hits as leads, not confirmation.
LET Rules = '''
rule Firestarter_suspect_strings {
  strings:
    $a = "Firestarter" ascii wide
    $b = "C2:" ascii
    $c = /reverse[ _-]?shell/ nocase
    $d = "implant" nocase
    $e = "backdoor" nocase
  condition: any of them
}
'''
SELECT * FROM foreach(
  row={ SELECT Pid, Name, Exe FROM pslist() WHERE NOT Name IN ("lina", "snort") },
  query={ SELECT Pid, Name, Exe, Rule FROM proc_yara(pid=Pid, rules=Rules) })
Remediation Script (Bash)
#!/bin/bash
# Firestarter Malware Remediation Script for Cisco FTD (Firepower) appliances
# Scope: the Linux shell reached with 'expert' on FTD. Cisco ASA exposes no Linux
# shell, so on ASA use the CLI checks from the Remediation section instead.
# WARNING: Run under vendor guidance. Back up all configs and take a forensic
# image BEFORE running 'remediate': anything this script removes is first copied
# to BACKUP_DIR/quarantine, but a copy is not a substitute for a full image.
# Filesystem paths below (startup-config locations, /var/cisco, /usr/local/sf)
# are assumptions; confirm them on a known-good device of the same release.
# Version: 1.1
# Date: 2024-12-19
#
# Usage: sudo ./firestarter_rem.sh [verify|remediate|harden]
set -u
ACTION=${1:-verify}
STAMP=$(date +%Y%m%d_%H%M%S)
LOG_FILE="/var/log/firestarter_rem_${STAMP}.log"
BACKUP_DIR="/var/tmp/firestarter_backup_${STAMP}"

# Logging function: every line goes to the console and to LOG_FILE
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}

# Create backup directory and preserve the startup configuration
create_backup() {
    mkdir -p "$BACKUP_DIR/quarantine"
    log "Created backup directory: $BACKUP_DIR"
    for cfg in /mnt/disk0/startup-config /flash/startup-config; do
        if [ -f "$cfg" ]; then
            cp -p "$cfg" "$BACKUP_DIR/startup-config$(echo "$cfg" | tr '/' '_').bak"
            log "Backed up $cfg"
        fi
    done
}

# Verify function - read-only scan for potential Firestarter indicators
verify_scan() {
    log "=== STARTING FIRESTARTER VERIFICATION SCAN ==="
    log "Scanning for hidden directories outside expected locations..."
    find / -type d -name ".*" -not -path "/proc/*" -not -path "/sys/*" -not -path "/dev/*" \
        -not -path "/root/.ssh" -not -path "/root/.ssh/*" -not -path "/home/*" 2>/dev/null | tee -a "$LOG_FILE"

    # Grouping is required: without the parentheses -type f only applies to -executable
    log "Scanning for executables and scripts in /tmp, /var/tmp and /dev/shm..."
    find /tmp /var/tmp /dev/shm -type f \( -executable -o -name "*.sh" -o -name "*.py" \) 2>/dev/null | tee -a "$LOG_FILE"

    log "Scanning for system files modified in the last 7 days..."
    find /etc /usr/local /var/cisco -type f -mtime -7 2>/dev/null | tee -a "$LOG_FILE"

    log "Checking crontab entries..."
    for user in root cisco admin; do
        if [ -f "/var/spool/cron/$user" ]; then
            log "Crontab for $user:"
            tee -a "$LOG_FILE" < "/var/spool/cron/$user"
        fi
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | tee -a "$LOG_FILE"

    log "Checking for interpreter processes not belonging to known platform components..."
    ps -eo pid,ppid,user,args | grep -E "(^|/)(python[0-9.]*|perl|bash|sh|nc|ncat|socat)( |$)" \
        | grep -vE "(grep|lina|luDN|snort)" | tee -a "$LOG_FILE"

    log "Checking established network connections..."
    { netstat -antp 2>/dev/null || ss -antp 2>/dev/null; } | grep ESTAB | tee -a "$LOG_FILE"

    log "=== VERIFICATION SCAN COMPLETE ==="
    log "Review results in: $LOG_FILE"
}

# Remediate function - quarantines, then removes, suspected Firestarter components
remediate_clean() {
    log "=== STARTING FIRESTARTER REMEDIATION ==="
    log "WARNING: This modifies the system. Take a full forensic image first."
    create_backup

    log "Quarantining dot-files from /tmp, /var/tmp and /dev/shm..."
    find /tmp /var/tmp /dev/shm -type f -name ".*" -print0 2>/dev/null \
        | while IFS= read -r -d '' f; do
            cp -p --parents "$f" "$BACKUP_DIR/quarantine/" 2>/dev/null
            log "Quarantined and removed: $f"
            rm -f "$f"
        done

    # Only hidden directories under temp locations, or with 'hidden' in the path, are touched.
    log "Quarantining suspicious hidden directories..."
    find / -type d -name ".*" -not -path "/proc/*" -not -path "/sys/*" \
        -not -path "/root/.ssh" -not -path "/root/.ssh/*" -not -path "/home/*" -print0 2>/dev/null \
        | while IFS= read -r -d '' dir; do
            if [[ "$dir" =~ ^/(tmp|var/tmp|dev/shm)/ || "$dir" =~ hidden ]]; then
                cp -a --parents "$dir" "$BACKUP_DIR/quarantine/" 2>/dev/null
                log "Quarantined and removed: $dir"
                rm -rf "$dir"
            fi
        done

    log "Cleaning suspicious crontab entries..."
    log "Manual review required for crontab modifications (see the verify output)."

    log "Checking for processes to terminate..."
    log "Manual intervention required for process termination (capture memory first)."

    log "=== REMEDIATION COMPLETE ==="
    log "Quarantined copies are in $BACKUP_DIR/quarantine."
    log "This cleanup is not sufficient on its own: reimage from verified media following Cisco guidance."
}

# Harden function - applies security hardening measures
harden_system() {
    log "=== STARTING SYSTEM HARDENING ==="
    log "Disabling telnet if present..."
    systemctl disable --now telnet.socket 2>/dev/null || true

    log "Checking SSH configuration (expect PermitRootLogin no, PasswordAuthentication no)..."
    if [ -f /etc/ssh/sshd_config ]; then
        grep -E "^[[:space:]]*(PermitRootLogin|PasswordAuthentication|Protocol)" /etc/ssh/sshd_config | tee -a "$LOG_FILE"
    fi

    log "Scanning for world-writable files under /etc and /usr/local..."
    find /etc /usr/local -type f -perm -o+w 2>/dev/null | tee -a "$LOG_FILE"

    # Command accounting (syslog IDs 111008/111010) is severity 5; the device must send
    # syslog at level 'notifications' or more verbose for those records to reach the SIEM.
    # That is configured from the device CLI/FMC, not from this shell.
    log "Logging: confirm syslog export at level notifications or higher from the device CLI/FMC."
    log "=== HARDENING COMPLETE ==="
    log "Apply the fixed Cisco release immediately."
}

# Main execution
case "$ACTION" in
    verify)
        verify_scan
        ;;
    remediate)
        remediate_clean
        ;;
    harden|hardened)
        harden_system
        ;;
    *)
        echo "Usage: $0 [verify|remediate|harden]"
        exit 1
        ;;
esac
exit 0
Remediation
Immediate Actions Required
- Check Device Integrity: Run verification scans on all Cisco Firepower, ASA, and FTD devices. Look for:
  - Hidden directories or files outside standard paths (FTD expert mode)
  - Unexpected processes running from /tmp, /dev/shm, or /var/tmp (FTD expert mode)
  - Recent modifications to startup-config or system files; diff the running configuration against a known-good copy
  - Unusual network connections from management interfaces
  - On ASA, compare the hash of the image on flash with Cisco's published value (`verify /sha-512 disk0:/<image>`) and review the boot variables (`show bootvar`) for an image you did not install
- Isolate Compromised Devices: If Firestarter is suspected:
  - Disconnect the device from management networks immediately
  - Preserve forensic evidence (memory dumps, full filesystem images, a copy of the running and startup configuration) before changing anything
  - Do NOT rely on standard patching alone; an upgrade will not remove the implant
- Complete Device Reimage: Because the malware persists across a normal upgrade:
  - Perform a complete factory reset or reimage from known-good media
  - Verify the reimage source (check the image hash against Cisco's published values before loading it)
  - Rebuild the configuration from a reviewed template rather than restoring the saved startup-config, which may carry the persistence back
  - Consider replacing hardware if compromise is confirmed to be firmware-level
- Password and Credential Rotation:
  - Change all administrator passwords for affected devices
  - Revoke and reissue SSH keys and API tokens
  - Rotate credentials for any authentication systems integrated with the firewalls (RADIUS/TACACS+ shared secrets, certificates and their private keys)
Vendor Advisory and Patch Information
| Advisory | URL | Status |
|---|---|---|
| Cisco Security Advisory | https://sec.cloudapps.cisco.com/security/center/publicationListing.xhtml | Monitor for updates |
| CISA Alert | https://www.cisa.gov/news-events/cybersecurity-advisories | Active monitoring |
| NCSC Advisory | https://www.ncsc.gov.uk/alerts | Active monitoring |
Patch Version Guidance
Apply the fixed releases Cisco's advisory names for your platform rather than simply "the latest":
- FTD Software: Upgrade to the FTD release Cisco lists as fixed for the initial-access vulnerabilities once they are published; no CVE identifiers are confirmed at the time of writing
- ASA Software: Upgrade to the fixed ASA maintenance release for your train
- Firepower Management Center (FMC): Update FMC first so it can push the fixed version to its managed devices
CISA Remediation Deadlines
Per CISA Binding Operational Directive (BOD) 22-01 and KEV requirements:
- Emergency Directive Expected: Given the severity and active exploitation, an Emergency Directive with deadlines of 48-72 hours may follow
- Standard KEV Timeline: Vulnerabilities added to the KEV catalog carry a CISA-set due date, typically three weeks from addition, by which federal civilian agencies must remediate
- Private Sector Recommendation: Remediate within 7 days given active exploitation and the persistence capability; where a device cannot be reimaged in that window, isolate its management plane in the meantime
Long-Term Hardening Recommendations
- Implement Zero Trust for Device Management: Restrict firewall management access to specific jump hosts with MFA, and deny management-plane access from any interface facing untrusted networks
- Deploy Integrity Monitoring: A conventional file integrity monitoring agent cannot be installed on an ASA, so implement the equivalent by pulling the running configuration on a schedule, diffing it against a reviewed baseline, and alerting on every added or removed line
- Network Segmentation: Separate the management plane from the data plane; enforce strict firewall rules between management networks and other segments
- Regular Firmware Verification: Periodically compare the hash of the installed image (`verify /sha-512` on ASA) and the boot variables against known-good values
- Hunt for Persistence: Conduct regular threat hunting exercises focused on persistence mechanisms on network infrastructure, including review of command-accounting syslog from the firewalls
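The configuration-based integrity monitoring recommended above, and the startup-config check in the Immediate Actions, reduce to the same operation: pull the running configuration and compare it with a reviewed baseline, paying attention to the lines that matter for persistence and for concealment. The Python below is an added example (not from the original page or from Cisco) of that comparison. It drops the header and checksum lines that change on every save, reports each added or removed line, and ranks boot variables, new level-15 accounts, management access rules and removed AAA or logging lines highest. The two abbreviated configurations are constructed for the example; the line syntax follows ASA's `show running-config` output.

```python
"""Diff a Cisco ASA/FTD running configuration against a reviewed baseline and
rank the changes. Added example; the two sample configs are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Lines that change on every save and carry no security meaning.
VOLATILE = re.compile(r"^(: Saved|: Written by|: Serial Number|: Hardware|Cryptochecksum:|: end|!|:\s*$)")

# (pattern, severity when added, what it is). Removal of AAA or logging lines is
# escalated to high in classify(): silencing telemetry is itself an indicator.
RISK_RULES = [
    (re.compile(r"^boot (system|config)\b"), "high", "boot variable"),
    (re.compile(r"^username \S+ .*privilege 15\b"), "high", "level-15 local account"),
    (re.compile(r"^aaa "), "high", "AAA configuration"),
    (re.compile(r"^(ssh|http|telnet) \S+ \S+ \S+$"), "medium", "management access rule"),
    (re.compile(r"^(logging|snmp-server) "), "medium", "telemetry"),
    (re.compile(r"^(enable password|crypto ca trustpoint|webvpn)\b"), "medium", "credentials or trust material"),
]
ESCALATE_ON_REMOVAL = {"AAA configuration", "telemetry"}


@dataclass
class Finding:
    change: str     # "added" or "removed"
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def normalize(config: str) -> Counter:
    """Multiset of meaningful config lines with the volatile header/footer lines dropped."""
    lines: Counter = Counter()
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not VOLATILE.match(line):
            lines[line] += 1
    return lines


def classify(line: str, change: str) -> Finding:
    """Attach a severity and reason to one changed line."""
    for pattern, severity, reason in RISK_RULES:
        if pattern.match(line):
            if change == "removed" and reason in ESCALATE_ON_REMOVAL:
                severity = "high"
            return Finding(change, severity, reason, line)
    return Finding(change, "low", "uncategorized change", line)


def diff_configs(baseline: str, current: str) -> List[Finding]:
    """Return every added or removed line, highest severity first."""
    base, cur = normalize(baseline), normalize(current)
    findings = [classify(line, "added") for line in (cur - base).elements()]
    findings += [classify(line, "removed") for line in (base - cur).elements()]
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.change, f.line))
    return findings


# Constructed, heavily abbreviated configurations (hostnames, users, addresses invented).
BASELINE_CONFIG = """
: Saved
: Written by netops at 09:12:01.345 UTC Mon Dec 2 2024
!
ASA Version 9.18(4)
!
hostname fw-edge-01
boot system disk0:/asa9-18-4-smp-k8.bin
!
username netops password ***** pbkdf2 privilege 15
aaa authentication ssh console LOCAL
ssh 10.20.0.0 255.255.255.0 management
http server enable
http 10.20.0.0 255.255.255.0 management
logging enable
logging host management 10.20.0.50
Cryptochecksum:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
: end
"""
CURRENT_CONFIG = """
: Saved
: Written by enable_15 at 02:14:02.771 UTC Thu Dec 19 2024
!
ASA Version 9.18(4)
!
hostname fw-edge-01
boot system disk0:/asa-recovery.bin
boot system disk0:/asa9-18-4-smp-k8.bin
!
username netops password ***** pbkdf2 privilege 15
username svc_backup password ***** pbkdf2 privilege 15
aaa authentication ssh console LOCAL
ssh 10.20.0.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 10.20.0.0 255.255.255.0 management
logging enable
Cryptochecksum:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
: end
"""

if __name__ == "__main__":
    for f in diff_configs(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f.severity.upper():6}] {f.change:7} {f.reason}: {f.line}")
```

Run it on a schedule against each firewall's pulled configuration and treat any high finding as an incident trigger rather than a change-management exception; a new first entry in the boot order, a new privilege-15 account and a silenced syslog host are exactly the changes a persistence implant needs and an upgrade will not undo.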