FIRESTARTER Backdoor

Malware Analysis Report at a Glance

Malware Name: FIRESTARTER
Original Publication: April 23, 2026
Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key response actions.

Note: The release of this Malware Analysis Report aligns with CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Supplemental Direction ED 25-03: Core Dump and Hunt Instructions. The malware outlined in this report is relevant for both Cisco Firepower and Secure Firewall devices; however, CISA has only observed a successful implant of the malware in the wild on a Cisco Firepower device running ASA software.

Key Actions for U.S. FCEB Agencies
  • Collect and submit core dumps to CISA’s Malware Next Generation platform.
  • Immediately report the submission via CISA’s 24/7 Operations Center; CISA will reach out with next steps.
  • Take no additional action until CISA provides further guidance.
Key Actions for All Other Organizations
  • Use the YARA rules to detect FIRESTARTER malware against either a disk image or core dump of a device.
  • Report any findings to CISA or the NCSC.
  • If compromise is confirmed, conduct incident response actions.
Intended Audience

Organizations: Government and critical infrastructure organizations (Note: While this publication supplements CISA ED 25-03, the guidance is applicable to all organizations, including U.K. organizations.)

Sector: Government Services and Facilities Sector

Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators

Introduction

The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow]. For more information on this campaign, see CISA’s original version of Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices (released Sept. 25, 2025).

CISA and the NCSC assess that FIRESTARTER can persist as an active threat on Cisco

[…]