Cisco has confirmed that the ArcaneDoor threat actor deployed a persistence mechanism that is not addressed by the security patches the company released in September last year, affecting the operating system of a range of Firepower and Secure Firewall devices.
Named Firestarter by the United States Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC), the malware implant is a Linux binary.
The threat actor stowed Firestarter as a Linux binary file in the Firepower eXtensible Operating System (FXOS) base layer.
As such, it sits below the software in Firepower Threat Defence (FTD) and Adaptive Security Appliances that customers normally upgrade and survives reboots of the devices.
Firestarter copies itself to a log directory and rewrites the storage mount list to point to /usr/bin/lina_cs when a firewall receives a graceful termination signal as part of the reboot sequence.
Once the firewall is rebooted, the malware restores the original mount list and removes the trojanised file to hide itself from forensic investigations.
The malware then injects itself into the LINA core processing engine on ASA and FTD appliances, replacing a WebVPN extended markup language handler with a shellcode loader that can be triggered by a magic packet in an authentication request.
In effect, Firestarter acts as a backdoor with remote control abilities.
A simple soft reboot will not clear Firestarter, but a hard restart by unplugging firewalls from mains power interrupts the persistence routine, as the malware does not have time to write itself to disk.
The Australian Cyber Security Centre (ACSC) has issued a high alert, advising organisations to follow CISA's supplemental direction for emergency directive (ED) 25-03, which involves pulling the plug on infected firewalls after a core dump has been collected and submitted to the agency.
Cisco's advice goes further, and the network vendor strongly recommends reimaging and upgrading devices with fixed software releases.
CISA said the malicious activity behind Firestarter has been ongoing since 2024, and it is still investigating the effects of that activity.