Overview
- CISA, which updated Emergency Directive 25-03 on Thursday, is requiring federal agencies to audit Cisco ASA and FTD firewalls, upload core dumps by April 24, and perform hard resets by April 30.
- CISA confirmed it found the Firestarter backdoor on a U.S. federal civilian agency’s Cisco Firepower device and assessed that the breach started in early September 2025, before patches, with the actors using it to redeploy Line Viper as recently as March 2026.
- Firestarter survives normal reboots and software updates by rewriting the Cisco Service Platform mount list during shutdown, so only pulling power or fully reimaging reliably removes it.
- Once active, the malware hooks the LINA process and waits for a crafted WebVPN authentication request with a secret prefix, then runs attacker-provided code in memory to restore access on demand.
- Security guidance includes checking for a lina_cs process and related files, applying Cisco’s fixed releases, and using YARA and Snort rules. Cisco Talos links the toolkit to UAT-4356, with overlaps to ArcaneDoor, while officials stop short of naming a country.