Firestarter Malware Persists on Cisco Firewalls Despite Updates and Patches

Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter that persists on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The backdoor has been attributed to a threat actor that Cisco tracks as UAT4356 and that the U.K. National Cyber Security Centre calls STORM-1849. The agencies say the attackers are likely a China-based cyber espionage group.

Firestarter is a backdoor that uses the firewall's own packet filtering capabilities to hide command-and-control traffic. It allows the attackers to maintain access even after administrators apply updates or patches. The malware specifically targets Cisco devices and has been designed to survive firmware updates, making it particularly difficult to remove.

Security researchers say the attackers have been active since at least 2020 and have targeted organizations in multiple sectors. Cisco has released guidance for detecting and removing the malware, but the agencies warn that the threat actor remains active and continues to target firewall devices.
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.