“FIRESTARTER backdoor hit federal Cisco Firepower device, survives security patches. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) softw…”
T1190 Exploit Public-Facing Application (94%)
“is tracking the exploitation activity associated with the two vulnerabilities under the moniker UAT4356 (aka Storm-1849), described FIRESTARTER as a backdoor that facilitates the execution of arbitrary shellcode received by the Lina process by parsing specially crafted WebVPN…”
T1584.005 Botnet (94%)
“…ter implant. "The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device," it added. Chinese hackers shift from individually procured infrastructure to covert networks. The dis…”
T1542.003 Bootkit (90%)
“to the compromised appliance as recently as last month. A Linux ELF binary, FIRESTARTER can set up persistence on the device, and survive firmware updates and device reboots unless a hard power cycle occurs. The malware lodges itself into the device's boot sequence by manipulat…”
T1190 Exploit Public-Facing Application (89%)
“CVE-2025-20362 (CVSS score: 6.5) - An improper validation of user-supplied input vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests. "FIRESTARTER can persist as a…”
T1090.002 External Proxy (74%)
“challenging for defenders to identify and block them using static IP blocklists. "Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale," the agencies said. "Their traffic will be forwarded through mul…”
T1090.003 Multi-hop Proxy (51%)
“challenging for defenders to identify and block them using static IP blocklists. "Covert networks mostly consist of compromised SOHO routers, but they also pull in any vulnerable device they can exploit at scale," the agencies said. "Their traffic will be forwarded through mul…”
T1584.008 Network Devices (44%)
“FIRESTARTER backdoor hit federal Cisco Firepower device, survives security patches. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) softw…”
T1583.005 Botnet (38%)
“…ter implant. "The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device," it added. Chinese hackers shift from individually procured infrastructure to covert networks. The dis…”
T1584.008 Network Devices (37%)
“– including Silver Dragon, which targets government organizations in Europe and Southeast Asia, and Operation TrueChaos, which abused a trusted software update channel to deliver malware across government networks – both reflect the same underlying logic: use legitimate infrastr…”
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER.
FIRESTARTER, per CISA and the U.K.'s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access