Firewalls became persistence targets
Firewalls have always been treated as the first defensive layer in enterprise and government networks. The problem is that advanced threat groups now view these devices as long-term espionage platforms.
The Firestarter case gained attention for exactly that reason. The malware remained active on Cisco ASA and Firepower Threat Defense (FTD) devices even after patches and operational reboots.
In some scenarios, the only way to interrupt the malware was a complete physical power cycle.
That completely changes the risk perception around security appliances.
What is Firestarter
Firestarter is a persistent backdoor associated with the ArcaneDoor campaign, also tracked as UAT-4356 and Storm-1849.
The operation focused on compromising Cisco firewalls deployed in critical environments.
The malware targeted internet-exposed devices by exploiting known vulnerabilities to obtain remote code execution and low-level persistence.
Once installed, operators gained:
- Remote command execution
- Network traffic capture
- VPN authentication bypass
- Log suppression
- Lateral movement into internal networks
- Persistence resistant to standard reboot procedures
The most important detail is that Firestarter did not behave like traditional malware running only inside the appliance operating system.
Instead, it integrated directly into the LINA process, the core component responsible for traffic processing and security operations on Cisco ASA and FTD devices.
How the compromise works
The initial infection vector leveraged critical vulnerabilities such as CVE-2025-20333 and CVE-2025-20362.
On publicly exposed environments, attackers uploaded the payload and initiated the persistence chain.
The observed process included:
1. Initial exploitation
Exposed management interfaces allowed remote execution and ELF binary upload.
2. LINA process hook
The malware injected hooks directly into the process responsible for firewall control and traffic inspection.
This allowed attackers to intercept authentication flows, manipulate VPN sessions and inspect sensitive traffic.
3. Boot persistence
Firestarter modified initialization mechanisms associated with Cisco Service Platform (CSP), ensuring automatic execution after reboot.
This explains why standard commands such as reload or shutdown failed to remove the malware.
4. Operational execution
Once persistence was active, the LINE VIPER toolkit enabled:
- Arbitrary CLI command execution
- Activity concealment
- Log manipulation
- Internal traffic capture
- Persistent remote control
From an espionage perspective, this level of access is extremely valuable because the firewall has visibility into strategic enterprise communications.
Why rebooting the firewall was not enough
Many security teams still assume a reboot removes threats from network appliances.
This case demonstrated the opposite.
Firestarter persisted within components loaded during the device boot sequence. Standard logical reboots preserved parts of the malicious structure.
In several cases, only a complete cold restart temporarily interrupted the backdoor.
Even then, the recommended remediation involved full device reimaging and rebuilding the configuration from scratch.
From an offensive security perspective, this demonstrates deep knowledge of Cisco appliance internals.
The US federal agency incident
In March 2026, investigators identified Firestarter running on a Firepower firewall used by a US federal civilian agency.
The critical detail is that the device had already received security patches.
Despite that, persistent remote access remained active since at least September 2025.
The response included an updated CISA Emergency Directive 25-03 requiring:
- Memory dump analysis
- Verification of hooks in critical processes
- Mandatory power cycle procedures
- Full reimage of suspicious appliances
- Complete distrust of compromised firewall configurations
In practice, any internet-exposed Cisco ASA or FTD firewall became a potential compromise candidate until fully validated.
What this means for enterprise environments
Many organizations still assume security appliances are trustworthy by default.
In reality, modern firewalls run complex Linux-based systems, web services, APIs, VPN modules, cloud integrations and third-party components.
That dramatically expands the attack surface.
During offensive security assessments performed by Antisec, it is common to identify:
- Internet-exposed management interfaces
- Overly permissive ACLs
- VPNs without MFA
- Outdated firmware
- Insufficient logging
- Lack of segmentation
Once attackers gain persistence on a firewall, they are no longer compromising a single device. They are operating from a privileged position inside the environment.
How to reduce exposure
Mitigation requires a practical approach.
1. Never expose administrative interfaces
Publicly accessible management interfaces remain one of the most abused attack vectors against appliances.
2. Continuously validate integrity
Applying patches is not enough. Organizations must also validate running processes, loaded modules and boot-time initialization, looking for injected hooks and suspicious modifications.
3. Use external logging
Logs stored only inside the appliance can be manipulated by attackers.
External SIEM integration reduces this risk.
4. Harden VPN access
MFA, segmentation and restrictive policies remain essential.
5. Adopt continuous offensive validation
Red Team exercises, Purple Team operations and recurring technical assessments help identify exposure before advanced groups exploit it.
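As an added example (not code from the original post or from Cisco), here is the kind of collector-side check that steps 1 to 3 above imply once firewall syslog is forwarded off the appliance: it flags silent holes in an otherwise steady feed, which can indicate log suppression, and admin logins that do not arrive from the management network on a management interface. The line shape, device name, addresses and the ASA-style message texts are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real device output), ASA-like shape:
# "<ISO timestamp> <device> %ASA-<sev>-<msgid>: <text>". A 9-minute hole
# sits after the third line; the last login arrives on the outside interface.
SAMPLE_LOG = """\
2026-03-11T10:00:00Z fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.20/443 to inside:10.0.0.5/51000
2026-03-11T10:00:30Z fw-edge-01 %ASA-6-605005: Login permitted from 10.0.0.9/52110 to inside:10.0.0.1/ssh for user "netops"
2026-03-11T10:01:00Z fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.21/443 to inside:10.0.0.6/51001
2026-03-11T10:10:00Z fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.22/443 to inside:10.0.0.7/51002
2026-03-11T10:10:05Z fw-edge-01 %ASA-6-605005: Login permitted from 203.0.113.77/40022 to outside:198.51.100.1/https for user "admin"
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %ASA-\d-(?P<mid>\d+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login permitted from (?P<src>[\d.]+)/\d+ to (?P<iface>\w+):")

def parse(text):
    """Parse forwarded lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def silence_gaps(events, max_gap_s=300):
    """Per device, report holes longer than max_gap_s in the feed. A hole is a
    lead, not proof: an outage or dropped UDP path looks the same, so correlate
    with device uptime and collector health before escalating."""
    gaps, last = [], {}
    for e in events:
        prev = last.get(e["host"])
        if prev is not None and e["ts"] - prev > timedelta(seconds=max_gap_s):
            gaps.append((e["host"], prev, e["ts"]))
        last[e["host"]] = e["ts"]
    return gaps

def risky_admin_logins(events, mgmt_nets=("10.0.0.0/24",), mgmt_ifaces=("inside", "management")):
    """Flag admin logins whose source or interface is outside the management plane."""
    nets = [ip_network(n) for n in mgmt_nets]
    hits = []
    for e in events:
        m = LOGIN_RE.search(e["msg"])
        if m and (m["iface"] not in mgmt_ifaces
                  or not any(ip_address(m["src"]) in n for n in nets)):
            hits.append((e["host"], m["src"], m["iface"]))
    return hits
```

The management networks and interface names are assumptions to adjust per environment; a login from a permitted address on the outside interface is still flagged, because that interface should never carry administration at all.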
The issue goes beyond vulnerabilities
Firestarter highlights an important shift in the threat landscape.
Advanced actors are no longer focused only on initial exploitation. They are focused on silent operational persistence inside enterprise infrastructure.
When the target becomes the corporate firewall itself, the operational impact increases significantly.
This type of threat requires real defensive maturity, continuous monitoring and ongoing technical validation of exposed infrastructure.
Many organizations discover too late that the perimeter can no longer be fully trusted.
How Antisec helps organizations
Antisec performs offensive assessments and technical validation focused on exactly this type of critical exposure.
Our Red Team, Pentest, Blue Team, DevSecOps and vCISO services help organizations identify exploitable weaknesses before real-world threat actors do.
In environments with critical exposed appliances, continuous validation is no longer optional. It is an operational requirement.