
Deep Dive into FIRESTARTER: Persistent Backdoor on Cisco ASA & Firepower Devices


Modern cyber-espionage campaigns are increasingly shifting away from loud exploitation techniques and toward stealth-focused, persistence-driven operations that abuse trusted infrastructure. Rather than relying on chains of zero-day vulnerabilities or commodity malware, advanced threat actors are now embedding themselves deep within network perimeter devices—firewalls, VPN gateways, and secure access platforms that organizations implicitly trust.

A recent investigation by security researchers sheds light on one such operation: a highly targeted campaign conducted by the threat actor UAT-4356, which deployed a custom backdoor named FIRESTARTER on Cisco ASA, Firepower, and Secure Firewall devices running FXOS. This activity highlights a broader trend where network security appliances themselves have become prime targets for long-term espionage and covert access.

Background on UAT-4356

UAT-4356 is a threat actor tracked by Cisco Talos and linked to the ArcaneDoor campaign, a state-sponsored espionage operation focused on compromising network edge devices. Unlike traditional endpoint-centered attacks, this actor demonstrates a deep understanding of firewall internals, memory-resident implants, and trusted authentication pathways [1].

Key characteristics of UAT-4356 operations include:

  • Targeting network perimeter and security appliances
  • Deploying minimal on-disk artifacts
  • Leveraging legitimate services and processes for execution

This approach allows the actor to remain undetected for extended periods while maintaining privileged access inside critical environments.

Campaign Overview

The FIRESTARTER campaign represents a focused effort to compromise Cisco firewall infrastructure widely deployed in enterprise and government networks.

Primary Targets

  • Cisco ASA
  • Cisco Firepower
  • Cisco Secure Firewall appliances running FXOS

These devices often sit at the intersection of VPN, authentication, and internal traffic routing, making them ideal platforms for surveillance and lateral movement.

Vulnerability Details

UAT-4356 gained initial access by exploiting known vulnerabilities in exposed Cisco firewall devices.

CVE ID            Affected product                            CVSS score   EPSS score (at time of writing)
CVE-2025-20333    Cisco ASA / Firewall Threat Defense (FTD)    9.9          24.78%
CVE-2025-20362    Cisco ASA / Firewall Threat Defense (FTD)    6.5          43.64%

Both vulnerabilities sit in the VPN web server of ASA and FTD software and were actively exploited in the wild. CVE-2025-20362 is a missing-authorization flaw that lets an unauthenticated remote attacker reach URL endpoints that should require authentication; CVE-2025-20333 is an input-validation flaw in HTTP(S) request handling that lets an attacker with valid VPN credentials execute arbitrary code as root. Chained, the two give an unauthenticated attacker root-level access to the appliance, which is the privileged foothold the rest of the campaign builds on.

FIRESTARTER Backdoor Overview

Once access was achieved, the attackers deployed FIRESTARTER, a custom-built backdoor specifically engineered for Cisco firewall environments.

Key Characteristics

  • Runs inside LINA, the process that implements the ASA firewall, VPN and packet-inspection functions
  • Executes attacker-supplied shellcode directly in memory
  • Avoids traditional malware deployment models
  • Provides powerful remote code execution capabilities without persistent files on disk

Tactics and Techniques

  • TA0001 – Initial Access: exploiting the VPN web server and management services exposed on internet-facing network edge devices.
  • TA0002 – Execution: injecting attacker-controlled shellcode into the trusted LINA process and executing it in memory.
  • TA0003 – Persistence: achieving transient persistence by modifying the Cisco Service Platform (CSP) mount list so that the implant is re-established during graceful (soft) reboots.
  • TA0005 – Defense Evasion: operating filelessly, restoring modified configurations after execution, and hiding command traffic inside legitimate firewall and VPN request handling.

Indicators of Compromise (IOCs)

Cisco Talos identified the following artifacts that may indicate compromise:

Suspicious Files

  • /usr/bin/lina_cs
  • /opt/cisco/platform/logs/var/log/svc_samcore.log

Infection Method

Initial Access

Attackers associated with UAT-4356 scanned for publicly exposed Cisco ASA, Firepower, and Secure Firewall devices, particularly those running vulnerable software with internet-accessible WebVPN (SSL VPN) or management interfaces. Entry did not require novel tradecraft: the actor abused unpatched or weakly protected firewall and VPN services, reflecting a broader pattern of compromising perimeter appliances through the services they expose by design.

In the earlier stages of the campaign, the vulnerabilities listed above were exploited to gain an initial foothold, giving unauthorized access to the appliance without deploying any traditional endpoint malware.

Exploitation

Following initial access, the attackers exploited weaknesses in the firewall software stack to deepen control over compromised devices, enabling:

  • Unauthorized access to firewall management and VPN components
  • Privileged interaction with core traffic-processing services
  • Direct access to the LINA process, responsible for packet inspection, VPN services, and firewall enforcement

This phase allowed attackers to manipulate trusted execution contexts, preparing the environment for backdoor deployment without introducing obvious malicious binaries.

Payload Delivery

Rather than deploying large custom payloads, the attackers leveraged native, trusted firewall functionality, minimizing forensic artifacts and reducing detection risk.

Key behaviors included:

  • Scanning LINA process memory for injection points
  • Loading stage-two shellcode into executable memory regions
  • Replacing legitimate WebVPN XML request handlers with malicious handlers
  • Executing attacker payloads embedded in crafted WebVPN XML requests

If the expected magic-byte marker was absent, the request was handed to the original handler and processed normally, so legitimate VPN traffic was unaffected and the malicious handler was invisible to ordinary users.

Execution & Persistence

Execution was performed entirely in memory, avoiding persistent malware installation on disk.

Persistence mechanisms included:

  • Modification of the Cisco Service Platform (CSP) mount list
  • Execution triggered during graceful reboot events
  • Restoration of original configurations to remove forensic traces

This transient model allowed the backdoor to survive soft reboots while avoiding long-term persistence artifacts. A full power-off reboot removed the implant, further reducing detection likelihood.

Command-and-Control (C2)

Instead of traditional beaconing, command-and-control was achieved through trusted device workflows, including:

  • Legitimate WebVPN request flows
  • Authenticated firewall management interfaces
  • In-memory payload execution via crafted requests

By abusing communication paths the device already accepts, FIRESTARTER generated no anomalous outbound beacons, which defeats detection approaches built around egress monitoring and forces defenders to inspect inbound VPN traffic and the device itself.
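To make the handler-replacement and magic-byte behaviour described in the Payload Delivery and Command-and-Control sections concrete, the following C program is an added illustration written for this page; it is not Cisco code and not FIRESTARTER's implementation. The marker value `MAGIC`, the placement of the marker at the start of the request body, the handler names, the 200/400 return codes and the sample bodies are all assumptions constructed for the demo. It models a hook that keeps the original handler's function pointer, dispatches only when the marker is present, and otherwise passes the request through untouched, next to a simple defender-side heuristic that flags bodies reaching an XML endpoint that do not begin with `<`.

```c
/*
 * Added illustration (not Cisco code, not FIRESTARTER's real bytes): a request
 * handler hook that dispatches on a marker and otherwise forwards unchanged.
 * ASSUMPTIONS: the 4-byte MAGIC value, the "marker at start of body" layout,
 * the handler names and the 200/400 status codes are invented for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*req_handler_t)(const uint8_t *body, size_t len);

/* Hypothetical marker the hook looks for; no real XML body starts with these bytes. */
static const uint8_t MAGIC[4] = { 0xF1, 0x2E, 0x57, 0xA2 };

static size_t skip_ws(const uint8_t *b, size_t len) {
    size_t i = 0;
    while (i < len && (b[i] == ' ' || b[i] == '\t' || b[i] == '\r' || b[i] == '\n'))
        i++;
    return i;
}

/* Stand-in for the device's legitimate XML handler: 200 if the body looks like XML, else 400. */
static int original_xml_handler(const uint8_t *body, size_t len) {
    size_t i = skip_ws(body, len);
    return (i < len && body[i] == '<') ? 200 : 400;
}

/* The implant keeps the original pointer so unmarked traffic is answered exactly as before. */
static req_handler_t saved_handler = original_xml_handler;
static int dispatched = 0;

/* Stand-in for stage-two execution. A real implant would transfer control into the
 * bytes after the marker; here we only count the event and answer with a normal
 * looking status so nothing unusual appears to the client or in request logs. */
static int run_payload(const uint8_t *payload, size_t len) {
    (void)payload; (void)len;
    dispatched++;
    return 200;
}

/* The replacement handler: marker present -> payload path; otherwise pass through. */
static int hooked_xml_handler(const uint8_t *body, size_t len) {
    if (len >= sizeof MAGIC && memcmp(body, MAGIC, sizeof MAGIC) == 0)
        return run_payload(body + sizeof MAGIC, len - sizeof MAGIC);
    return saved_handler(body, len);
}

static int payloads_dispatched(void) { return dispatched; }

/* Defender-side heuristic (an assumption, not a Cisco detection): a body sent to an
 * XML endpoint whose first non-whitespace byte is not '<' deserves a look. It catches a
 * marker at the start of the body; it would miss one hidden inside well-formed XML. */
static int is_suspicious_xml_body(const uint8_t *body, size_t len) {
    size_t i = skip_ws(body, len);
    if (i == len) return 0;            /* empty body: a different problem, not this pattern */
    return body[i] != '<';
}

/* Constructed sample bodies (not captured traffic). Payload bytes are placeholders. */
static const uint8_t SAMPLE_XML[]    = "<?xml version=\"1.0\"?><request/>";
static const uint8_t SAMPLE_JUNK[]   = "not xml at all";
static const uint8_t SAMPLE_MARKED[] = { 0xF1, 0x2E, 0x57, 0xA2, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void) {
    printf("xml    -> %d\n", hooked_xml_handler(SAMPLE_XML, sizeof SAMPLE_XML - 1));   /* passed through */
    printf("junk   -> %d\n", hooked_xml_handler(SAMPLE_JUNK, sizeof SAMPLE_JUNK - 1)); /* passed through */
    printf("marked -> %d\n", hooked_xml_handler(SAMPLE_MARKED, sizeof SAMPLE_MARKED)); /* dispatched */
    printf("dispatched=%d suspicious(marked)=%d suspicious(xml)=%d\n",
           payloads_dispatched(),
           is_suspicious_xml_body(SAMPLE_MARKED, sizeof SAMPLE_MARKED),
           is_suspicious_xml_body(SAMPLE_XML, sizeof SAMPLE_XML - 1));
    return 0;
}
```

Compile with `cc -std=c11 -Wall hook_demo.c && ./a.out` (the file name is arbitrary). The point to take from the demo is the asymmetry it creates: every unmarked request, including malformed ones, gets exactly the response the original handler would have produced, so the only observable difference is in requests that carry the marker. That is why the Mitigation section below leans on inspecting the device (unexpected binaries, memory behaviour, CSP mount configuration) rather than on traffic baselines alone, and why the heuristic here is framed as a starting point rather than a signature.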

Impact

  • Network Perimeter Compromise: By targeting firewalls directly, attackers gain visibility into sensitive VPN and authentication traffic while bypassing endpoint defenses entirely.
  • Covert Remote Code Execution: Memory-resident execution inside trusted firewall processes enables attackers to run arbitrary code without triggering traditional malware detection.
  • Long-Term Espionage Capability: Stealthy persistence and minimal artifacts support prolonged intelligence collection and access to protected network segments.

Attack Flow

Initial Access -> Firewall Appliance Compromise -> FIRESTARTER Injection into LINA Process -> Memory-Resident Payload Execution -> Stealthy Persistence via CSP Mount Manipulation -> Long-Term Undetected Access

Mitigation

Organizations using Cisco ASA and Firepower devices should take immediate steps to reduce exposure:

  • Apply Cisco patches addressing CVE-2025-20333 and CVE-2025-20362; patch before any other remediation step, since a cleaned device left unpatched can be re-compromised the same way
  • Monitor firewall processes for unexpected binaries or memory behavior, including the file paths listed in the IOC section
  • Restrict management and VPN administrative access to trusted networks only
  • Audit CSP mount configurations and reboot behavior
  • Do not treat a power cycle as remediation: a full power-off clears the in-memory implant, but it also destroys the evidence and leaves the exploited vulnerabilities in place
  • Reimage devices suspected of compromise, as recommended by Cisco [1]

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.