What's Happening?
Cisco has acknowledged that the 'Firestarter' malware, deployed by the ArcaneDoor threat actor, remains active despite security patches released in September last year. The malware affects Firepower and Secure Firewall devices by embedding itself as a Linux binary in the Firepower eXtensible Operating System (FXOS). It survives device reboots by copying itself to a log directory and manipulating the storage mount list. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC) have named the malware 'Firestarter'. CISA advises organizations to perform a hard reboot by unplugging the devices to disrupt the malware's persistence routine.
Why Is It Important?
The persistence of the 'Firestarter' malware poses a significant threat to organizations relying on Cisco's firewall devices for security. The malware's ability to survive reboots and act as a backdoor with remote control capabilities could lead to unauthorized access and data breaches. This situation highlights the challenges in cybersecurity where threat actors continuously evolve their tactics to bypass security measures. Organizations using these devices must take immediate action to mitigate risks, emphasizing the need for robust cybersecurity strategies and regular updates to security protocols.
What's Next?
Organizations affected by the 'Firestarter' malware are advised to follow CISA's emergency directive, which includes collecting core dumps and performing a hard reboot of the devices. Cisco recommends reimaging and upgrading devices with fixed software releases to ensure security. The ongoing investigation by CISA aims to understand the full impact of the malware and develop further mitigation strategies. This incident may prompt a review of cybersecurity practices and collaboration between security agencies and technology providers to enhance defenses against sophisticated threats.