Unveiling UAT-4356: A deep dive into the targeting of Cisco Firepower devices

Apr 25, 2026 | Threat Intelligence Research

Targeted Exploitation of Cisco Firepower Devices by UAT-4356

Cisco Talos has reported ongoing targeting by the threat actor group UAT-4356 against Cisco Firepower devices, specifically exploiting vulnerabilities in the Firepower eXtensible Operating System (FXOS). Utilizing n-day vulnerabilities such as CVE-2025-20333 and CVE-2025-20362, UAT-4356 gains unauthorized access to these devices, deploying a custom backdoor named FIRESTARTER.

FIRESTARTER provides remote access and arbitrary code execution inside the LINA process, a critical component of Cisco’s ASA and FTD appliances. It establishes persistence by modifying the Cisco Service Platform’s mount list so that it is executed again on device reboot. After it has run, the backdoor hides its presence by restoring the mount list and deleting its own files, indicating a sophisticated level of operation within the compromised environment.

The backdoor’s operational characteristics demonstrate notable similarities to the RayInitiator malware’s behavior, specifically its ability to parse and execute shellcode from incoming WebVPN requests. FIRESTARTER identifies specific XML patterns within request data, enabling it to execute payloads injected into the device’s memory.

Defensive Context

Organizations relying on Cisco Firepower devices need to be particularly vigilant regarding the activities of UAT-4356, which primarily targets perimeter security infrastructure for potential espionage. The threat is most significant for institutions involved in sensitive communications or data transactions, since a compromised perimeter device can lead to severe operational and data security breaches. Smaller establishments with limited Cisco equipment, or those using alternate security solutions, are less likely to be affected by this active threat.

Why This Matters

The ongoing exploitation of Cisco devices via FIRESTARTER poses real-world risks, especially for sectors like government, finance, and healthcare, where network perimeter devices are critical. Entities using affected devices must be cognizant of these vulnerabilities to avert unauthorized access and potential espionage efforts.

Defender Considerations

Entities must prioritize actions specified in Cisco’s Security Advisory to mitigate this threat. The removal of the FIRESTARTER backdoor necessitates device reimaging or, in some configurations, terminating the lina_cs process and rebooting the device. It is advisable to monitor for the presence of artifacts associated with FIRESTARTER, including files located at /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, as these could suggest a compromised device.

Indicators of Compromise (IOCs)

Relevant IOCs include:

  • File paths: /usr/bin/lina_cs, /opt/cisco/platform/logs/var/log/svc_samcore.log
  • Snort rules: 65340, 46897 (related to CVE-2025-20333 and CVE-2025-20362), and rule 62949 (specific to FIRESTARTER)
  • ClamAV signature: Unix.Malware.Generic-10059965-0

Entities are encouraged to regularly review these indicators and adjust their monitoring and detection strategies accordingly.
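The indicators above are easiest to act on when they are checked mechanically against data you already collect. The following Python script is an added example (not code from Cisco Talos or Q-Feeds) that matches the IoCs listed on this page against three constructed inputs: a file listing exported from a device or support bundle, a ClamAV scan log in the default `clamscan` output format, and Snort alerts in the fast-alert format, where the rule appears as `[gid:sid:rev]`. The sample log lines, hostnames and IP addresses are constructed for illustration only.

```python
"""Match the FIRESTARTER indicators from the advisory summary against
collected evidence. Added example; the inputs below are constructed."""
import re
from dataclasses import dataclass

# Indicators as listed on the page.
IOC_FILE_PATHS = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}
IOC_SNORT_SIDS = {"65340", "46897", "62949"}
IOC_CLAMAV_SIG = "Unix.Malware.Generic-10059965-0"

# Snort fast-alert lines carry the rule reference as [gid:sid:rev].
SNORT_SID_RE = re.compile(r"\[\d+:(\d+):\d+\]")


@dataclass(frozen=True)
class Hit:
    source: str      # "filesystem", "clamav" or "snort"
    indicator: str   # which IoC matched
    evidence: str    # the raw line or path that produced the match


def match_file_listing(paths):
    """Flag any path in the listing that exactly equals a known artifact path."""
    return [Hit("filesystem", p.strip(), p.strip())
            for p in paths if p.strip() in IOC_FILE_PATHS]


def match_clamav_log(lines):
    """clamscan reports detections as '<path>: <signature> FOUND'."""
    hits = []
    for line in lines:
        line = line.strip()
        if line.endswith(" FOUND") and IOC_CLAMAV_SIG in line:
            hits.append(Hit("clamav", IOC_CLAMAV_SIG, line))
    return hits


def match_snort_alerts(lines):
    """Flag alerts whose SID is one of the rules named in the advisory."""
    hits = []
    for line in lines:
        m = SNORT_SID_RE.search(line)
        if m and m.group(1) in IOC_SNORT_SIDS:
            hits.append(Hit("snort", m.group(1), line.strip()))
    return hits


def triage(file_listing, clamav_log, snort_alerts):
    """Combine all three checks; any hit warrants the response steps above."""
    return (match_file_listing(file_listing)
            + match_clamav_log(clamav_log)
            + match_snort_alerts(snort_alerts))


# Constructed sample evidence (not real device output).
SAMPLE_FILE_LISTING = [
    "/usr/bin/lina_cs",
    "/usr/bin/ls",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/etc/hosts",
]
SAMPLE_CLAMAV_LOG = [
    "/tmp/extracted/lina_cs: Unix.Malware.Generic-10059965-0 FOUND",
    "/tmp/extracted/other.bin: OK",
]
SAMPLE_SNORT_ALERTS = [
    '04/25-10:15:02.123456  [**] [1:62949:1] "(constructed rule message)" [**] '
    "[Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:443",
    '04/25-10:15:03.000000  [**] [1:12345:2] "(unrelated rule)" [**] '
    "[Priority: 3] {TCP} 203.0.113.8:40000 -> 192.0.2.10:443",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILE_LISTING, SAMPLE_CLAMAV_LOG, SAMPLE_SNORT_ALERTS):
        print(f"{hit.source:10} {hit.indicator:45} {hit.evidence}")
```

Two caveats follow from the page itself. First, a file-path match is a strong lead but the artifacts only "could suggest" compromise, so a hit should trigger the Cisco advisory steps (reimage, or terminate `lina_cs` and reboot where applicable) rather than be treated as proof on its own. Second, because FIRESTARTER deletes its own files after running, the absence of these paths in a listing does not prove the device is clean; the Snort and ClamAV checks cover the network and on-disk evidence that survives that cleanup.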
