FIRESTARTER: The Tick That Survived The Dip (And Everything Else We Threw At It)

Oh good. A federal electric fence got a parasite that laughs at ointment. I needed something to read while I wait for my third coffee to kick in. Which it won't. Nothing works anymore. Including, apparently, Cisco ASA.

So here's the situation. Some unnamed federal agency, bless their hearts, had a Cisco Firepower appliance running Adaptive Security Appliance (ASA) software. Very official. Very enterprise. Very compromised in September 2025 by a nasty little tick called FIRESTARTER.

CISA and the UK's NCSC got together, compared notes, and confirmed what we all quietly feared: FIRESTARTER is a full backdoor designed for persistent remote access. The wolf didn't just peek through the fence. It moved in, put up curtains, and started forwarding its mail.

The part that really made me spit out my cold coffee: it survived patching.

You sheared the sheep. The tick just held on tighter and waited.

This is the part where I'd normally say "well at least they patched promptly," but apparently that didn't matter. The parasite had already nested somewhere deep enough that standard shearing couldn't reach it. That's the kind of news that makes you stare at the ceiling at 2 AM questioning your career choices. Not that I needed more reasons.

The Shepherds, predictably, have not publicly named the agency. Because transparency is for other people's budgets. CISA and NCSC are calling it a "sophisticated" intrusion, which is their polite way of saying the wolf had a very good map of the pasture.

There's no confirmed attribution yet. Could be a nation-state coyote. Could be a very motivated freelancer. Either way, someone had a backdoor into a federal network perimeter device for a while, and that should make everyone uncomfortable, including the Lambs who definitely clicked something at some point. They always do.


Remediation

Look, I'm tired, but here's what you actually need to do:

  • Check your Cisco ASA/Firepower devices right now. Don't stop at the version string: verify the running image's hash against the value Cisco publishes, list disk0: for files you didn't put there, and review the boot settings. FIRESTARTER persists at a level that survives standard patching, so you need to go deeper than a routine dip.
  • Review CISA's advisory. It includes indicators of compromise. Use them: run them against your devices and your logs, don't just download the PDF and forget it.
  • Assume compromise, verify clean. If you have internet-facing firewall appliances that haven't been forensically reviewed recently, treat them as suspects. And if one looks dirty, collect evidence before you reboot or reimage it; you can't investigate what you just wiped.
  • Segment and monitor. If something's living on your electric fence, you want to know what it's talking to, inside and out: watch the appliance's own management and outside interfaces for connections the device has no business making.
  • Integrity monitoring on network devices. Baseline the image hash, the disk0: listing and the running config from a known-clean box, then diff against that baseline on a schedule. Yes it's annoying to set up. Less annoying than a federal incident.
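
The checks above, in code, as an added example that is not part of the original post and not Cisco's or CISA's own tooling. It takes output you have already collected from three ASA commands (dir disk0:, verify /sha-512 disk0:/<image>, show running-config) and diffs it against a baseline recorded from a known-clean appliance. The baseline values, the sample command output and the file and account names are all constructed placeholders; the SHA-512 strings are not real Cisco release hashes, and nothing here is a FIRESTARTER indicator.

```python
"""Baseline integrity check for Cisco ASA appliances, run over collected CLI output.

Added example, not code from the original post, from Cisco or from the CISA
advisory. It reads already-captured output of 'dir disk0:', 'verify /sha-512'
and 'show running-config' and diffs it against a baseline taken from a
known-clean appliance. Every sample string below is constructed; the SHA-512
values and file names are placeholders, not real release hashes or indicators.
"""
import re

# ---- Assumed baseline for one appliance (placeholders) ----------------------
BASELINE_SHA512 = "ab" * 64            # stand-in for the hash on Cisco's download page
BASELINE_FILES = {"asa-image.bin", "asdm.bin", "coredumpinfo"}
BASELINE_CONFIG = """\
hostname edge-fw
boot system disk0:/asa-image.bin
username admin privilege 15
ssh 10.0.0.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 management
"""

# Config lines worth a human look when they appear or vanish in a diff: accounts,
# management access, boot path, trust anchors. A heuristic, not a malware signature.
SENSITIVE = re.compile(r"^(username |boot system |ssh |http |aaa |enable password|tunnel-group |crypto ca )")

# One 'dir disk0:' line: index, perms, size, time, month, day, year, name.
DIR_LINE = re.compile(
    r"^\s*\d+\s+[-d][rwx-]{3}\s+(\d+)\s+\d{2}:\d{2}:\d{2}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+(\S+)\s*$"
)
HEX512 = re.compile(r"\b[0-9a-fA-F]{128}\b")


def parse_dir_listing(text):
    """Return {file name: size in bytes} from 'dir disk0:' output."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def unexpected_files(listing, expected=BASELINE_FILES):
    """Names present on disk0: that the baseline does not account for."""
    return sorted(set(listing) - set(expected))


def extract_sha512(verify_output):
    """Pull the digest out of 'verify /sha-512' output without depending on the
    surrounding wording, which differs between releases."""
    m = HEX512.search(verify_output)
    return m.group(0).lower() if m else None


def image_hash_ok(verify_output, expected=BASELINE_SHA512):
    return extract_sha512(verify_output) == expected.lower()


def _config_lines(cfg):
    return {line.strip() for line in cfg.splitlines()
            if line.strip() and not line.lstrip().startswith("!")}


def config_diff(baseline, current):
    """(added, removed) lines, ignoring order, blank lines and '!' comments."""
    b, c = _config_lines(baseline), _config_lines(current)
    return sorted(c - b), sorted(b - c)


def run_checks(dir_output, verify_output, running_config):
    """Return human-readable findings; an empty list means 'matches baseline',
    which is not the same thing as 'clean'."""
    findings = []
    extra = unexpected_files(parse_dir_listing(dir_output))
    if extra:
        findings.append(f"unexpected files on disk0: {extra}")
    if not image_hash_ok(verify_output):
        findings.append("running image SHA-512 does not match baseline")
    added, removed = config_diff(BASELINE_CONFIG, running_config)
    findings += [f"config line added: {line}" for line in added if SENSITIVE.match(line)]
    findings += [f"config line removed: {line}" for line in removed if SENSITIVE.match(line)]
    return findings


# ---- Constructed sample output from a suspect appliance ---------------------
SAMPLE_DIR = """\
Directory of disk0:/

11     -rwx  104796160   09:47:12 Jan 14 2025  asa-image.bin
12     -rwx  36587204    09:48:01 Jan 14 2025  asdm.bin
13     drwx  4096        09:48:30 Jan 14 2025  coredumpinfo
14     -rwx  2048        03:12:44 Mar 02 2025  sys_update.tmp
"""
SAMPLE_VERIFY = "verify /sha-512 (disk0:/asa-image.bin) = " + "cd" * 64
SAMPLE_CONFIG = BASELINE_CONFIG + "username svc-backup privilege 15\nhttp 0.0.0.0 0.0.0.0 outside\n"

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_DIR, SAMPLE_VERIFY, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it output captured over SSH or copied out of a forensic collection, one appliance at a time, with a baseline built from a device you trust rather than from the suspect. On the constructed sample it reports an extra file on disk0:, an image hash that doesn't match, and two new lines that widen management access. Treat any finding as a reason to collect more evidence and open a case with Cisco TAC and CISA, not as a cue to reimage. And read an empty result for what it is: the device matches its baseline. A parasite that survives patching may also be able to lie to the CLI, so corroborate with data the appliance doesn't control, such as flow records from its management interface, and follow Cisco's own forensic collection procedure for ASA.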

Patching is necessary but not sufficient. The wolf knows that now. You should too.

Still waiting for that coffee to work, send help.


Original Report: https://thehackernews.com/2026/04/firestarter-backdoor-hit-federal-cisco.html