Tag

Line Viper

All articles tagged with #line viper

Firestarter Backdoor Survives Cisco Patch Cycles on Firepower Gear
security2 months ago

Firestarter Backdoor Survives Cisco Patch Cycles on Firepower Gear

U.S. CISA and U.K. NCSC warn that Firestarter malware persists on Cisco Firepower/ASA/FTD devices after patches, maintaining persistence by hooking into the LINA process and re‑launching after reboots or firmware updates; attackers used Line Viper to gain initial access before deploying Firestarter. Cisco provides mitigations and recommends reimaging, with cold restart as a last resort (risking disk damage); CISA has released YARA rules to aid detection.

FIRESTARTER Backdoor Persists on Federal Cisco Devices After Patch Rollouts
technology2 months ago

FIRESTARTER Backdoor Persists on Federal Cisco Devices After Patch Rollouts

U.S. CISA/NCSC warn that a federal Cisco Firepower ASA device was compromised in Sept 2025 by FIRESTARTER, a backdoor that survives firmware updates by hooking the LINA core and is used alongside the LINE VIPER post-exploitation toolkit to sustain remote access; the intrusion leveraged patched CVE-2025-20333 (authenticated remote code execution) and CVE-2025-20362 (unauthenticated access), and can endure normal reboots, requiring a full device reimage to fully remove. Cisco also recommends a cold restart (power cycle) to clear the implant and cautions that all configuration elements should be treated as untrusted until reimaging. Attribution hints at prior ArcaneDoor activity with possible China nexus, though origins remain uncertain.