UAT-4356's Targeting of Cisco Firepower Devices

Cisco Talos Intelligence, 23/04/2026, 15:10

Summary (AI-Generated)

Key Points:

  • UAT-4356 is actively targeting Cisco Firepower devices by exploiting n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a backdoor named "FIRESTARTER."
  • The backdoor allows remote access and control over compromised devices, impacting Cisco's ASA and FTD appliances running FXOS.
  • Organizations are advised to follow Cisco's Security Advisory for mitigation steps, including reimaging affected devices and applying software upgrades.

Technical Details: FIRESTARTER manipulates the CSP_MOUNT_LIST to establish persistence and executes arbitrary shellcode via memory manipulation within the LINA process. The malware specifically targets XML-based WebVPN requests for payload execution.

MITRE ATT&CK Techniques:

  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1055.001 - Process Injection: Dynamic Link Library Injection (Execution)
  • T1543.003 - Create or Modify System Process: Windows Service (Persistence)

IOCs Mentioned:

  • CVE-2025-20333
  • CVE-2025-20362
  • Filenames: /usr/bin/lina_cs, /opt/cisco/platform/logs/var/log/svc_samcore.log
