A US federal agency was compromised by backdoor malware known as "Firestarter," linked to a China-backed espionage campaign targeting Cisco firewalls. Although Cisco has released patches for the vulnerabilities exploited in this campaign, the malware can persist on patched devices, so federal agencies are required to take specific actions to verify and mitigate any infection.
For cybersecurity professionals, the key takeaway from this report is the persistent threat posed by state-sponsored actors exploiting zero-day vulnerabilities in Cisco firewalls. Because malware such as the Firestarter backdoor can survive patching, additional measures are needed: uploading device core dumps to CISA's Malware Next Gen portal to verify whether a device is compromised, and performing hard resets. This underscores that incident response must go beyond patching to include thorough post-remediation verification and system resets.