To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device using the fixed releases that are listed in the Fixed Software ["#fs"] section of this advisory. For more information, see the reimaging documentation for the specific product:
Cisco Secure Firewall ASA and Threat Defense Reimage Guide ["https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html"]
Perform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series ["https://www.cisco.com/c/en/us/support/docs/security/firepower-9300-series/220603-perform-a-complete-reimage-for-fxos-in-f.html"]
Reimage a Secure FTD for 1000, 2100, and 3100 Series ["https://www.cisco.com/c/en/us/support/docs/security/firepower-1000-series/220642-reimage-a-secure-firewall-threat-defense.html"]
Cisco recommends reimaging and upgrading to a fixed release that is listed in the Fixed Software ["#fs"] section of this advisory.
In cases of confirmed compromise on any Cisco Secure ASA or FTD platform, all configuration elements of the device should be considered untrusted. Cisco recommends that all configurations – especially local passwords, certificates, and keys – be reconfigured and that all certificates and keys be regenerated.
Alternative Mitigation (not recommended): The following action can mitigate this issue until reimaging can be performed:
A cold restart will remove the malicious persistent implant. The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant; the power cord must be unplugged from the device and plugged back in.
Important: Disconnecting device power can risk database or disk corruption, and devices might not boot or run as expected. For this reason, Cisco strongly recommends reimaging the device instead if a compromise is suspected.