Post ransomware firewall query

slevink
Level 1

I just wanted to reach out and run something past you all for some advice.

In the site we had a breach where hackers got remote access to a laptop on the internal network and attacked a few other devices powered on the network. That laptop was one I would use to use ASDM for the firewall.

In regard to the firewall, I don't believe any access was made; I could still access it using normal credentials before I then changed them all.

The advice I'm after, as I need to reinstate the network shortly, is whether there are any steps or things I should look out for with the firewall. I've checked the configuration and don't see anything suspicious, but maybe I've missed something, so it's hard to be 100% sure. I obviously want to get everything checked and secure before the network is back online. Maybe you have some experience with similar situations?

Thank you in advance.

5 Replies

@slevink I'd probably suggest wiping the ASA and restoring using an old backup configuration. You should also consider restricting which networks you can manage the firewall from (for the future): restrict it to a jump server or known trusted networks (not the entire RAVPN network). Also change your admin credentials to the firewalls and upgrade the ASA to the latest supported version.

ASA hardening guide - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

marce1000
VIP

   - Ideally the firewall rules should be saved (backup) externally away from the firewall too upon each authorized change, then if such an important security breach occurs the firewall rules should be restored from the last 'authoritative backup'.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Ruben Cocheno
Spotlight

@slevink 

Assuming you can track exactly when they were able to have access to your network, compare the latest backups you have and check if you see anything wrong there. Rebuilding all systems is also recommended unless they were not reachable due. Also start watching out for systems in the meantime that try to reach the Internet on ports/websites/locations that deviate from your baseline, assuming that you have one.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
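Both the advice to restore from the last authoritative backup and the advice to compare the latest backups come down to diffing ASA configurations. The following is an added example, not code from this thread or from Cisco: it diffs a constructed pre-incident backup against a constructed post-incident configuration, ignores the per-save metadata lines, and flags drift in the management-access, identity, ACL and logging commands that deserve a manual review before the network goes back online.

```python
import difflib

# Constructed sample (not from the thread): the authoritative backup taken
# before the incident, and the configuration pulled from the ASA afterwards.
AUTHORITATIVE_CFG = """\
: Written by admin at 09:00:00.000 UTC Mon Jan 1 2024
hostname EDGE-ASA
username admin password <hash> privilege 15
logging host inside 10.0.10.20
access-list OUTSIDE_IN extended deny ip any any
ssh 10.0.10.5 255.255.255.255 inside
http 10.0.10.5 255.255.255.255 inside
Cryptochecksum:00000000000000000000000000000000
"""
CURRENT_CFG = """\
: Written by admin at 03:12:44.000 UTC Sat Feb 3 2024
hostname EDGE-ASA
username admin password <hash> privilege 15
username support password <hash> privilege 15
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 3389
access-list OUTSIDE_IN extended deny ip any any
ssh 10.0.10.5 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
http 10.0.10.5 255.255.255.255 inside
Cryptochecksum:11111111111111111111111111111111
"""

# Top-level commands that decide who can reach or log into the box, what it
# permits, and whether it still logs; any drift here is reviewed by hand.
SENSITIVE = ("username ", "enable password", "aaa ", "ssh ", "http ", "telnet ",
             "snmp-server ", "access-list ", "access-group ", "logging ", "crypto ")

def normalize(cfg):
    """Keep configuration statements only: drop blanks, '!' separators and the
    ': Written by' / Cryptochecksum metadata that changes on every save."""
    return [l.rstrip() for l in cfg.splitlines()
            if l.strip() and not l.startswith(("!", ":", "Cryptochecksum"))]

def config_drift(baseline, current):
    """Return (added, removed, flagged): lines only in current, lines only in
    the baseline, and those of either kind that start a sensitive command."""
    base, cur = normalize(baseline), normalize(current)
    added, removed = [], []
    sm = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur[j1:j2])
    flagged = [l for l in added + removed if l.startswith(SENSITIVE)]
    return added, removed, flagged
```

On the sample above, the new local user, the inbound RDP permit, the SSH access opened on the outside interface and the removed syslog host are all flagged, while the changed timestamp and checksum lines are not.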

slevink
Level 1

Thank you all for the excellent advice.

Next question in regard to backups. In ASDM, when restoring a backup, must the backup I'm restoring match the current firmware and ASDM version installed on the ASA? The firmware version looks to be the same, but ASDM is older in the backup. I can see this by looking in the .cfg file.

Also, when restoring, do I tick all options for restore, i.e., Running configuration, Start-up configuration, All Security Images, Identity Certs, VPN Pre-shared keys?

Thank you in advance all.

@slevink I would probably use the same current firmware version initially and get it working as before first, because in newer ASA versions some crypto settings have been deprecated and removed, so that might impact you. Once the restore is complete and everything is working, then you can look to upgrade (review the release notes for deprecated/removed features).

Select everything to restore.
