Sonicwall hacking of configuration

snoopaloop
I inherited a client that had a loose security environment, and that turned into a ransomware attack. Things have been weird ever since. One of the weird situations is us finding ports 443 and 80 open and forwarded to our jump box. We deleted those ports, or so we thought, because they popped up again. We chalked it up to maybe not applying the setting, so maybe it didn't get saved. However, the client reported internet issues that felt like someone did a loopback in the network. Then I looked at the router and found these ports open again with a loopback comment. We changed the password of the router last time. We are really at a loss as to why we are being haunted by this issue. Any thoughts? Two-factor authentication does not come out for SonicWall until later in the year. We are setting up LDAP tomorrow and VLAN segmentation on the 20th for some additional protection, but we are still unclear how this individual is lurking.


Distinguished Expert 2018
Commented:
Are you allowing remote administration? That may be something worth shutting off. But also, what is worth digging into is whether any systems in the network have been compromised. Especially ones that are used by anyone in your team.

Do you have a backup from before the issues started? I would look into blowing out the Sonicwall entirely and setting it up fresh, updated firmware and all.

You could look into having notifications sent when changes are made to the firewall. At least that should let you know when things occur. This SonicWall article has information on firewall access rule log notifications, but you should be able to enable them for more than that.
You ought to be able to access the SonicWall admin UI/SSH/whatever from a single VLAN. This VLAN should be directly connected to the SonicWall, accessible from nowhere, including other parts of the LAN, and contain only machines used by admins who know how to keep them reasonably secure; they should rather not be Windows hosts and most definitely not hosts in a domain. If that seems unmanageable, boot your admin machines from live CDs. And reinstall the SonicWall anyway.

The above would be a good start. Then you'd need to clean up the network itself. There is a next to 100% chance several of the LAN hosts are compromised.
Distinguished Expert 2018
Commented:
Also think of this as a chance to do several things:
1) audit your firewall rules (you may have had some unnecessary rules to begin with that left openings)
2) audit your password policy (someone may have had a guessable password)
3) assess the effectiveness of existing tools
4) effectiveness of user training
5) audit your security program
Sudeep Sharma, Technical Designer
Commented:
Which Sonicwall Firewall or appliance are you using?
Is it running on latest firmware?
As stated above, you should hard reset your firewall and start fresh. It seems that someone has a back door onto your firewall and is creating and enabling the rules at will.

Take a backup of the configuration, but don't restore the configuration. There are some applications through which you can read the SonicWall configuration, as you would need to know what all the configurations of your firewall are.

Thanks,
Sudeep
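Tying together the earlier advice (get notified when firewall rules change, and read the exported configuration rather than restoring it), the following is an added example, not code from this thread or from SonicWall: it diffs two rule snapshots and flags any re-added inbound forward to a watched port (80/443) or to the jump box. It assumes a constructed, simplified one-rule-per-line export format; a real SonicWall export looks different and would need its own parser.

```python
import re
from collections import namedtuple

# Constructed, simplified rule-export format (assumed for this example; a real
# SonicWall export looks different):
#   <allow|deny> <from_zone> <to_zone> <tcp|udp>/<dst_port> -> <target_ip> [# comment]
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<src>\w+)\s+(?P<dst>\w+)\s+"
    r"(?P<proto>tcp|udp)/(?P<port>\d+)\s+->\s+(?P<target>[\d.]+)"
    r"(?:\s*#\s*(?P<comment>.*))?$")
Rule = namedtuple("Rule", "action src dst proto port target")

def parse_snapshot(text):
    """Map each Rule in an export to its comment; blank lines are skipped."""
    rules = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {line!r}")
        rule = Rule(m["action"], m["src"], m["dst"], m["proto"], int(m["port"]), m["target"])
        rules[rule] = (m["comment"] or "").strip()
    return rules

def diff_snapshots(baseline, current):
    """Rules only in the current export (added) and only in the baseline (removed)."""
    added = {r: c for r, c in current.items() if r not in baseline}
    removed = {r: c for r, c in baseline.items() if r not in current}
    return added, removed

def flag_inbound_forwards(added, watch_ports=(80, 443), watch_hosts=()):
    """Added WAN->LAN allow rules that expose a watched port or a watched host."""
    return sorted((r for r in added if r.action == "allow" and r.src == "WAN"
                   and (r.port in watch_ports or r.target in watch_hosts)),
                  key=lambda r: r.port)
# Constructed sample exports: BASELINE was taken right after the forwards were
# deleted; CURRENT is a later export in which they have come back.
BASELINE = """
allow WAN LAN tcp/3389 -> 192.0.2.10   # RDP to jump box, approved
deny  WAN LAN tcp/23   -> 192.0.2.10   # telnet blocked
"""
CURRENT = BASELINE + """
allow WAN LAN tcp/443 -> 192.0.2.10    # loopback
allow WAN LAN tcp/80  -> 192.0.2.10    # loopback
"""

def audit(baseline_text=BASELINE, current_text=CURRENT, jump_box="192.0.2.10"):
    """Return (suspicious added forwards, rules that silently disappeared)."""
    added, removed = diff_snapshots(parse_snapshot(baseline_text), parse_snapshot(current_text))
    return flag_inbound_forwards(added, watch_hosts=(jump_box,)), removed
```

Run `audit()` on a scheduled basis against a fresh export and a trusted baseline; the removed set matters as much as the added one, since a rule that vanishes can be an attacker clearing a block.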

Author
Commented:
We reset to factory default, set up VLANs, updated firmware, and performed LDAP authentication for each privileged IT user logging in.
