SonicWall hacking of configuration

I inherited a client that had a loose security environment and that turned into a ransomware attack. Things have been weird ever since. One of the weird situations is us finding ports 443 and 80 open and forwarded to our jump box. We deleted those ports, or so we thought, because they popped up again. We chalked it up to maybe not applying the setting, so maybe it didn't get saved. However, the client reported internet issues that felt like someone did a loopback in the network. Then I looked at the router and found these ports open again with a loopback comment. We changed the password of the router last time. We are really at a loss as to why we are being haunted by this issue. Any thoughts? Two-factor authentication does not come out for SonicWall until later in the year. We are setting up LDAP tomorrow and VLAN segmentation on the 20th for some additional protection, but we are still unclear how this individual is lurking.

snoopaloop asked:
masnrock commented:
Are you allowing remote administration? That may be something worth shutting off. But also, what is worth digging into is whether any systems in the network have been compromised. Especially ones that are used by anyone in your team.

Do you have a backup from before the issues started? I would look into blowing out the Sonicwall entirely and setting it up fresh, updated firmware and all.

You could look into having notifications sent when changes are made to the firewall. At least that should let you know when things occur. This SonicWall article has information on firewall access rule log notifications, but you should be able to enable it for more than that.
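Alongside the firewall's own change notifications, a defender can diff periodic rule exports and alert when a removed forward comes back. The following is an added example, not code from this thread or from SonicWall: the comma-separated export format and the host name JUMPBOX are constructed stand-ins for whatever your appliance actually exports.

```python
# Added example (not from the thread or SonicWall): compare two exports of a
# firewall's rule set and flag inbound forwards that came back after removal.
# The comma-separated line format and the host name JUMPBOX are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    zone_from: str   # e.g. WAN
    zone_to: str     # e.g. LAN
    dst_port: int
    target: str      # host the traffic is forwarded to
    comment: str = ""

def parse_snapshot(text: str) -> set:
    """Parse 'from,to,port,target[,comment]' lines into a set of rules."""
    rules = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        zf, zt, port, target, *rest = [x.strip() for x in line.split(",")]
        rules.add(Rule(zf, zt, int(port), target, rest[0] if rest else ""))
    return rules

def drift_alerts(baseline: str, current: str, watched_hosts: set,
                 watched_ports=(80, 443)) -> list:
    """Return one alert per rule present now but absent from the approved
    baseline; inbound WAN forwards to watched hosts are marked HIGH."""
    added = parse_snapshot(current) - parse_snapshot(baseline)
    alerts = []
    for r in sorted(added, key=lambda r: (r.dst_port, r.target)):
        sev = "HIGH" if (r.zone_from == "WAN" and r.dst_port in watched_ports
                         and r.target in watched_hosts) else "INFO"
        alerts.append(f"{sev}: new rule {r.zone_from}->{r.zone_to} "
                      f"port {r.dst_port} to {r.target} ({r.comment or 'no comment'})")
    return alerts

# Constructed snapshots: the baseline is the export taken right after the
# forwards were deleted; the later export shows them back with a new comment.
BASELINE = """# approved rule set
LAN,WAN,53,dns,outbound dns
"""
LATER = """LAN,WAN,53,dns,outbound dns
WAN,LAN,443,JUMPBOX,loopback
WAN,LAN,80,JUMPBOX,loopback
"""

if __name__ == "__main__":
    for alert in drift_alerts(BASELINE, LATER, {"JUMPBOX"}):
        print(alert)
```

Run it from a scheduled job against a freshly pulled export and the last approved one; any HIGH line is the cue to treat the firewall and the admin hosts that can reach it as compromised rather than assume an unsaved setting.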

skullnobrains commented:
You ought to be able to access the SonicWall admin UI/SSH/whatever from a single VLAN. This VLAN should be directly connected to the SonicWall, accessible from nowhere, including other parts of the LAN, and contain only machines used by admins who know how to keep them reasonably secure; they should rather not be Windows hosts and most definitely not hosts in a domain. If that seems unmanageable, boot your admin machines from live CDs. And reinstall the SonicWall anyway.

The above would be a good start. Then you'd need to clean up the network itself. There is a next to 100% chance several of the LAN hosts are compromised.
masnrock commented:
Also think of this as a chance to do several things:
1) audit your firewall rules (you may have had some unnecessary rules to begin with that left openings)
2) audit your password policy (someone may have had a guessable password)
3) assess the effectiveness of existing tools
4) effectiveness of user training
5) audit your security program
Sudeep Sharma (Technical Designer) commented:
Which SonicWall firewall or appliance are you using?
Is it running on the latest firmware?
As stated above, you should hard reset your firewall and start fresh. It seems that someone has a back door onto your firewall and is creating and enabling rules at will.

Take a backup of the configuration, but don't restore the configuration. There are some applications through which you can read the SonicWall configuration, as you would need to know what all the configurations of your firewall are.

Thanks,
Sudeep
snoopaloop (author) commented:
We reset to factory default, set up VLANs, updated firmware, and set up LDAP authentication for each privileged IT user logging in.