Current Cyber Threats

Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure

Summary:
Between February 22 and 25, 2026, GreyNoise recorded 84,142 scanning sessions targeting the SSL VPN interfaces of SonicWall SonicOS devices, originating from 4,305 unique IP addresses across 20 autonomous systems. The activity was highly structured: 92% of all sessions probed a single REST API endpoint to check whether SSL VPN was enabled, a reconnaissance step that builds a target list for later attacks. Three distinct infrastructure clusters conducted the scanning, including a commercial proxy service that contributed 32% of total traffic through 4,102 rotating exit IPs to stay under per-IP rate limits, and other actors performing continuous credential testing and broader multi-vendor VPN enumeration. CVE exploit attempts were minimal, indicating attack-surface mapping rather than active exploitation.

Scanning occurred in coordinated bursts, with evident operational scheduling and deliberately low per-IP request rates to avoid detection. Fingerprint analysis showed a consistent automated toolset, and persistent clusters tested legitimate VPN login endpoints in the background. The campaign mirrors the high-volume reconnaissance patterns seen in late 2025 and reflects a broader trend of proxy-backed scanning infrastructure used by threat actors to discover exposed VPN services at scale. The overwhelming focus on the SSL VPN status endpoint, rather than on exploits, shows that actors are building a prioritized list of devices with active remote access before attempting credential or vulnerability attacks.
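The pattern described above (many rotating source IPs, each sending only a few requests to one status endpoint) is invisible to per-IP rate limiting but obvious when you aggregate by endpoint and time window. The following is an added example, not code from GreyNoise or from the original bulletin: it runs two detections over a constructed access log, a classic per-IP threshold and a per-endpoint distinct-source count, and shows that only the second catches the proxy-backed scan. The endpoint paths, the log format (timestamp, source IP, method, path, status) and every IP address are constructed placeholders; the report does not name the endpoint it observed.

```python
"""Detect distributed low-rate probing of a single endpoint.

Added example, not from the GreyNoise report or the bulletin. Endpoint paths,
log format and sample addresses below are constructed placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint paths; the real status endpoint is not named in the bulletin.
STATUS_ENDPOINT = "/api/example/sslvpn-status"
LOGIN_ENDPOINT = "/api/example/sslvpn-login"
EPOCH = datetime(1970, 1, 1)


def build_sample_log():
    """Constructed access-log lines: 'timestamp src_ip method path status'."""
    base = datetime(2026, 2, 23, 10, 0, 0)
    lines = []
    # 40 rotating exit IPs, each sending one or two status probes within a
    # 10-minute span: low per-IP rate, high aggregate count.
    for i in range(40):
        ip = f"198.51.100.{i + 1}"
        for j in range(1 + i % 2):
            ts = base + timedelta(seconds=10 * i + 150 * j)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} GET {STATUS_ENDPOINT} 200")
    # One persistent source hammering the login endpoint (credential testing).
    for k in range(15):
        ts = base + timedelta(seconds=30 * k)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 POST {LOGIN_ENDPOINT} 401")
    # Two legitimate users logging in once each.
    for minute, ip in ((2, "192.0.2.10"), (5, "192.0.2.11")):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} POST {LOGIN_ENDPOINT} 200")
    return lines


def parse_line(line):
    ts, ip, _method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, int(status)


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def summarize(lines, window=timedelta(minutes=10)):
    """Per (path, window start): a mapping of source IP -> request count."""
    agg = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, path, _status = parse_line(line)
        agg[(path, bucket_start(ts, window))][ip] += 1
    return agg


def find_noisy_sources(agg, per_ip_limit=10):
    """Classic per-IP rate limiting: sources exceeding per_ip_limit in any window."""
    return sorted({ip for counts in agg.values()
                   for ip, n in counts.items() if n > per_ip_limit})


def find_distributed_probes(agg, min_sources=20, max_per_ip=3):
    """Flag (path, window) pairs where many distinct IPs each send only a few
    requests: the signature of proxy-backed scanning that stays under per-IP limits."""
    hits = []
    for (path, start), counts in agg.items():
        if len(counts) >= min_sources and max(counts.values()) <= max_per_ip:
            hits.append({"path": path, "window_start": start,
                         "sources": len(counts), "requests": sum(counts.values())})
    return sorted(hits, key=lambda h: (h["path"], h["window_start"]))


def dynamic_blocklist(agg, hits):
    """All sources that took part in a flagged window; feed for a short-lived blocklist."""
    ips = set()
    for h in hits:
        ips.update(agg[(h["path"], h["window_start"])])
    return sorted(ips)


def rollup_by_prefix(ips):
    """Collapse IPv4 addresses to /24 prefixes to see which cluster a burst came from."""
    return Counter(".".join(ip.split(".")[:3]) + ".0/24" for ip in ips)


if __name__ == "__main__":
    agg = summarize(build_sample_log())
    print("per-IP limit catches:", find_noisy_sources(agg))
    hits = find_distributed_probes(agg)
    for h in hits:
        print(f"distributed probe of {h['path']} at {h['window_start']:%H:%M}: "
              f"{h['sources']} sources, {h['requests']} requests")
    print("blocklist by /24:", dict(rollup_by_prefix(dynamic_blocklist(agg, hits))))
```

With the constructed data, the per-IP threshold flags only the single credential-testing source, while the distinct-source check flags the status endpoint window fed by 40 low-rate IPs. Tune `min_sources` and the window to your own baseline of legitimate traffic, and keep entries from the resulting blocklist short-lived, since proxy exit IPs rotate and are shared with benign users.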

Security Officer Comments:
SonicWall SSL VPN is a well-documented initial access vector for ransomware groups such as Akira and Fog, where compromised credentials can lead to full network encryption within hours. With hundreds of thousands of SonicWall devices exposed online and multiple critical vulnerabilities in CISA's Known Exploited Vulnerabilities catalog, enumerating the devices with active VPN services dramatically lowers attacker effort for follow-on credential stuffing or exploitation campaigns. This reconnaissance phase, now under way, typically precedes rapid exploitation, so immediate mitigations such as restricting remote access, enforcing multi-factor authentication, and patching critical flaws are essential before attackers convert the mapping into active compromise.

Suggested Corrections:
For Security Leadership:
  • Audit SonicWall management interface exposure — administrative endpoints should never be internet-accessible
  • Verify MFA is enforced on all SSL VPN users — credential stuffing relies on password-only access and is blunted by MFA
  • Evaluate dynamic blocklists to address the IP rotation that makes static lists ineffective against proxy-based campaigns
  • Treat VPN infrastructure as a priority patching tier — the reconnaissance-to-exploitation gap is narrowing
For SonicWall Administrators:
  • Patch SonicOS against CVE-2024-53704 (CVSS 9.8, CISA KEV) — SonicWall advisory SNWLID-2025-0003
  • Reset all local user account passwords, especially those carried over during Gen 6 to Gen 7 migrations
  • Decommission end-of-life SRA appliances — no patches are available for CVE-2021-20028 or CVE-2019-7481
  • Enable login attempt lockout and password complexity enforcement (SonicOS 7.3+)
  • Use the Credential Auditor feature (available on SonicOS 7.3.2 and NSM SaaS) to identify credential sprawl and reuse across the firewall environment
  • Enable Geo-IP filtering and Botnet Protection on the firewall
Link(s):
https://www.greynoise.io/blog/activ...walls-through-commercial-proxy-infrastructure