Between February 22 and February 25, 2026, threat intelligence firm GreyNoise detected a highly coordinated reconnaissance campaign targeting SonicWall SonicOS infrastructure. With over 84,000 scanning sessions originating from more than 4,300 unique IP addresses, threat actors are aggressively mapping the internet to find vulnerable gateways into corporate networks.
What makes this campaign stand out is its precision. This is not a noisy, spray-and-pray attempt to exploit a specific software bug. Instead, 92% of the observed scanning sessions were designed to do one simple thing: check a single API endpoint to see if the SonicWall SSL VPN was enabled.
The attackers used commercial proxy services to mask their origins, rotating through thousands of IP addresses in short, surgical bursts to avoid triggering automated defenses. The near-total absence of exploitation attempts during this phase confirms that this is pure attack surface mapping: the prerequisite check that precedes credential stuffing and brute-force attacks.
For organizations running SonicWall hardware, this reconnaissance should be treated as a blaring alarm. SonicWall SSL VPNs are one of the most thoroughly documented initial access vectors for modern ransomware groups.
The Akira and Fog ransomware syndicates have repeatedly demonstrated their ability to turn compromised SonicWall VPN credentials into total network encryption in under four hours. The financial toll is staggering: since March 2023, the Akira group alone has compromised at least 250 organizations, generating an estimated $244 million in illicit proceeds. Alarmingly, 75% of those SonicWall VPN intrusions were attributed directly to Akira.
The gap between the reconnaissance we are seeing today and the actual network breaches of tomorrow may be shorter than your organization’s standard patching cycle.
Security teams must act immediately to ensure they are not the next victim on the list. GreyNoise recommends a swift, five-minute diagnostic check to determine if your infrastructure has been targeted:
Step 1: Check Your Logs
Search your firewall logs for external requests made to the following paths between February 22 and 25:
- /api/sonicos/is-sslvpn-enabled (checking the VPN status)
- /sonicui/7/login/ (probing the management interface)
- /cgi-bin/userLogin (testing VPN credentials)
Step 2: Review Active VPN Sessions
For those running SonicOS 7.x, navigate to your network status page (NETWORK | SSL VPN > Status). Scrutinize the active sessions for any IP addresses that originate outside your normal user base, paying special attention to traffic coming from cloud hosting or Virtual Private Server (VPS) providers.
Step 3: Verify Firmware and Enforce MFA
Ensure your SonicOS firmware is fully patched. Specifically, versions at or below 7.1.1-7058, 7.1.2-7019, or 8.0.0-8035 are vulnerable to CVE-2024-53704. Above all else, ensure that Multi-Factor Authentication (MFA) is strictly enforced for every single SSL VPN user.
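Of the three steps, the log search in Step 1 is the one that can be scripted against an exported log. The following Python is an added example, not GreyNoise's tooling or code from this report: it flags external requests to the three listed paths inside the February 22 to 25 window, counts them per path, and singles out sources that went on to touch the credential endpoint. The log line shape and the internal address ranges are constructed assumptions; real SonicWall logs will need their own parser.

```python
import re
from collections import Counter, defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network
# The three reconnaissance paths named in the article, and the inclusive window.
RECON_PATHS = {"/api/sonicos/is-sslvpn-enabled", "/sonicui/7/login/", "/cgi-bin/userLogin"}
WINDOW = (date(2026, 2, 22), date(2026, 2, 25))
# Assumed internal ranges: requests from these are not treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed sample lines in a generic "timestamp src method path status"
# shape; this is NOT SonicWall's real log syntax, so adapt LINE_RE to yours.
SAMPLE_LOG = """\
2026-02-23T04:12:09Z 203.0.113.45 GET /api/sonicos/is-sslvpn-enabled 200
2026-02-23T04:12:10Z 198.51.100.7 GET /api/sonicos/is-sslvpn-enabled 200
2026-02-24T11:03:44Z 198.51.100.7 GET /sonicui/7/login/?lang=en 200
2026-02-24T11:05:02Z 203.0.113.45 POST /cgi-bin/userLogin 401
2026-02-26T09:00:00Z 203.0.113.99 GET /api/sonicos/is-sslvpn-enabled 200
2026-02-23T08:30:00Z 192.168.1.20 GET /sonicui/7/login/ 200
2026-02-23T08:31:00Z 203.0.113.45 GET /favicon.ico 404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (datetime, src, path-without-query) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _method, path, _status = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, path.split("?", 1)[0]

def is_external(src):
    return not any(ip_address(src) in net for net in INTERNAL_NETS)

def find_recon_hits(log_text):
    """Count external requests per recon path inside the window, and record
    which of the paths each external source touched."""
    by_path, by_src = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, src, path = rec
        if path in RECON_PATHS and is_external(src) and WINDOW[0] <= when.date() <= WINDOW[1]:
            by_path[path] += 1
            by_src[src].add(path)
    return by_path, dict(by_src)
def credential_probers(by_src):
    """Sources that went beyond the status check and touched the credential endpoint."""
    return sorted(s for s, paths in by_src.items() if "/cgi-bin/userLogin" in paths)
```

Sources returned by credential_probers are the ones to cross-check first against the active-session list in Step 2, since the article places credential testing after the status check in the attackers' sequence.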
If you discover that your organization was probed and you are still running legacy, end-of-life Secure Remote Access (SRA) appliances, you must disconnect them from the internet immediately.