TTPwire Vol. 1 · MITRE ATT&CK·Tagged


GreyNoise

Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure

2026-02-27

ATT&CK techniques detected

9 predictions
T1190 Exploit Public-Facing Application · 97%
"…3+) - SonicWall administrators running SonicOS 7.3.2 or NSM SaaS also have access to the Credential Auditor feature, which provides visibility into credential sprawl and reuse across the firewall environment - Enable Geo-IP filtering and botnet protection on the firewall…"

T1090.003 Multi-hop Proxy · 59%
"…thousands of IPs within a single scan window. The headless state of the proxy service — operating for three months without active abuse oversight after its management platform went offline — highlights a structural gap in the proxy ecosystem. When proxy providers lose the abi…"

T1190 Exploit Public-Facing Application · 56%
"The gap between the reconnaissance GreyNoise is observing and the exploitation that follows may be shorter than many organizations' patching cycles. Check if your SonicWall was targeted (5 minutes). Step 1 — Check your logs (2 minutes). Search firewall logs for external reque…"

T1090.003 Multi-hop Proxy · 51%
"…for login testing. Four infrastructure clusters. Cluster 1: Netherlands VPN hunters (28% of campaign). Six IPs within a single Ukrainian-registered autonomous system (AS211736) operating from Amsterdam-based infrastructure delivered 23,794 sessions. These IPs run dual-…"

T1190 Exploit Public-Facing Application · 48%
"Active Reconnaissance Campaign Targets SonicWall Firewalls Through Commercial Proxy Infrastructure. GreyNoise observed 84,142 scanning sessions targeting SonicWall SonicOS infrastructure between February 22 and February 25, 2026. The activity originated from 4,305 unique IP addr…"

T1588.006 Vulnerabilities · 45%
"The gap between the reconnaissance GreyNoise is observing and the exploitation that follows may be shorter than many organizations' patching cycles. Check if your SonicWall was targeted (5 minutes). Step 1 — Check your logs (2 minutes). Search firewall logs for external reque…"

T1190 Exploit Public-Facing Application · 43%
"…wall VPN enumeration and credential testing endpoints indicates systematic attack surface mapping - 92% of sessions probed a single API endpoint — the VPN status check determines which devices have SSL VPN active, creating a target list for future credential attacks - 32% of…"

T1190 Exploit Public-Facing Application · 42%
"…% of campaign) 156 IPs across four dedicated ranges maintain continuous credential testing at 54–72 sessions per hour against the NetExtender VPN login endpoint. This cluster uses a legitimate SonicWall VPN client identifier and never stops — it ran uninterrupted through the f…"

T1090.002 External Proxy · 41%
"…itself as offering 100+ million IPs across 150+ countries for web scraping and data collection. The scanning traffic originates from ByteZero's paying customers, not the proxy infrastructure itself. ByteZero is the anonymization layer enabling the activity. The proxy usage wa…"
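Triage logic for the check the GreyNoise post describes: search firewall logs for external requests to the VPN status and NetExtender login endpoints, then look for sources that only probe status (target-list building) and sources sustaining tens of login attempts per hour, including ones carrying a legitimate VPN client identifier. This is an added example, not GreyNoise's or SonicWall's code. The endpoint paths, the client identifier string, the NCSA combined log format and the 50 sessions/hour threshold (set just below the 54–72/hour the post reports for the credential-testing cluster) are assumptions, and every log line is constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical endpoint paths and client identifier. The post refers to a VPN status
# check API endpoint and the NetExtender login endpoint, but the exact paths and the
# client identifier string are not reproduced on this page.
VPN_STATUS_PATHS = frozenset({"/api/vpn/status"})
VPN_LOGIN_PATHS = frozenset({"/api/vpn/netextender/login"})
VPN_CLIENT_UA_MARKER = "NetExtender"
RATE_THRESHOLD = 50  # sessions/hour; the post reports 54-72/hour for the tester cluster

# The check is about external requests: RFC 1918 and loopback sources are skipped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed NCSA combined format: host ident user [time] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching
    return rec


def triage(lines, rate_threshold=RATE_THRESHOLD):
    """Aggregate VPN endpoint hits per external source and flag the campaign patterns."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["ip"]):
            continue
        hit_status = rec["path"] in VPN_STATUS_PATHS
        hit_login = rec["path"] in VPN_LOGIN_PATHS
        if not (hit_status or hit_login):
            continue
        e = per_ip.setdefault(rec["ip"], {"status_probes": 0, "login_attempts": 0,
                                          "per_hour": Counter(), "vpn_client_ua": False})
        e["status_probes"] += hit_status
        e["login_attempts"] += hit_login
        e["per_hour"][rec["ts"].replace(minute=0, second=0, microsecond=0)] += 1
        e["vpn_client_ua"] |= VPN_CLIENT_UA_MARKER in rec["ua"]

    report = {}
    for ip, e in per_ip.items():
        peak = max(e["per_hour"].values())
        flags = []
        if e["status_probes"] and not e["login_attempts"]:
            flags.append("surface-mapping")  # status probe only: building a target list
        if e["login_attempts"] and peak >= rate_threshold:
            flags.append("sustained-credential-testing")
            if e["vpn_client_ua"]:
                # The client identifier is not a trust signal; the rate is what gives it away.
                flags.append("legitimate-client-identifier-abused")
        report[ip] = {"status_probes": e["status_probes"], "login_attempts": e["login_attempts"],
                      "peak_per_hour": peak, "flags": flags}
    return report


def _line(ip, ts, method, path, ua, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def constructed_sample():
    """Constructed log lines (not real traffic) mirroring the behaviours in the post."""
    base = datetime(2026, 2, 24, 10, 0, tzinfo=timezone.utc)
    lines = []
    # Credential tester: 60 login attempts within one hour using a VPN client identifier.
    for i in range(60):
        lines.append(_line("203.0.113.10", base + timedelta(minutes=i), "POST",
                           "/api/vpn/netextender/login", "SonicWALL NetExtender/10.2", 401))
    # Surface mapper: status probes only, one per hour, plain scanner user agent.
    for h in range(3):
        lines.append(_line("198.51.100.7", base + timedelta(hours=h), "GET",
                           "/api/vpn/status?src=scan", "python-requests/2.31", 200))
    # Benign: a single successful login from a browser.
    lines.append(_line("192.0.2.5", base, "POST", "/api/vpn/netextender/login", "Mozilla/5.0", 200))
    # Internal source hammering the login endpoint: out of scope for the external check.
    for i in range(70):
        lines.append(_line("10.0.0.5", base + timedelta(seconds=i), "POST",
                           "/api/vpn/netextender/login", "SonicWALL NetExtender/10.2", 401))
    lines.append(_line("192.0.2.9", base, "GET", "/index.html", "Mozilla/5.0", 200))
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for ip, r in sorted(triage(constructed_sample()).items()):
        print(ip, r)
```

Run it against your own export by replacing `constructed_sample()` with the lines of the firewall's HTTP access log, after substituting the real endpoint paths and the user-agent string your NetExtender clients actually send. The threshold is deliberately per-hour rather than total, because the post's credential-testing cluster is distinguished by a steady rate over days, not by a burst.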

Summary

84,142 scanning sessions from 4,305 unique IP addresses targeting SonicWall SonicOS infrastructure between February 22 and 25, 2026. GreyNoise details a coordinated reconnaissance campaign routed through commercial rotating proxy infrastructure, concentrated on the VPN status check and NetExtender login endpoints.