Internet-wide scanning for SonicWall firewall management interfaces has increased sharply. GreyNoise, a threat intelligence company, observed a large increase in scans of SonicWall SonicOS management APIs from May 9 to May 18, 2026.
The most notable spike occurred on May 12, when approximately 597,000 sessions were recorded in a single day. This represents a roughly 46-fold increase compared to the average daily activity observed over the previous 30 days.
This is the highest single-day activity seen on the SonicWall SonicOS API Scanner tag in the last 90 days. It points to a large, planned effort to probe exposed firewall interfaces.
Hackers Scan SonicWall Firewalls
Earlier this year, GreyNoise researchers noticed a rise in activity that preceded the announcement of CVE-2026-0400, a SonicWall flaw disclosed on February 24, 2026.
The increases on January 18, January 30, and February 14 happened 37, 25, and 10 days before that disclosure, respectively.
This correlation does not prove that a new weakness exists, but it shows a pattern in which attackers start probing for problems before public announcements or attacks.
GreyNoise says the recent increase is a signal, not a guess, and that it could reflect early reconnaissance.
Analysis of the GreyNoise scanning traffic reveals consistent tooling and infrastructure:
Tooling: Nearly 99% of requests use a Chrome 119 user-agent on Linux x86_64, matching earlier campaigns where 94.5% of traffic used the same fingerprint.
Source infrastructure: Around 56% of traffic originates from networks in the Netherlands and 44% from Ukraine, accounting for over 99% of observed sessions.
ASN concentration: A single autonomous system (AS211736) contributes roughly half of the total scanning volume.
Targeted services: Ports 80 and 8080 (HTTP) are almost exclusively targeted, indicating focus on web-based management interfaces.
Classification: The majority of source IPs are categorized as suspicious by GreyNoise.
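The fingerprint above (Chrome 119 on Linux x86_64, ports 80 and 8080, management API requests) and the fold-over-baseline measure used for the May 12 spike can be checked against your own perimeter logs. The following is an added example, not GreyNoise tooling or code from the original article; the log line format, the `/api/sonicos` path prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, timedelta

API_PREFIX = "/api/sonicos"   # assumption: SonicOS management API path prefix
MGMT_PORTS = {80, 8080}       # ports the article reports as targeted
UA_FINGERPRINT = re.compile(r"\(X11; Linux x86_64\).*Chrome/119\.")
LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\S+) (\d+) "\S+ (\S+)" "([^"]*)"$')

UA_119 = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
UA_OTHER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0"

def _line(day, ip, port, path, ua):
    return f'{day} {ip} {port} "GET {path}" "{ua}"\n'

# Constructed sample log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = (
    "".join(_line(d, "198.51.100.7", 80, "/api/sonicos/x", UA_119)
            for d in ("2026-05-09", "2026-05-10", "2026-05-11"))
    + _line("2026-05-12", "203.0.113.5", 8080, "/api/sonicos/x", UA_119) * 6
    + _line("2026-05-12", "203.0.113.9", 443, "/index.html", UA_OTHER)
    + _line("2026-05-12", "203.0.113.5", 8080, "/", UA_119)
    + "garbage line\n")

def parse(line):
    """Return (day, port, path, ua) or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return date.fromisoformat(m[1]), int(m[3]), m[4], m[5]
    except ValueError:
        return None

def daily_counts(log_text):
    """Count requests per day that match port, path and UA together."""
    counts = Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        day, port, path, ua = rec
        if port in MGMT_PORTS and path.startswith(API_PREFIX) and UA_FINGERPRINT.search(ua):
            counts[day] += 1
    return counts

def fold_increase(counts, day, window=30):
    """Ratio of one day's count to the mean of the preceding `window` days."""
    baseline = sum(counts[day - timedelta(days=i)] for i in range(1, window + 1)) / window
    if baseline == 0:
        return float("inf") if counts[day] else 0.0
    return counts[day] / baseline
```

A user-agent string is trivially changed by the sender, so treat a match as a triage signal to correlate with source network and request volume rather than as proof of attribution.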
Security teams that use SonicWall devices should act quickly to reduce their exposure and prepare for possible intrusion attempts:
Immediate actions:
Limit SonicOS management API and SSL VPN access to trusted IPs only.
Remove public access to firewall management interfaces.
Enforce MFA for all SSL VPN users.
Audit systems for unauthorized admin accounts created after May 1, 2026.
Deploy dynamic IP blocklists to filter suspicious sources.
Although no new flaw has been confirmed, the volume and nature of this activity mean defenders should treat the increase as a warning sign.
