SonicWall Cloud Breach Enables Ransomware Attack on 74 US Banks and Credit Unions

Source: BleepingComputer

A devastating supply chain attack has exposed the interconnected vulnerabilities in enterprise security infrastructure. Marquis Software Solutions, a Texas-based financial services provider serving over 700 banks, credit unions, and mortgage lenders, has revealed that an August 2025 ransomware attack affecting 74+ U.S. financial institutions was made possible by exploiting stolen configuration data from SonicWall’s cloud backup service breach.

Key Findings

  • Over 400,000 individuals had sensitive personal information compromised, including Social Security numbers, financial account details, and personal identifiers
  • State-sponsored hackers breached SonicWall’s MySonicWall cloud service in September 2025, initially reported as affecting 5% of customers but later confirmed to impact all cloud backup users
  • Attackers accessed firewall configuration backup files via API calls, then used this information to circumvent Marquis’s firewall defenses
  • The attack did not exploit CVE-2024-40766, as initially suspected; instead, the stolen configuration data gave the attackers the roadmap they needed to bypass security controls

Attack Timeline

August 14, 2025: Marquis detected the ransomware attack and initiated an investigation
September 17, 2025: SonicWall disclosed MySonicWall cloud breach (claimed 5% affected)
October 9, 2025: SonicWall confirmed all cloud backup customers were impacted
November 5, 2025: Mandiant investigation attributed breach to state-sponsored hackers
January 29, 2026: Marquis publicly attributed ransomware attack to SonicWall breach

Why This Matters

This incident demonstrates the cascading impact of supply chain compromises. Organizations may maintain strong internal security postures, yet remain vulnerable when third-party service providers are breached. The stolen firewall configurations essentially provided attackers with a complete map of Marquis’s network defenses – allowing them to identify and exploit weaknesses with surgical precision.

Implications for Enterprise Security

The breach highlights several critical security considerations:

  • Cloud Service Risk: Configuration files stored in cloud backup services can become attack vectors if the provider is compromised
  • Vendor Assessment: Third-party security breaches can directly enable attacks against downstream customers
  • Defense in Depth: Single points of failure in vendor services can compromise otherwise secure configurations
  • Credential Management: SonicWall warned that extracted credentials and tokens could make it “significantly easier” to compromise customers’ firewalls

Mitigation Recommendations

Organizations should immediately:

  • Reset all credentials, API keys, and authentication tokens for network security devices
  • Conduct comprehensive firewall configuration audits against known-good baselines
  • Deploy multi-factor authentication across all administrative interfaces and VPN connections
  • Reassess network segmentation strategies to limit lateral movement potential
  • Evaluate security posture of all third-party cloud services handling configuration data
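The second recommendation, auditing firewall configurations against a known-good baseline, is the one that a stolen configuration backup makes urgent: once an attacker holds a copy of the policy, the changes they make to it are what a defender can still catch. The following script is an added example and is not code from the article, from Marquis or from SonicWall. It assumes a simplified JSON export format (constructed here; no vendor's real export format is modelled) with three sections: administrative accounts, management-plane exposure, and policy rules. It diffs a current export against the last reviewed baseline and reports new or altered administrators, MFA being switched off, management interfaces newly reachable from the WAN, and rules added, removed or loosened.

```python
"""Audit a firewall configuration export against a known-good baseline.

Added example. The JSON layout below is a constructed, simplified model of a
firewall export, not any vendor's actual backup format. The baseline is the
last configuration that was reviewed and approved; the current export is what
the device reports today.
"""
import json
from typing import Any

# Constructed sample: the last reviewed ("known-good") configuration.
BASELINE_JSON = """
{
  "admins": [
    {"name": "admin", "mfa": true, "role": "full"}
  ],
  "management": {"wan_https": false, "wan_ssh": false},
  "rules": [
    {"name": "allow-lan-out", "src": "LAN", "dst": "WAN", "port": "any", "action": "allow"},
    {"name": "allow-vpn-to-app", "src": "VPN", "dst": "10.0.20.0/24", "port": "443", "action": "allow"},
    {"name": "deny-inbound", "src": "WAN", "dst": "LAN", "port": "any", "action": "deny"}
  ]
}
"""

# Constructed sample: today's export, containing the kinds of drift an audit
# should surface (new admin, MFA off, WAN management on, new and widened rules).
CURRENT_JSON = """
{
  "admins": [
    {"name": "admin", "mfa": false, "role": "full"},
    {"name": "svc-backup", "mfa": false, "role": "full"}
  ],
  "management": {"wan_https": true, "wan_ssh": false},
  "rules": [
    {"name": "allow-lan-out", "src": "LAN", "dst": "WAN", "port": "any", "action": "allow"},
    {"name": "allow-vpn-to-app", "src": "VPN", "dst": "10.0.20.0/24", "port": "any", "action": "allow"},
    {"name": "temp-rdp", "src": "WAN", "dst": "10.0.20.5", "port": "3389", "action": "allow"},
    {"name": "deny-inbound", "src": "WAN", "dst": "LAN", "port": "any", "action": "deny"}
  ]
}
"""

# Rule attributes whose change is treated as a policy modification.
RULE_FIELDS = ("src", "dst", "port", "action")


def audit_config(baseline: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings describing drift from the baseline."""
    findings: list[str] = []

    # 1. Administrative accounts: additions, removals, and MFA being turned off.
    base_admins = {a["name"]: a for a in baseline["admins"]}
    cur_admins = {a["name"]: a for a in current["admins"]}
    for name in sorted(set(cur_admins) - set(base_admins)):
        findings.append(f"admin added: {name} (role={cur_admins[name]['role']})")
    for name in sorted(set(base_admins) - set(cur_admins)):
        findings.append(f"admin removed: {name}")
    for name in sorted(set(base_admins) & set(cur_admins)):
        if base_admins[name]["mfa"] and not cur_admins[name]["mfa"]:
            findings.append(f"mfa disabled: {name}")

    # 2. Management plane: any interface enabled now that was off in the baseline.
    for iface, enabled in current["management"].items():
        if enabled and not baseline["management"].get(iface, False):
            findings.append(f"management exposed: {iface}")

    # 3. Policy rules: added, removed, or changed in any tracked field.
    base_rules = {r["name"]: r for r in baseline["rules"]}
    cur_rules = {r["name"]: r for r in current["rules"]}
    for name in sorted(set(cur_rules) - set(base_rules)):
        r = cur_rules[name]
        findings.append(f"rule added: {name} ({r['src']}->{r['dst']}:{r['port']} {r['action']})")
    for name in sorted(set(base_rules) - set(cur_rules)):
        findings.append(f"rule removed: {name}")
    for name in sorted(set(base_rules) & set(cur_rules)):
        for field in RULE_FIELDS:
            old, new = base_rules[name][field], cur_rules[name][field]
            if old != new:
                findings.append(f"rule changed: {name}.{field} {old} -> {new}")

    return findings


def run_audit() -> list[str]:
    """Audit the constructed current export against the constructed baseline."""
    return audit_config(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run stand-alone, the script prints five findings for the constructed export: a new full-privilege admin, MFA disabled on the existing admin, HTTPS management newly reachable from the WAN, a new WAN-to-host RDP allow rule, and an existing VPN rule widened from port 443 to any. The baseline itself should be kept outside the device's own cloud backup path, since a baseline stored alongside the backups is lost to the same provider compromise the article describes.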

Marquis is evaluating legal options against SonicWall, including seeking recoupment of incident response expenses. The specific ransomware family used in the attack has not been publicly disclosed.
