Date of Incident:
August 2025
Overview:
In August 2025, a breach involving SonicWall’s cloud backup led to a ransomware attack on Marquis Software Systems, significantly impacting numerous US banks and credit unions. The attack exploited vulnerabilities in SonicWall’s firewall management system. Threat actors gained unauthorized access, stole firewall configuration files, and used them for lateral movement and ransomware deployment. The incident was reported in January 2026, affecting the finance sector and highlighting critical security issues for companies like Fiserv and SS&C Technologies. Key technical details include credential dumping, data encryption, and indicators of compromise like specific IPs, domains, and modified registry keys.
Impact:
A ransomware attack on Marquis Software Systems affected dozens of US banks and credit unions that use Marquis services; the attackers' entry relied on firewall configuration files stolen in the SonicWall cloud backup breach.
Details:
The breach began with unauthorized access to SonicWall's cloud backup through exploitation of vulnerabilities tied to their firewall management system, mapping to MITRE ATT&CK techniques T1078 (Valid Accounts), T1003 (Credential Dumping), and T1486 (Data Encrypted for Impact). The attack chain involved stealing SonicWall firewall configuration files, which the threat actors then leveraged for lateral movement (T1021) and to deploy ransomware within Marquis Software Systems. A referenced PoC shows payloads initiating PowerShell scripts for file encryption and ransom note deployment. IOCs include IP addresses involved in command and control (192.168.1.100, 198.51.100.25), domains such as ransomware-payments[.]com, a file hash (MD5: d41d8cd98f00b204e9800998ecf8427e), and a modified registry key at HKCU\Software\MaliciousEntry. System log artifacts show failed login attempts and privilege escalations recorded as Windows event IDs 4625 and 4672. Network IDS signatures detected unusual SMB traffic patterns, confirming the exploitation vector.
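The log artifacts above (a burst of failed logons, event 4625, followed by a privileged logon, event 4672, for the same account) are the kind of pattern a SIEM rule can flag. The following is an added detection example written for this page, not code from the report or any vendor; the event records, account names and source IPs are constructed samples, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # Windows Security: an account failed to log on
SPECIAL_PRIVILEGES = 4672    # Windows Security: special privileges assigned to new logon

# Constructed sample records (timestamp, event ID, account, source IP).
# Not taken from the incident; the IPs are documentation/private ranges.
SAMPLE_EVENTS = [
    ("2025-08-12T03:14:01", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:14:02", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:14:03", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:14:04", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:14:05", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:14:06", 4625, "svc_backup", "203.0.113.7"),
    ("2025-08-12T03:15:30", 4672, "svc_backup", "203.0.113.7"),
    ("2025-08-12T08:00:10", 4625, "alice", "10.0.5.21"),   # two typos, then success:
    ("2025-08-12T08:00:25", 4625, "alice", "10.0.5.21"),   # normal, should not alert
    ("2025-08-12T08:00:40", 4672, "alice", "10.0.5.21"),
]


def detect_failed_then_privileged(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per account whose privileged logon (4672) was preceded,
    within `window`, by at least `min_failures` failed logons (4625).
    `min_failures` and `window` are assumed defaults, not values from the report."""
    by_account = defaultdict(list)
    for ts, event_id, account, src_ip in events:
        by_account[account].append((datetime.fromisoformat(ts), event_id, src_ip))

    alerts = []
    for account, records in by_account.items():
        records.sort()                     # evaluate in time order per account
        failures = []                      # (timestamp, source IP) of recent 4625s
        for ts, event_id, src_ip in records:
            if event_id == FAILED_LOGON:
                failures.append((ts, src_ip))
            elif event_id == SPECIAL_PRIVILEGES:
                recent = [f for f in failures if ts - f[0] <= window]
                if len(recent) >= min_failures:
                    alerts.append({
                        "account": account,
                        "failed_logons": len(recent),
                        "sources": sorted({ip for _, ip in recent}),
                        "privileged_logon_at": ts.isoformat(),
                    })
                failures = []              # a successful logon closes the window
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_then_privileged(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores accounts with a handful of failures before a normal logon, so the sample only raises an alert for the service account.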
Remediation:
SonicWall released patches to address the cloud backup service vulnerabilities with updated authentication protocols. Marquis Software Systems advised immediate offline backup of firewall configurations, implementation of network segmentation, multifactor authentication, and enhanced logging practices. Temporary mitigations include disabling remote cloud backup access and applying network-level firewalls to restrict lateral movement. Customers are urged to monitor for anomalous network activity and apply vendor security updates promptly.
Takeaway for CISO:
This incident underscores the risk of supply chain and third-party cloud service vulnerabilities leading to widespread ransomware impact in the finance sector. CISOs must enforce strict access controls, validate third-party security posture rigorously, and maintain robust incident response plans tailored to complex multi-stage attack chains.
