Marquis Blames Ransomware Attack on SonicWall Cloud Hack

Summary
– Marquis Software Solutions attributes a ransomware attack affecting U.S. banks to a prior breach of SonicWall’s customer portal, not an unpatched firewall.
– The attackers used configuration data stolen from SonicWall’s cloud backup service to circumvent Marquis’s firewall security.
– SonicWall disclosed the breach in September, initially affecting 5% of customers, but later confirmed all cloud backup users were impacted.
– An investigation linked the SonicWall breach to state-sponsored hackers, and the company stated it was unrelated to separate ransomware attacks.
– Marquis is considering legal action against SonicWall to recoup expenses from responding to the data incident.
A recent ransomware incident affecting a major financial software provider has been traced back to a previously disclosed cloud security breach at a network hardware company. Marquis Software Solutions, a Texas-based firm serving hundreds of U.S. financial institutions, now states that attackers did not exploit a vulnerability in its SonicWall firewall directly. Instead, the criminals leveraged configuration data stolen from SonicWall’s own online customer portal, meaning the firewall was bypassed using its own exported secrets rather than broken through a software flaw. That distinction matters: patching the device would not have closed the door, only rotating every credential and token held in the backed-up configuration would.
The company provides critical data analytics, compliance, and customer relationship management tools to over 700 banks, credit unions, and mortgage lenders. In communications to its clients this week, Marquis clarified that the initial assumption of an unpatched firewall flaw was incorrect. The investigation revealed the ransomware operators used information taken from firewall configuration backup files. These files were accessed after the attackers gained unauthorized entry to SonicWall’s MySonicWall cloud portal.
“Based on the ongoing third-party investigation, we have determined that the threat actor that attacked Marquis was able to circumvent our firewall by leveraging the configuration data extracted from the service provider’s cloud backup breach,” the company explained in its statement. Marquis further indicated it is now assessing its legal and financial options regarding the firewall provider, potentially seeking to recover costs incurred by both the company and its customers during the incident response.
SonicWall had initially disclosed this cloud portal breach in mid-September, advising customers to reset their account passwords. At first, the company estimated the incident impacted only about five percent of its firewall clients using the cloud backup feature. The warning included a note that threat actors could potentially extract access credentials and security tokens, making it far simpler to compromise the firewalls of affected organizations.
However, the scope of the breach widened significantly. Roughly three weeks after the initial disclosure, SonicWall issued an update confirming that every customer using its cloud backup service was affected. A subsequent update, one month later, revealed that an investigation by cybersecurity firm Mandiant found evidence linking the September intrusion to state-sponsored hacking activity.
SonicWall has been careful to distinguish this cloud backup breach from other, unrelated attacks. The company stated the MySonicWall incident was not connected to a separate campaign by the Akira ransomware gang, which in late September targeted SonicWall VPN accounts protected by multi-factor authentication. Around the same time, cybersecurity firm Huntress reported observing threat actors compromise over one hundred SonicWall SSLVPN accounts using stolen, valid credentials in a large-scale operation. Huntress found no evidence connecting those attacks to the SonicWall cloud backup hack. SonicWall has not publicly commented on the specific link to the Marquis ransomware attack.
(Source: Bleeping Computer)