
Ransomware attack on Marquis Software Solutions targeted 74 banks


In yet another third-party supply chain incident, Marquis Software Solutions reported that more than 400,000 users from 74 banking and credit union customers had data stolen in a ransomware attack on its SonicWall firewall.

In filings to U.S. Attorney General offices in Maine, Iowa, and Texas, Marquis said it first detected the attack on Aug. 14.

The company said the stolen information included names, addresses, phone numbers, Social Security numbers, taxpayer ID numbers, financial account info, and dates of birth.


Was Akira group behind ransomware attack?

Security pros pointed to recent attacks by the Akira ransomware group on SonicWall firewalls, but because SonicWall offered few specific details, researchers could only speculate which CVE was exploited or even if it was an Akira attack.

John Carberry, solution sleuth at Xcape Inc., said the Marquis case highlights that a single compromised vendor can expose data from numerous banks, even if those banks have taken the necessary security precautions.

While Marquis hasn't specified the exact CVE used, Carberry said their remediation efforts — MFA implementation, account lockouts, geo-IP filtering, and botnet IP blocking — point to a VPN account compromise rather than an internal breach.


Carberry added that the attack appears similar to the 2025 Akira campaign, which exploited SonicWall vulnerabilities. Akira has a history of using SonicWall SSL-VPN to gain access, initially through CVE-2024-40766 and later by leveraging stolen VPN credentials and OTP seeds even after patching.

“This flaw allowed attackers to bypass security measures, including MFA, and steal sensitive data like Social Security numbers and bank account details from various client banks,” said Carberry. “The incident underscores the critical need to carefully vet any vendor handling financial data. It also emphasizes that perimeter appliances represent high-value targets, and even ‘patched’ systems can be vulnerable if credentials and session secrets have already been compromised.”

Lydia Zhang, president of Ridge Security, said this recent attack was more closely related to CVE-2024-53704 than to CVE-2024-40766. Zhang said the "53704" SonicWall SSL VPN vulnerability leaks the swap cookie and session ID, which lets a remote attacker bypass authentication and take over an existing session.

“I still remember back in April when our team wrote and published the detection and validation plugins for it,” said Zhang. “Now it has triggered a major incident.”

Zhang said other banks should act quickly to test, identify, and patch their SonicWall firewalls. If a ransomware incident can't be prevented, Zhang said, security teams should at the very least ensure they do not stumble over the same issue twice or multiple times.

Piyush Pandey, chief executive officer at Pathlock, said the Marquis incident reflects the broader trend of cybercriminals exploiting third-party vulnerabilities to target major organizations, necessitating a more comprehensive and proactive approach to access controls across all levels of the supply chain.

“Given how highly regulated the financial sector is with regard to data protection and privacy, ensuring that third-party vendors comply with these standards is crucial,” said Pandey. “The financial sector should adopt stricter frameworks for vendor security and risk management. Regulators may need to step in to establish or reinforce such frameworks, especially given the risk for this incident to cascade into a series of supply-chain attacks targeting financial institutions, given their dependence on shared technology providers, many of whom lack sufficient security controls and zero-trust enforcement.”
