Unpacking the Ransomware Attack on Marquis Software Solutions
In a disturbing cyber attack, the personal and financial data of hundreds of thousands of consumers were compromised. The breach occurred at Marquis Software Solutions, a marketing and compliance vendor, which provides services to numerous community banks and credit unions. The incident has underlined the ongoing risk posed by third-party vendors and the threat of unpatched software vulnerabilities.
The Breach and Its Impact
On August 14, Marquis detected suspicious activities on its network. An investigation found that on the same day, an unauthorized third party accessed the company’s systems and may have acquired certain files. While Marquis has stated that there is no evidence of misuse or attempted misuse of personal information, one affected financial institution disclosed that the vendor had paid the attackers in response to the ransomware attack.
The incident has had a widespread impact on the financial services sector. Data breach notifications filed in Washington, Maine and Iowa list at least 70 affected financial institutions. The largest impacts were seen at Gesa Credit Union and iQ Credit Union, affecting 152,000 and 111,000 individuals respectively. In Washington state alone, 270,000 individuals were affected. The total number of affected individuals is estimated to be at least 400,000, according to threat intelligence firm, SOCRadar.
The SonicWall Vulnerability
The breach was traced back to a vulnerability in SonicWall’s software, a flaw that is being actively exploited by a ransomware group known as Akira. This weakness in SonicWall firewalls allows attackers to bypass multifactor authentication when seeking VPN access.
This aligns with a broader campaign of attacks targeting SonicWall VPN devices. Security researchers have linked these attacks to the Akira ransomware group, noting that threat actors are exploiting an improper access control vulnerability in SonicOS. This vulnerability was disclosed in August 2024, and Akira began exploiting it around 11 months later.
The Importance of Proper Patching and Password Reset
This incident serves as a stark reminder that merely applying a software patch is not enough if credentials have already been compromised. SonicWall has warned that the incidents this summer involving the vulnerability disclosed last year involved migrations from sixth-generation to seventh-generation firewalls, where local user passwords were carried over during the migrations and were not reset after.
Threat actors have been observed successfully authenticating against accounts even with one-time password multifactor authentication enabled, suggesting they are using valid, stolen credentials. Therefore, resetting passwords is crucial to ensure the security of the system.
Steps Towards Remediation and Protection
SonicWall and security researchers urge financial institutions using these devices to implement the latest security patch and update credentials. SonicWall has also launched a firewall configuration analysis tool to provide targeted guidance.
Post-incident, Marquis has implemented additional security technologies, including deploying an endpoint detection and response tool, and is rebuilding its impacted infrastructure with new operating systems.
This incident underscores the importance of regular password resets as a critical step in maintaining security, particularly when a vulnerability has been disclosed. As the Marquis incident shows, even if a security patch is applied, there is still a risk if the passwords have been compromised and not reset.
For more detailed information, you can refer to the original report here.
