Public Breach Analysis
Marquis Software Solutions, a provider of CRM and analytics for over 700 financial institutions, has confirmed a major supply chain data breach following a ransomware attack on August 14, 2025.
The Attack Chain:
- Vector: The breach originated through a SonicWall firewall, likely exploiting CVE-2024-40766 (an improper access control vulnerability). This flaw allows unauthorized access to management and SSL VPN interfaces.
- Threat Actor: The Tactics, Techniques, and Procedures (TTPs) align strongly with the Akira ransomware gang, which has aggressively targeted SonicWall VPNs throughout 2024 and 2025.
- Persistence: Reports suggest the attackers may have used stolen VPN credentials and OTP seeds, allowing them to bypass Multi-Factor Authentication (MFA) even after the initial vulnerability was patched, a signature Akira tactic.
Impact: While Marquis systems were the primary target, the “blast radius” covers 74+ banks and credit unions across the United States (including Community 1st Credit Union, Suncoast Credit Union, and TowerBank). Over 400,000 customers are confirmed affected so far, with data including:
- Social Security Numbers (SSNs)
- Financial Account Information
- Taxpayer IDs
- Full Names and Physical Addresses
Key Cybersecurity Insights
This incident highlights critical vulnerabilities in the fintech supply chain:
- The “Vendor Risk” Multiplier: A single breach at a service provider (Marquis) cascaded into a mass-compromise event for dozens of downstream financial institutions. This underscores that banks are only as secure as their least-secure vendor.
- Legacy Vulnerability Exploitation: The attack leveraged a known SonicWall vulnerability (CVE-2024-40766) from 2024. This confirms that threat actors like Akira continue to “live off” unpatched or improperly remediated edge devices long after fixes are released.
- MFA Bypass via OTP Seeds: The attackers likely exfiltrated the “seeds” used to generate OTP codes. Because a time-based OTP is computed from nothing more than the shared seed and the current time, anyone holding a copy of the seed can generate the same valid codes as the user's authenticator, which renders standard time-based MFA useless. This is a sophisticated persistence mechanism: the seed is independent of the password, so evicting the attacker requires a complete reset (re-enrollment) of all MFA tokens, not just password changes.
- Double Extortion Reality: While some filings suggest a ransom was paid to prevent data publication, the data is now compromised. Relying on criminal “honor” to delete stolen PII is a high-risk strategy that rarely guarantees safety.
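To make the OTP-seed point concrete, here is an added example (not code from the original post, Marquis, or SonicWall) that implements RFC 6238 TOTP in Python and walks through a constructed scenario: a copied seed produces codes the server accepts until the token is re-enrolled with a fresh seed, which is the revoke/reissue step in the mitigations. The seeds and timestamp are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Added example (not from the original post): RFC 6238 TOTP as used by common
# authenticator apps. A code depends only on the shared seed and the time step,
# so a copied seed yields exactly the codes the legitimate authenticator shows.
def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at_time // step)            # 8-byte big-endian step counter
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def verify_totp(enrolled_seed: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` adjacent steps."""
    return any(
        hmac.compare_digest(totp(enrolled_seed, at_time + skew * 30), code)
        for skew in range(-window, window + 1)
    )

def seed_theft_scenario(at_time: int) -> dict:
    """Constructed scenario with hypothetical seeds (not data from the incident).

    Shows why a password change alone does not evict someone holding a copy of
    the OTP seed, and why re-enrolling the token with a fresh seed does.
    """
    enrolled_seed = b"constructed-seed-shared-by-app-and-server"  # hypothetical
    stolen_copy = bytes(enrolled_seed)                           # exfiltrated copy

    # Before reissue: the code computed from the copied seed is exactly what the
    # server expects, regardless of any password reset in the meantime.
    code_from_stolen_copy = totp(stolen_copy, at_time)
    accepted_before = verify_totp(enrolled_seed, code_from_stolen_copy, at_time)

    # Mitigation from the post: revoke and reissue the MFA token, i.e. enroll a
    # new seed. Codes derived from the old seed no longer validate.
    reissued_seed = b"constructed-fresh-seed-issued-at-re-enrollment"  # hypothetical
    accepted_after = verify_totp(reissued_seed, code_from_stolen_copy, at_time)
    legit_after = verify_totp(reissued_seed, totp(reissued_seed, at_time), at_time)

    return {
        "stolen_seed_code_accepted_before_reissue": accepted_before,
        "stolen_seed_code_accepted_after_reissue": accepted_after,
        "reissued_token_code_accepted_after_reissue": legit_after,
    }

if __name__ == "__main__":
    print(seed_theft_scenario(1_700_000_000))
```

`totp()` reproduces the RFC 6238 SHA-1 test vectors (seed `12345678901234567890`, T=59 gives 94287082, shown here as its last six digits), so it can be checked against any standard authenticator.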
Mitigation Strategies
For Financial Institutions:
- Audit SonicWall Configurations: Immediately verify that all SonicWall appliances are patched. Crucially, rotate all SSL VPN credentials and revoke/reissue all MFA tokens for remote access users. Patching alone does not evict an attacker who has already stolen credentials.
- Review Vendor Access: Conduct a review of all third-party vendors with access to customer data. Ensure they adhere to strict patch management SLA times (e.g., <48 hours for critical CVEs).
- Geo-Blocking: Implement strict Geo-IP filtering on VPN gateways to block connection attempts from high-risk regions, as Marquis has now implemented.
For Affected Customers:
- Credit Freeze: Due to the exposure of SSNs, placing a security freeze on credit reports (Equifax, Experian, TransUnion) is the single most effective defense against new account fraud.
- Account Monitoring: Monitor existing bank accounts for unauthorized transactions, as “financial account information” was exposed.