Introduction
In February 2026, Marquis Software Solutions filed a lawsuit against SonicWall, blaming the cybersecurity firm for gross negligence that resulted in a ransomware attack affecting 74 U.S. banks. This article delves into the technical aspects of the incident, providing insights for SOC analysts, pentesters, and security engineers.
What Happened
On August 14, 2025, a ransomware attack breached Marquis' network after compromising a SonicWall firewall. The attackers stole files containing personal information such as names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, and financial account information. Initially, it was believed that the attackers exploited an unpatched flaw in the firewall. However, a subsequent investigation revealed that the breach was due to a security gap in SonicWall’s MySonicWall cloud backup service introduced via an API code change in February 2025.
Technical Breakdown
The weakness, which allowed unauthorized access to firewall configuration backup files stored in SonicWall’s cloud, was not assigned a CVE identifier. The files contained AES-256 encrypted credentials, configuration data, and MFA scratch codes. The encryption only protects the credential fields: the rest of the configuration (rules, VPN settings, addresses, account names) is readable as-is and is exactly the material an attacker needs to plan access to the firewall, and the encrypted credentials are only as safe as the key protecting them. SonicWall initially estimated that the incident impacted fewer than 5% of its customers but later confirmed that all customers who had used the cloud backup feature were affected. The investigation by Mandiant pointed to state-sponsored actors behind the attack.
Detection & Hunting
To detect similar threats, analysts should hunt for the following behavioural indicators rather than waiting for atomic IOCs (no hashes or IPs were published for this incident):
- Unusual access patterns to the backup service: downloads from source addresses or accounts not used by your administrators, at unusual hours, or covering many firewalls in a short window.
- Backup downloads with no matching change ticket or administrator session on the firewall itself.
- Bursts of failed backup retrievals followed by a success from the same source, which points to guessing of credentials or device identifiers.
- On the vendor side, any API change that touches authentication or authorization of backup endpoints, since that is where this gap was introduced.
For hunting, consider the following Sigma rule as a starting point. Sigma itself cannot count events, so the rule flags backup retrievals from sources outside an approved administrator range; burst and fan-out detection has to be done in the SIEM or in a script. The field and value names are placeholders and must be mapped to the audit log schema your backup service actually emits:
title: Firewall Configuration Backup Retrieved From Unapproved Source
description: Detects retrieval of a firewall configuration backup from a cloud backup service by a source outside the approved administrator ranges. Field names are placeholders to be mapped to the ingested audit log.
status: experimental
author: <your name>
date: 2026-02-25
logsource:
  product: sonicwall
  service: mysonicwall   # placeholder: the audit feed you ingest for the backup service
detection:
  selection:
    action: 'backup_download'   # placeholder: the event that records a backup export/download
  filter_approved:
    src_ip|cidr:
      - '203.0.113.0/24'   # placeholder: your approved admin networks
  condition: selection and not filter_approved
falsepositives:
  - Administrators exporting or restoring backups from a network not yet on the approved list
level: medium
tags:
  - attack.collection
  - attack.t1530
  - attack.credential_access
  - attack.t1552
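The two indicators the Sigma rule cannot express, one source pulling backups for many firewalls in a short window and a burst of failures followed by a success, can be hunted with a short script over the backup service's audit log. The following is an added example written for this article, not code from the original post or from SonicWall. It runs over constructed sample events in a hypothetical JSON schema (fields ts, src_ip, account, device_serial, action, result); rename the fields and tune the thresholds to match your real log before using it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a hypothetical JSON schema.  The field
# names (ts, src_ip, account, device_serial, action, result) are assumptions;
# rename them to match the real backup-service audit log.
# Sources: 203.0.113.10 is a normal admin, 198.51.100.7 walks five device
# serials in a few seconds, 192.0.2.55 fails four times and then succeeds.
SAMPLE_LOG = """\
{"ts":"2025-08-14T01:00:05Z","src_ip":"203.0.113.10","account":"admin@bank.example","device_serial":"SN0001","action":"backup_download","result":"success"}
{"ts":"2025-08-14T01:03:12Z","src_ip":"203.0.113.10","account":"admin@bank.example","device_serial":"SN0001","action":"backup_download","result":"success"}
{"ts":"2025-08-14T02:10:00Z","src_ip":"198.51.100.7","account":"-","device_serial":"SN0002","action":"backup_download","result":"success"}
{"ts":"2025-08-14T02:10:01Z","src_ip":"198.51.100.7","account":"-","device_serial":"SN0003","action":"backup_download","result":"success"}
{"ts":"2025-08-14T02:10:02Z","src_ip":"198.51.100.7","account":"-","device_serial":"SN0004","action":"backup_download","result":"success"}
{"ts":"2025-08-14T02:10:03Z","src_ip":"198.51.100.7","account":"-","device_serial":"SN0005","action":"backup_download","result":"success"}
{"ts":"2025-08-14T02:10:04Z","src_ip":"198.51.100.7","account":"-","device_serial":"SN0006","action":"backup_download","result":"success"}
{"ts":"2025-08-14T03:00:00Z","src_ip":"192.0.2.55","account":"ops@bank.example","device_serial":"SN0001","action":"backup_download","result":"failure"}
{"ts":"2025-08-14T03:00:10Z","src_ip":"192.0.2.55","account":"ops@bank.example","device_serial":"SN0001","action":"backup_download","result":"failure"}
{"ts":"2025-08-14T03:00:20Z","src_ip":"192.0.2.55","account":"ops@bank.example","device_serial":"SN0001","action":"backup_download","result":"failure"}
{"ts":"2025-08-14T03:00:30Z","src_ip":"192.0.2.55","account":"ops@bank.example","device_serial":"SN0001","action":"backup_download","result":"failure"}
{"ts":"2025-08-14T03:00:40Z","src_ip":"192.0.2.55","account":"ops@bank.example","device_serial":"SN0001","action":"backup_download","result":"success"}
"""

WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 5      # distinct devices pulled by one source inside WINDOW
FAILURE_THRESHOLD = 3     # failures before a success inside WINDOW


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """One source downloading backups for many distinct devices in a short
    window: an actor enumerating backups, not an admin restoring one firewall."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "backup_download" and ev["result"] == "success":
            by_src[ev["src_ip"]].append(ev)
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):            # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            serials = {e["device_serial"] for e in evs[start:end + 1]}
            if len(serials) >= threshold:
                findings.append({"rule": "backup_fanout", "src_ip": src,
                                 "devices": len(serials)})
                break                          # one finding per source is enough for triage
    return findings


def find_failure_burst(events, window=WINDOW, threshold=FAILURE_THRESHOLD):
    """Threshold or more failed backup requests followed by a success from the
    same source inside the window: guessing of credentials or identifiers."""
    findings = []
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "backup_download":
            by_src[ev["src_ip"]].append(ev)
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "success":
                continue
            recent_failures = [e for e in evs[:i]
                               if e["result"] == "failure"
                               and ev["ts"] - e["ts"] <= window]
            if len(recent_failures) >= threshold:
                findings.append({"rule": "backup_failure_burst", "src_ip": src,
                                 "failures": len(recent_failures)})
                break
    return findings


def hunt(text):
    """Run both hunts over a newline-delimited JSON log and return the findings."""
    events = parse_events(text)
    return find_fanout(events) + find_failure_burst(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

On the sample data the script reports one fan-out finding for 198.51.100.7 (five devices) and one failure-burst finding for 192.0.2.55 (four failures before success); the normal administrator triggers nothing. Raise FANOUT_THRESHOLD for MSPs that legitimately manage many firewalls from one address, and key the fan-out on account rather than source IP if your admins work through a shared NAT.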
Mitigation Steps
To mitigate such breaches, organizations should:
- On the vendor side, treat any API change that touches authentication or authorization of backup endpoints as security-relevant: review it, test it for authorization bypass before release, and log backup access so customers can audit it.
- Treat vendor cloud backups of security devices as sensitive data: restrict who may export them, alert on downloads outside approved networks and hours, and review the audit trail regularly.
- Encrypt backup contents with strong algorithms and keep the keys under the customer's control, so that possession of the backup file alone does not yield credentials.
- Enable multi-factor authentication (MFA) on every path to the backup service, including the vendor portal and its API.
- If a backup may have been exposed, assume its contents are known: rotate every credential it held, regenerate the MFA seeds and scratch codes, and review firewall rules and VPN settings for changes.
Attacker Perspective
From a red team perspective, a firewall configuration backup is one of the most valuable artifacts an attacker can obtain. Even when the credentials inside are encrypted, the rest of the file maps the network edge: rules, VPN configuration, addresses and administrator accounts, which is enough to plan access and blend in. If the encryption key is recoverable, the credentials and MFA scratch codes fall too, and a modified backup restored to a device plants attacker-controlled rules or accounts. Penetration testers should put the cloud backup path in scope: test whether backups can be retrieved without the owning account's authorization, and whether a retrieved backup yields usable access.
Conclusion
The Marquis vs. SonicWall lawsuit highlights the critical importance of securing backup services and configurations. As organizations rely more on cloud services, the risk of such breaches increases. Implementing robust detection, mitigation, and incident response measures is essential to protect against current and emerging threats.