The Exploit: Anatomy of a Modern Cyber Heist Part 3 - The Clone Trap

Justin Kirsch | 10 min read

In August 2025, a ransomware group exploited a known SonicWall firewall vulnerability at Marquis Software Solutions — a single fintech vendor serving over 700 banks and credit unions. Within hours, the attackers had accessed data pipelines feeding 74 financial institutions. Social Security numbers, bank account details, and taxpayer identification numbers for 780,000 people were exposed. Not because those 74 institutions failed. Because one vendor's firewall wasn't patched.

This is Part 3 of a four-part series tracking the cyber kill chain that credit unions, banks, and mortgage companies face today. In Part 1: The Leak, stolen credentials built the target profile. In Part 2: The Phish, AiTM phishing bypassed MFA and compromised email accounts. Now the attack chain reaches beyond your walls — into the vendors, platforms, and service providers that touch your data every day.

Feb 2024

ConnectWise ScreenConnect — Auth Bypass (CVSS 10.0)

Critical authentication bypass vulnerability (CVE-2024-1709) exploited by Play and LockBit ransomware within 48 hours of disclosure. MSPs and their downstream financial institution clients exposed. One finance company's SAN encrypted.

May 2025

ConnectWise — Nation-State Breach

A nation-state actor compromised ConnectWise's own environment, targeting ScreenConnect customers directly. Mandiant engaged for incident response. ConnectWise disclosed that a "very small number" of customers were breached — the second compromise of the same platform in 15 months.

Aug 2025

Marquis Software Solutions — 74 Financial Institutions

Ransomware group exploited SonicWall firewall vulnerability (CVE-2024-40766) at Marquis, a fintech serving 700+ banks and credit unions. 780,000+ individuals across 74 institutions had SSNs, bank account numbers, and taxpayer IDs exposed.

Nov 2025

SitusAMC — JPMorgan Chase, Citi, Morgan Stanley

Cyberattack on mortgage services vendor SitusAMC exposed residential mortgage loan data for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of other banks. Pure data theft — no ransomware demand, no encryption. Just quiet exfiltration.

Third-party involvement figured in 30% of the breaches analyzed in Verizon's 2025 Data Breach Investigations Report (covering 2024 incidents), double the 15% of the year before. For credit unions, banks, and mortgage companies, the math is straightforward: every vendor in your technology stack is an extension of your attack surface. When your vendor gets breached, your data gets breached.

Marquis Software: One Firewall, 74 Financial Institutions

Marquis Software Solutions provides core technology services to more than 700 banks and credit unions across the United States. In August 2025, a ransomware group exploited CVE-2024-40766 — a critical vulnerability in SonicWall's SonicOS SSLVPN access control — to breach Marquis's network perimeter.

The vulnerability had been public since August 2024. SonicWall had issued patches. Marquis had not applied them.

Incident: August 2025

Marquis Software Solutions — Supply Chain Ransomware

Attackers exploited an unpatched SonicWall firewall vulnerability to access Marquis's network. From there, they moved laterally into client data pipelines. 74 financial institutions were affected. 780,000+ individuals had personal data exposed, including Social Security numbers, bank account numbers, dates of birth, and taxpayer identification numbers. The breach notification letters, filed with state attorneys general across the country, listed dozens of banks and credit unions that shared the same vendor — and the same vulnerability.

Sources: BleepingComputer, TechRadar, Infosecurity Magazine, state attorney general filings

The attack followed a pattern that security researchers call "one-to-many" compromise: breach one vendor, access dozens of institutions. Marquis's position as a shared services provider meant that the attacker didn't need to breach 74 firewalls, defeat 74 MFA implementations, or bypass 74 security operations centers. They needed to exploit one unpatched firewall at one company, and the data from 74 institutions was waiting on the other side.

[Infographic: one vendor breach at Marquis Software cascading to 74 financial institutions and 780,000 individuals]

For each of those 74 financial institutions, the breach notification process was identical to what they'd face if they had been directly attacked. State attorney general notifications. Individual letters to every affected member or customer. Credit monitoring services. Regulatory scrutiny. The difference: none of those 74 institutions could patch a firewall they didn't own. Their own perimeter controls were irrelevant; the only levers in their hands were what data they let the vendor hold and how that vendor connected to them.

How a Single Vendor Breach Cascades Across Your Supply Chain

The Marquis breach illustrates a fundamental problem with the vendor-heavy architecture that most financial institutions operate today. Every tool, platform, and service provider in your stack adds attack surface — and you don't control most of it.

Supply Chain Reality: A Mid-Size Credit Union's Vendor Exposure

Consider a 50,000-member credit union running a typical IT stack: a managed service provider (MSP) handles day-to-day IT through ConnectWise or Kaseya; a core processor manages member data and transactions; a mortgage servicing platform handles loan files; an email security vendor filters inbound threats; a backup vendor stores copies of everything. Each vendor has access to member data. Each vendor has its own security team, its own patching cadence, and its own firewall.

When any one of those vendors gets breached, the credit union's member data is exposed. The credit union's CISO can have a perfect Secure Score, phishing-resistant MFA on every account, and a 24/7 SOC — and still send breach notification letters because a vendor's SonicWall wasn't patched.

30%
of breaches analyzed for 2024 involved a third party, double the prior year's 15%, and financial services was among the most affected sectors
Source: Verizon 2025 Data Breach Investigations Report (2024 incident data)

The growth in supply chain attacks tracks directly with the growth in SaaS and managed service adoption. As credit unions, banks, and mortgage companies have moved more workloads to cloud platforms and outsourced more IT operations to MSPs, the blast radius of any single vendor breach has expanded dramatically. An MSP serving 200 financial institutions is a 200x multiplier for any attacker who can breach its platform.

How Many Vendors Touch Your Data?

Every third-party tool adds attack surface you don't control. ABT's pure Microsoft stack eliminates the MSP platform supply chain entirely.

SitusAMC: When JPMorgan's Data Sits on Someone Else's Server

In November 2025, SitusAMC — a mortgage services and technology vendor serving some of the largest banks in the United States — disclosed a cyberattack that exposed residential mortgage loan data.

The client list read like a directory of American banking: JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of smaller institutions. All of them relied on SitusAMC for mortgage-related services. All of them had borrower data sitting on SitusAMC's servers when the breach occurred.

Incident: November 2025

SitusAMC — Mortgage Vendor Breach Hits Major Banks

Cyberattack on SitusAMC exposed residential mortgage loan data for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of other financial institutions. No ransomware was deployed — the attackers performed pure data theft, exfiltrating mortgage records without encrypting systems or demanding payment. The quiet nature of the attack meant weeks of dwell time before detection.

Sources: Reuters, CSO Online, SecureWorld

The SitusAMC breach highlights a reality that most CISOs at credit unions, banks, and mortgage companies understand but can't fully solve: when you outsource a business function, you outsource its security. JPMorgan Chase has one of the most sophisticated cybersecurity operations in the world — a $15 billion annual technology budget, thousands of security professionals, and a CISO who reports directly to the CEO. None of that mattered when the breach was at their vendor.

SitusAMC's breach was notable for what it wasn't. No ransomware. No encryption. No dramatic shutdown. The attackers simply exfiltrated data — mortgage loan records, borrower information, closing documents — and left. This "smash and grab" approach is increasingly common in attacks targeting the financial services supply chain. The data itself is valuable enough to sell or leverage for future fraud. No ransom necessary.

ConnectWise: The MSP Platform That Was Breached Twice

If the Marquis and SitusAMC breaches show what happens when a vendor gets hacked, the ConnectWise story shows what happens when the platform your managed service provider relies on gets hacked — twice.

ConnectWise ScreenConnect: two compromises, fifteen months apart

Attack vector
  Breach #1 (Feb 2024): authentication bypass vulnerability CVE-2024-1709, CVSS 10.0, the maximum severity score
  Breach #2 (May 2025): nation-state actor compromised ConnectWise's own environment

Exploitation timeline
  Breach #1: exploited within 48 hours of public disclosure
  Breach #2: unknown dwell time before detection

Threat actors
  Breach #1: Play and LockBit ransomware groups
  Breach #2: nation-state actor (unnamed)

Impact
  Breach #1: MSPs and downstream clients exposed; finance company SAN encrypted by Play ransomware
  Breach #2: "very small number" of ScreenConnect customers breached directly; Mandiant engaged

ABT client exposure
  Breach #1: zero. ABT does not use ConnectWise.
  Breach #2: zero. ABT does not use ConnectWise.

In February 2024, researchers disclosed CVE-2024-1709 — an authentication bypass vulnerability in ConnectWise ScreenConnect rated at the maximum CVSS severity score of 10.0. Within 48 hours, Play and LockBit ransomware groups had weaponized the exploit and were actively targeting ScreenConnect instances across the internet. Any managed service provider using ScreenConnect was a potential entry point, and their downstream financial institution clients were the ultimate targets.

Fifteen months later, in May 2025, ConnectWise was breached again — this time by a nation-state actor who compromised ConnectWise's own infrastructure to target ScreenConnect customers directly. Mandiant was engaged for incident response. ConnectWise disclosed that a "very small number" of customers were affected, but for MSPs that had rebuilt their security posture after the February 2024 breach, the message was clear: the platform itself was the vulnerability.

ScreenConnect was hit twice in 15 months: once through customer-hosted instances exposed to a CVSS 10.0 vulnerability that ransomware groups weaponized within two days, once through ConnectWise's own environment at the hands of a nation-state actor. The platform your MSP relies on is the platform attackers target.

[Infographic: MSP platform stack risk (ConnectWise, Kaseya, SolarWinds breaches) compared with a pure Microsoft stack with no third-party platform exposure]

For credit unions, banks, and mortgage companies that use MSPs built on ConnectWise, Kaseya, or similar platforms, the math is unforgiving. Your MSP's security controls don't protect you if the MSP's platform gets breached. And when an MSP serves dozens or hundreds of financial institutions, the attacker gets economies of scale that dwarf anything they could achieve attacking institutions one at a time.

Regulatory Reality: Third-Party Risk Under the FTC Safeguards Rule

The updated FTC Safeguards Rule (16 CFR Part 314) requires covered financial institutions to oversee the security practices of their service providers. Section 314.4(f) spells it out in three parts: (f)(1) select and retain providers capable of maintaining appropriate safeguards, (f)(2) require those safeguards by contract, and (f)(3) periodically assess each provider based on the risk it presents. One scoping note: the FTC rule reaches mortgage companies and other non-bank lenders under FTC jurisdiction; banks and credit unions answer to their prudential regulators for the same third-party risk expectations. The Marquis breach, where an unpatched SonicWall firewall exposed 74 institutions, is exactly the scenario regulators had in mind. Your vendor's patching failure becomes your compliance failure if you cannot show the selection diligence, contract terms, and periodic assessment the rule asks for. Due diligence on vendor security is not optional; it's a regulatory requirement with enforcement teeth.

Breaking the Third Link: Eliminating the MSP Supply Chain

Most guidance on third-party risk management focuses on vendor assessment questionnaires, contract language, and periodic audits. Those controls are necessary. They are also insufficient. When Marquis's SonicWall was unpatched, no vendor questionnaire would have caught it before the ransomware group did.

The most effective way to reduce supply chain risk is to reduce the supply chain itself.

Pure Microsoft stack — no third-party MSP platforms. ABT delivers managed IT and security services for 750+ credit unions, banks, and mortgage companies without ConnectWise, Kaseya, SolarWinds, Nerdio, or N-able. Every management function that those platforms provide — remote monitoring, patch management, endpoint security, identity management — is handled natively through the Microsoft ecosystem: Intune, Defender, Entra ID, and Sentinel. When ConnectWise was breached in February 2024 and again in May 2025, ABT clients had zero exposure. Not reduced exposure. Zero. What that removes is the remote-management tier. Core processors and mortgage platforms like Marquis and SitusAMC are vendors you still have to carry, which is why the controls below matter even after the MSP platform is gone.

Microsoft Defender for Identity. Instruments your domain controllers (and AD FS, AD CS, and Entra Connect servers) and watches authentication traffic for the moves an attacker makes after landing a vendor account on your network: enumerating admin accounts and group membership over LDAP or SAMR, Kerberos ticket abuse such as pass-the-ticket, pass-the-hash, and lateral movement between hosts. Those detections raise high-severity alerts in Defender XDR, where they are correlated with the cloud-side signals the same account produces at the same time, such as unusual SharePoint or OneDrive downloads surfaced by Defender for Cloud Apps.

Continuous Access Evaluation. Access tokens are no longer trusted until they expire. Exchange Online, SharePoint Online, Teams, and Microsoft Graph listen for critical events from Entra ID (account disabled, password reset, refresh tokens revoked by an admin, user risk raised to high by Identity Protection, or a client IP moving outside the Conditional Access location policy) and reject the token within minutes instead of at the end of its default lifetime of roughly an hour. A session token stolen through a vendor compromise is cut off as soon as the account is disabled or its risk is raised, without waiting for expiry. The caveat: CAE only covers CAE-capable apps and clients. Tokens issued for anything else still run to their normal expiry, so token lifetime on legacy apps still matters.

Guardian Security Insights. Monitors for the telltale signs of a supply chain compromise inside your tenant — sign-in anomalies, external sharing exposure, MFA coverage gaps, and compliance drift. When a vendor's compromised account triggers an impossible travel alert or starts accessing SharePoint sites it has never touched before, Guardian surfaces it immediately. ABT's cross-client visibility across 750+ financial institutions means attack patterns detected at one institution improve detection for every institution in the network.

Network segmentation and access controls. Vendor accounts don't get blanket access. ABT configures Conditional Access policies that restrict vendor sessions to specific applications and to the vendor's named location (its published IP ranges), and grants the access itself through time-limited assignments (PIM or an access package with an end date) rather than standing group membership, so it expires when the engagement does. A vendor that needs access to your email migration doesn't get access to your SharePoint containing borrower files.
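The two controls above, a scoped policy per vendor and continuous monitoring of the vendor's accounts, can be checked against sign-in data. The following Python is an added example, not ABT's Guardian code and not a Microsoft API: it models one vendor's scope (allowed apps, published IP range, assignment end date) and runs constructed records shaped like Entra sign-in log entries through it, flagging any sign-in that steps outside that scope. The vendor, account, apps, and addresses are invented for illustration.

```python
"""Vendor-access monitoring against a scoped Conditional Access model.

Added example (not ABT's Guardian code and not a Microsoft API): the records
below are constructed to look like Microsoft Entra sign-in log entries
(userPrincipalName, appDisplayName, ipAddress, createdDateTime) so the check
runs offline. Vendor name, account, apps and IP ranges are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class VendorScope:
    """The envelope a vendor's accounts may operate in: the apps and named
    location from its Conditional Access policy plus the end date of its
    time-limited assignment (PIM or an access package)."""
    vendor: str
    accounts: frozenset        # lower-cased UPNs owned by the vendor
    allowed_apps: frozenset    # appDisplayName values the policy permits
    allowed_networks: tuple    # ipaddress networks in the vendor's named location
    access_expires: datetime   # assignment end, UTC


@dataclass(frozen=True)
class Finding:
    vendor: str
    account: str
    when: datetime
    reason: str


def _parse_entra_time(value: str) -> datetime:
    """Entra emits ISO 8601 with a trailing Z; normalise to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_vendor_violations(scopes, signins):
    """Return a Finding for every sign-in by a vendor account that steps outside
    its scope: wrong app, source outside the named location, or after expiry.
    Non-vendor accounts are skipped; one sign-in can yield several findings."""
    by_account = {acct: scope for scope in scopes for acct in scope.accounts}
    findings = []
    for rec in signins:
        upn = rec["userPrincipalName"].lower()
        scope = by_account.get(upn)
        if scope is None:
            continue
        when = _parse_entra_time(rec["createdDateTime"])
        src = ipaddress.ip_address(rec["ipAddress"])
        if rec["appDisplayName"] not in scope.allowed_apps:
            findings.append(Finding(scope.vendor, upn, when,
                            f"app outside vendor scope: {rec['appDisplayName']}"))
        if not any(src in net for net in scope.allowed_networks):
            findings.append(Finding(scope.vendor, upn, when,
                            f"source {src} outside vendor named location"))
        if when > scope.access_expires:
            findings.append(Finding(scope.vendor, upn, when,
                            "sign-in after access assignment expired "
                            f"({scope.access_expires.date().isoformat()})"))
    return findings


def count_by_account(findings):
    """Roll findings up per account for triage."""
    counts = {}
    for f in findings:
        counts[f.account] = counts.get(f.account, 0) + 1
    return counts


# Constructed scope for a hypothetical mortgage-servicing vendor doing an
# email migration: Exchange only, from its published range, until 30 Nov 2025.
VENDOR_SCOPES = [
    VendorScope(
        vendor="MortgageVendorCo",
        accounts=frozenset({"svc-mortgagevendorco@cu.example"}),
        allowed_apps=frozenset({"Office 365 Exchange Online"}),
        allowed_networks=(ipaddress.ip_network("203.0.113.0/24"),),
        access_expires=datetime(2025, 11, 30, 23, 59, 59, tzinfo=timezone.utc),
    ),
]

# Constructed sign-in records (TEST-NET addresses, invented UPNs).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-mortgagevendorco@cu.example",
     "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-11-10T14:03:22Z"},
    {"userPrincipalName": "svc-mortgagevendorco@cu.example",
     "appDisplayName": "Office 365 SharePoint Online",      # borrower files
     "ipAddress": "203.0.113.12", "createdDateTime": "2025-11-11T09:17:05Z"},
    {"userPrincipalName": "svc-mortgagevendorco@cu.example",
     "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.7", "createdDateTime": "2025-11-12T02:44:51Z"},
    {"userPrincipalName": "svc-mortgagevendorco@cu.example",
     "appDisplayName": "Office 365 Exchange Online",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-12-02T08:00:00Z"},
    {"userPrincipalName": "jdoe@cu.example",                  # staff, not vendor
     "appDisplayName": "Office 365 SharePoint Online",
     "ipAddress": "192.0.2.5", "createdDateTime": "2025-11-12T10:30:00Z"},
]

if __name__ == "__main__":
    found = find_vendor_violations(VENDOR_SCOPES, SAMPLE_SIGNINS)
    for f in found:
        print(f"{f.when:%Y-%m-%d %H:%M}Z  {f.vendor:<16} {f.account:<36} {f.reason}")
    print(count_by_account(found))
```

Run against the constructed records it reports three findings for the vendor account (a SharePoint sign-in the policy never allowed, an Exchange sign-in from outside the vendor's range, and a sign-in two days after the assignment ended) and nothing for the staff user. In production the same function would read the Graph sign-in feed or a Sentinel export, and the scope objects would be generated from the Conditional Access policies and access-package assignments rather than typed by hand.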

Kill Chain Status — Part 3 of 4

Recon > Phish [>>> BREACH >>>] Heist

The stolen credentials from Part 1 were weaponized into phishing attacks in Part 2. Now, supply chain compromises have extended the breach beyond your walls. In Part 4: The Heist, the attacker turns access into money — wire fraud, persistence, and the devastating aftermath.

Is Your Vendor Stack a Liability?

ABT's supply chain security assessment shows you exactly where your risk lives:

  • Complete inventory of vendors with access to your member/customer data
  • Risk analysis of each MSP platform in your stack (ConnectWise, Kaseya, SolarWinds exposure)
  • Gap analysis against FTC Safeguards Rule third-party risk requirements
  • Migration roadmap to pure Microsoft stack — eliminate the MSP platform supply chain

Frequently Asked Questions

What happened in the Marquis Software Solutions breach?

In August 2025, a ransomware group exploited an unpatched SonicWall firewall vulnerability (CVE-2024-40766) at Marquis Software Solutions, a fintech vendor serving over 700 banks and credit unions. The attackers accessed client data pipelines and exposed personal information — including Social Security numbers, bank account details, and taxpayer IDs — for 780,000+ individuals across 74 financial institutions. Each affected institution had to file breach notifications with state attorneys general and notify affected customers, despite having no direct security failure of their own.

Why are third-party MSP platforms a supply chain risk?

Every third-party MSP platform in your security stack — ConnectWise, Kaseya, SolarWinds, N-able — adds attack surface that you cannot directly control. When ConnectWise ScreenConnect instances were exploited through a CVSS 10.0 authentication bypass in February 2024, MSPs using the platform exposed their downstream financial institution clients to Play and LockBit ransomware. ConnectWise itself was breached in May 2025 by a nation-state actor. A pure Microsoft stack — using Intune, Defender, Entra ID, and Sentinel for all management functions — eliminates the MSP platform supply chain entirely. ABT serves 750+ financial institutions on this architecture, which resulted in zero client exposure during both ConnectWise incidents.

What does the FTC Safeguards Rule require for third-party vendor risk?

The updated FTC Safeguards Rule requires covered financial institutions to select service providers that maintain appropriate safeguards and to contractually require those providers to implement and maintain security controls. Specifically, Section 314.4(f)(1) mandates due diligence in selecting and retaining capable providers, 314.4(f)(2) requires the safeguards by contract, and 314.4(f)(3) requires periodic assessment of each provider based on the risk it presents. The rule covers mortgage companies and other non-bank lenders under FTC jurisdiction; banks and credit unions face parallel third-party risk expectations from their prudential regulators. A vendor's patching failure — like the unpatched SonicWall at Marquis Software that exposed 74 institutions — can become your compliance failure if you haven't documented adequate vendor risk management procedures.

What is an MSP platform attack and why does it matter?

MSP platforms provide centralized management for dozens or hundreds of client environments. Breaching a single MSP platform gives an attacker access to every organization that MSP manages — a one-to-many attack multiplier. ConnectWise ScreenConnect had a CVSS 10.0 authentication bypass exploited by ransomware groups in February 2024, and ConnectWise was compromised by a nation-state actor in May 2025. Kaseya VSA was exploited in a supply chain attack in July 2021 that affected over 1,500 businesses. For credit unions, banks, and mortgage companies, the risk is that their MSP's platform vulnerability becomes their data breach, regardless of their own security controls.

How can a credit union, bank, or mortgage company reduce its supply chain risk?

Start by inventorying every vendor that has access to your member, customer, or borrower data. For each vendor, document what data they access, what platforms they operate, and how their security controls are verified. Reduce the number of vendors in your stack where possible — every vendor eliminated is attack surface removed. Evaluate whether your MSP platform itself can be replaced with native Microsoft management tools. Implement Conditional Access policies that restrict vendor access to specific applications and the vendor's named IP ranges, and grant that access through time-limited assignments that expire with the engagement. Require contractual security obligations aligned with FTC Safeguards Rule Section 314.4(f). Monitor vendor access patterns continuously, not just at annual review.


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent over 25 years building secure IT environments for credit unions, banks, and mortgage companies — without the third-party MSP platforms that create supply chain risk. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he architects pure Microsoft deployments for more than 750 financial institutions, eliminating the ConnectWise/Kaseya/SolarWinds exposure that drives vendor breach cascades across the industry.