The Exploit: Anatomy of a Modern Cyber Heist Part 3 - The Clone Trap

Justin Kirsch | 13 min read

In August 2025, a ransomware group exploited a known SonicWall firewall vulnerability at Marquis Software Solutions, a single fintech vendor serving over 700 banks and credit unions. Within hours, the attackers had accessed data pipelines feeding 74 financial institutions. Social Security numbers, bank account details, and taxpayer identification numbers for 780,000 people were exposed. Not because those 74 institutions failed. Because one vendor's firewall was not patched.

This is Part 3 of a four-part series tracking the cyber kill chain that credit unions, banks, and mortgage companies face today. In Part 1: The Leak, stolen credentials built the target profile. In Part 2: The Phish, AiTM phishing bypassed MFA and compromised email accounts. Now the attack chain reaches beyond your walls, into the vendors, platforms, and service providers that touch your data every day.

Feb 2024

ConnectWise ScreenConnect Auth Bypass (CVSS 10.0)

Critical authentication bypass vulnerability (CVE-2024-1709) exploited by Play and LockBit ransomware within 48 hours of disclosure. MSPs and their downstream financial institution clients exposed. One finance company's SAN encrypted.

May 2025

ConnectWise Nation-State Breach

A nation-state actor compromised ConnectWise's own environment, targeting ScreenConnect customers directly. Mandiant engaged for incident response. ConnectWise disclosed that a "very small number" of customers were breached, the second compromise of the same platform in 15 months.

Aug 2025

Marquis Software Solutions: 74 Financial Institutions

Ransomware group exploited SonicWall firewall vulnerability (CVE-2024-40766) at Marquis, a fintech serving 700+ banks and credit unions. 780,000+ individuals across 74 institutions had SSNs, bank account numbers, and taxpayer IDs exposed.

Nov 2025

SitusAMC: JPMorgan Chase, Citi, Morgan Stanley

Cyberattack on mortgage services vendor SitusAMC exposed residential mortgage loan data for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of other banks. Pure data theft, no ransomware demand, no encryption. Just quiet exfiltration.

Third-party vendor breaches accounted for 30% of all data breaches in 2024, a 15% year-over-year increase, according to Verizon's Data Breach Investigations Report. For credit unions, banks, and mortgage companies, the math is straightforward. Every vendor in your technology stack is an extension of your attack surface. When your vendor gets breached, your data gets breached.

Marquis Software: One Firewall, 74 Financial Institutions

Marquis Software Solutions provides core technology services to more than 700 banks and credit unions across the United States. In August 2025, a ransomware group exploited CVE-2024-40766, a critical vulnerability in SonicWall's SonicOS SSLVPN access control, to breach Marquis's network perimeter.

The vulnerability had been public since August 2024. SonicWall had issued patches. Marquis had not applied them.

Incident: August 2025

Marquis Software Solutions: Supply Chain Ransomware

Attackers exploited an unpatched SonicWall firewall vulnerability to access Marquis's network. From there, they moved laterally into client data pipelines. 74 financial institutions were affected. 780,000+ individuals had personal data exposed, including Social Security numbers, bank account numbers, dates of birth, and taxpayer identification numbers. The breach notification letters, filed with state attorneys general across the country, listed dozens of banks and credit unions that shared the same vendor and the same vulnerability.

Sources: BleepingComputer, TechRadar, Infosecurity Magazine, state attorney general filings

The attack followed a pattern that security researchers call one-to-many compromise. Breach one vendor, access dozens of institutions. Marquis's position as a shared services provider meant that the attacker did not need to breach 74 firewalls, defeat 74 MFA implementations, or bypass 74 security operations centers. They needed to exploit one unpatched firewall at one company, and the data from 74 institutions was waiting on the other side.

For each of those 74 financial institutions, the breach notification process was identical to what they would face if they had been directly attacked. State attorney general notifications. Individual letters to every affected member or customer. Credit monitoring services. Regulatory scrutiny. The difference: none of those 74 institutions could have prevented it. Their security was irrelevant because the vulnerability was in their vendor's infrastructure.

How a Single Vendor Breach Cascades Across Your Supply Chain

The Marquis breach illustrates a fundamental problem with the vendor-heavy architecture that most financial institutions operate today. Every tool, platform, and service provider in your stack adds attack surface, and you do not control most of it.

Supply Chain Reality: A Mid-Size Credit Union's Vendor Exposure

Consider a 50,000-member credit union running a typical IT stack: a managed service provider (MSP) handles day-to-day IT through ConnectWise or Kaseya; a core processor manages member data and transactions; a mortgage servicing platform handles loan files; an email security vendor filters inbound threats; a backup vendor stores copies of everything. Each vendor has access to member data. Each vendor has its own security team, its own patching cadence, and its own firewall.

When any one of those vendors gets breached, the credit union's member data is exposed. The credit union's CISO can have a perfect Secure Score, phishing-resistant MFA on every account, and a 24/7 SOC, and still send breach notification letters because a vendor's SonicWall was not patched.

30%
of all data breaches in 2024 involved a third-party vendor, up 15% year-over-year, and financial services was among the most affected sectors
Source: Verizon 2024 Data Breach Investigations Report

The growth in supply chain attacks tracks directly with the growth in SaaS and managed service adoption. As credit unions, banks, and mortgage companies have moved more workloads to cloud platforms and outsourced more IT operations to MSPs, the blast radius of any single vendor breach has expanded dramatically. An MSP serving 200 financial institutions is a 200x multiplier for any attacker who can breach its platform.

How Many Vendors Touch Your Data?

Every third-party tool adds attack surface you do not control. ABT's pure Microsoft stack, governed by M365 Guardian, eliminates the MSP platform supply chain entirely.

SitusAMC: When JPMorgan's Data Sits on Someone Else's Server

In November 2025, SitusAMC, a mortgage services and technology vendor serving some of the largest banks in the United States, disclosed a cyberattack that exposed residential mortgage loan data.

The client list read like a directory of American banking: JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of smaller institutions. All of them relied on SitusAMC for mortgage-related services. All of them had borrower data sitting on SitusAMC's servers when the breach occurred.

Incident: November 2025

SitusAMC: Mortgage Vendor Breach Hits Major Banks

Cyberattack on SitusAMC exposed residential mortgage loan data for JPMorgan Chase, Citigroup, Morgan Stanley, and hundreds of other financial institutions. No ransomware was deployed. The attackers performed pure data theft, exfiltrating mortgage records without encrypting systems or demanding payment. The quiet nature of the attack meant weeks of dwell time before detection.

Sources: Reuters, CSO Online, SecureWorld

The SitusAMC breach highlights a reality that most CISOs at credit unions, banks, and mortgage companies understand but cannot fully solve. When you outsource a business function, you outsource its security. JPMorgan Chase has one of the most sophisticated cybersecurity operations in the world. A $15 billion annual technology budget, thousands of security professionals, and a CISO who reports directly to the CEO. None of that mattered when the breach was at their vendor.

SitusAMC's breach was notable for what it was not. No ransomware. No encryption. No dramatic shutdown. The attackers simply exfiltrated data: mortgage loan records, borrower information, closing documents, and left. This smash-and-grab approach is increasingly common in attacks targeting the financial services supply chain. The data itself is valuable enough to sell or leverage for future fraud. No ransom necessary.

ConnectWise: The MSP Platform That Was Breached Twice

If the Marquis and SitusAMC breaches show what happens when a vendor gets hacked, the ConnectWise story shows what happens when the platform your managed service provider relies on gets hacked twice.

ConnectWise Breach #1 (Feb 2024) vs. ConnectWise Breach #2 (May 2025)

Attack Vector
  Breach #1: Authentication bypass vulnerability (CVE-2024-1709, CVSS 10.0), the maximum severity score
  Breach #2: Nation-state actor compromised ConnectWise's own environment

Exploitation Timeline
  Breach #1: Exploited within 48 hours of public disclosure
  Breach #2: Unknown dwell time before detection

Threat Actors
  Breach #1: Play and LockBit ransomware groups
  Breach #2: Nation-state actor (unnamed)

Impact
  Breach #1: MSPs and downstream clients exposed. Finance company SAN encrypted by Play ransomware.
  Breach #2: "Very small number" of ScreenConnect customers breached directly. Mandiant engaged.

ABT Client Exposure
  Breach #1: Zero. ABT does not use ConnectWise.
  Breach #2: Zero. ABT does not use ConnectWise.

In February 2024, researchers disclosed CVE-2024-1709, an authentication bypass vulnerability in ConnectWise ScreenConnect rated at the maximum CVSS severity score of 10.0. Within 48 hours, Play and LockBit ransomware groups had weaponized the exploit and were actively targeting ScreenConnect instances across the internet. Any managed service provider using ScreenConnect was a potential entry point, and their downstream financial institution clients were the ultimate targets.

Fifteen months later, in May 2025, ConnectWise was breached again, this time by a nation-state actor who compromised ConnectWise's own infrastructure to target ScreenConnect customers directly. Mandiant was engaged for incident response. ConnectWise disclosed that a "very small number" of customers were affected, but for MSPs that had rebuilt their security posture after the February 2024 breach, the message was clear. The platform itself was the vulnerability.

ConnectWise was breached twice in 15 months, once by ransomware groups exploiting a CVSS 10.0 vulnerability, once by a nation-state actor targeting the platform directly. The platform your MSP relies on is the platform attackers target.

For credit unions, banks, and mortgage companies that use MSPs built on ConnectWise, Kaseya, or similar platforms, the math is unforgiving. Your MSP's security controls do not protect you if the MSP's platform gets breached. And when an MSP serves dozens or hundreds of financial institutions, the attacker gets economies of scale that dwarf anything they could achieve attacking institutions one at a time.

Regulatory Reality: Third-Party Risk Under the FTC Safeguards Rule

The updated FTC Safeguards Rule requires financial institutions to oversee the security practices of their service providers. Section 314.4(f)(1) specifically mandates that covered institutions select service providers that maintain appropriate safeguards and contractually require them to implement and maintain those safeguards. The Marquis breach, where an unpatched SonicWall firewall exposed 74 institutions, is exactly the scenario regulators had in mind. Your vendor's patching failure is your compliance failure. Due diligence on vendor security is not optional. It is a regulatory requirement with enforcement teeth.

Breaking the Third Link: Eliminating the MSP Supply Chain

Most guidance on third-party risk management focuses on vendor assessment questionnaires, contract language, and periodic audits. Those controls are necessary. They are also insufficient. When Marquis's SonicWall was unpatched, no vendor questionnaire would have caught it before the ransomware group did.

The most effective way to reduce supply chain risk is to reduce the supply chain itself.

Pure Microsoft stack, no third-party MSP platforms. Access Business Technologies delivers managed IT and security services for 750+ credit unions, banks, and mortgage companies without ConnectWise, Kaseya, SolarWinds, Nerdio, or N-able. Every management function that those platforms provide (remote monitoring, patch management, endpoint security, identity management) is handled natively through the Microsoft ecosystem: Microsoft Intune, Microsoft Defender, Microsoft Entra ID, and Microsoft Sentinel. When ConnectWise was breached in February 2024 and again in May 2025, ABT clients had zero exposure. Not reduced exposure. Zero.

How M365 Guardian, Microsoft Defender, and Microsoft Sentinel Stop the Cascade

Eliminating MSP platforms removes one attack vector. The harder problem is what happens when an attacker still gets in through a vendor account that has legitimate Microsoft 365 access to your tenant. Vendor email migrations, mortgage interface partners, audit firms, IT consultants, all of them carry working credentials inside your environment for the length of an engagement. When their tenant gets breached, their credentials in your tenant become attacker credentials in your tenant. The detection-and-response stack inside Microsoft 365, anchored by Microsoft Defender for the threat surface and Microsoft Sentinel for the unified incident view, is the layer that catches that cascade before it turns into your breach notification letter.

M365 Guardian is ABT's operating model on top of Microsoft 365 for regulated financial institutions. Microsoft sells the licensing. ABT operates the configuration, monitoring, and response across all 750+ FI tenants under delegated admin. The Guardian operating model layers institution-specific Conditional Access policies tuned to branch geography and role behavior on top of the Microsoft baseline. It binds broker-dealer-specific and mortgage-specific Microsoft Purview DLP profiles to customer NPI, loan files, and supervisory correspondence. It deploys Microsoft Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps with policies tuned to actual FI attack patterns rather than vendor SMB defaults. It runs Microsoft Sentinel as the SIEM of record across the customer's entire Microsoft 365 footprint. And it ties the whole stack to a 24/7 security operations center that watches every Defender alert and every Sentinel incident every minute of the day. The customer keeps its tenant ownership, its regulatory relationships, and its data. ABT supplies the operating model that turns Microsoft's tooling into a managed detection and response service for FIs.

Microsoft Defender for Identity tracks lateral movement. When an attacker who has compromised a vendor account tries to move laterally (accessing SharePoint sites the vendor never touched before, downloading files from other users' OneDrives, or querying Microsoft Entra ID for admin accounts), Defender for Identity flags the behavior pattern and generates a high-priority alert. The Guardian SOC investigates, validates, and contains within an agreed response SLA. The customer's compliance team gets a clean incident timeline that satisfies the 30-day customer notification analysis under amended Regulation S-P and the 12-hour reporting requirement of HUD Mortgagee Letter 2024-10, where applicable.

Microsoft Defender for Cloud Apps closes the SaaS-to-SaaS sprawl gap. When a vendor's compromised account starts behaving abnormally inside Microsoft 365 (impossible travel, mass-download of borrower documents from SharePoint, sudden OAuth grants to unfamiliar apps), Defender for Cloud Apps fires the policy-aligned alert. The Guardian configuration also extends the Defender posture to the SaaS apps that touch Microsoft 365 from the side: Calyx PointCentral, MortgageExchange interfaces, Encompass connectors, core banking integrations. The Defender signal does not stop at the M365 perimeter; it follows the data.

Microsoft Sentinel aggregates everything into a single incident view. Sentinel pulls signals from Microsoft Entra ID sign-ins, every Defender product, Microsoft Purview audit logs, Microsoft Intune device compliance, and any third-party connectors required by the customer (firewall syslog, core-banking app logs, mortgage LOS audit feeds). Guardian-tuned analytic rules surface broker-dealer registered-representative impersonation, branch-targeted phishing chains, customer-account takeover signals, vendor-account anomaly cascades, and the specific multi-step patterns the kill-chain series describes. The SOC works from Sentinel hunting queries and automation runbooks. The customer gets a single timeline of who did what, when, and how the response unfolded, the exact form FINRA examiners and FFIEC examiners ask to see.

Continuous Access Evaluation makes session tokens disposable. Even if an attacker captures a session token through a supply chain compromise, Continuous Access Evaluation revokes the token in real time when a risk score spikes. Impossible travel. Sign-in from a new country. A sudden burst of data access. Guardian's Sentinel automation runbooks call revokeSignInSessions on the affected accounts the moment the policy threshold trips. Tokens that looked valid two seconds ago are dead. The cascade stops at the second hop.
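The containment step described above, written out as an Azure Automation runbook body that a Sentinel automation rule could call through a playbook. This is an added example, not ABT's runbook or Microsoft sample code; it assumes the Automation account's managed identity holds the User.Read.All, User.RevokeSessions.All and User.EnableDisableAccount.All Graph permissions, and that the playbook passes the account's UPN as the $UserPrincipalName parameter (that entity mapping is an assumption). It also encodes a caveat the paragraph glosses over: revokeSignInSessions invalidates refresh tokens and the access tokens of CAE-capable clients and services, but an access token already issued to a non-CAE service stays valid until it expires, so a high-confidence incident pairs revocation with disabling the account.

```powershell
# Added example (not ABT's or Microsoft's code): contain a compromised vendor
# account from a Sentinel playbook. Requires the Microsoft.Graph.Users and
# Microsoft.Graph.Users.Actions modules imported into the Automation account.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # supplied by the playbook (assumed entity mapping)
    [string] $IncidentId = 'unknown',                      # Sentinel incident number, for the timeline record
    [switch] $DisableAccount                               # set for high-confidence incidents
)

# Authenticate as the Automation account's system-assigned managed identity.
Connect-MgGraph -Identity -NoWelcome

function Invoke-VendorAccountContainment {
    param([string] $Upn, [string] $IncidentId, [bool] $Disable)

    $user  = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled
    $steps = [ordered]@{}

    # 1. Invalidate refresh tokens and CAE-enforced sessions. Tokens held by
    #    non-CAE clients live until their normal expiry, which is why step 2 exists.
    $r = Revoke-MgUserSignInSession -UserId $user.Id
    $steps['revokeSignInSessions'] = [bool]$r.Value

    # 2. Optionally block issuance of any new token by disabling the account.
    if ($Disable) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        $steps['accountDisabled'] = $true
    }

    # 3. Return a structured record the SOC can attach to the incident timeline.
    [pscustomobject]@{
        IncidentId  = $IncidentId
        User        = $user.UserPrincipalName
        ContainedAt = (Get-Date).ToUniversalTime().ToString('o')
        Steps       = $steps
    }
}

$result = Invoke-VendorAccountContainment -Upn $UserPrincipalName -IncidentId $IncidentId -Disable $DisableAccount.IsPresent
$result | ConvertTo-Json -Depth 3
```

Run it from the playbook with the incident's account entity and, for the automation rule tier that handles confirmed vendor-account compromise, with -DisableAccount set; re-enabling the account after the vendor rotates credentials is a deliberate manual step, not part of the runbook.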

Network segmentation through Conditional Access. Vendor accounts do not get blanket access. ABT configures Microsoft Entra ID Conditional Access policies that restrict vendor sessions to specific applications, specific IP ranges, and specific time windows. A vendor that needs access to your email migration does not get access to your SharePoint containing borrower files. The conditional policies are documented, tested, and renewed alongside the GDAP grants that govern ABT's own access to the tenant, so the same least-privilege discipline applies to every external party in the firm's perimeter.
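A concrete way to build the vendor scoping described above with the Microsoft Graph PowerShell SDK. This is an added example, not ABT's configuration or Microsoft's sample code. The group name, the 203.0.113.0/24 egress range (a documentation address block) and the application ID are placeholders to replace with the engagement's real values. Two points a practitioner should take from it: the conditions inside one Conditional Access policy are ANDed, so the application restriction and the network restriction must be separate block policies, and Conditional Access has no calendar condition, so the engagement's time window is enforced by disabling the vendor accounts when the end date passes.

```powershell
# Added example (not ABT's or Microsoft's code): scope a vendor group's access
# to one application and one egress range, and disable the accounts once the
# engagement ends. Requires Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
# and Microsoft.Graph.Users.
param(
    [string]   $VendorGroupName = 'Vendor - Email Migration',                  # placeholder group
    [string[]] $VendorCidrs     = @('203.0.113.0/24'),                         # placeholder egress range
    [string[]] $AllowedAppIds   = @('00000000-0000-0000-0000-000000000000'),   # placeholder app (client) ID
    [datetime] $EngagementEnds  = (Get-Date).AddDays(30)
)

Connect-MgGraph -NoWelcome -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All',
    'Group.Read.All', 'GroupMember.Read.All', 'User.Read.All', 'User.EnableDisableAccount.All'

$group = Get-MgGroup -Filter "displayName eq '$VendorGroupName'" | Select-Object -First 1
if (-not $group) { throw "Vendor group '$VendorGroupName' not found" }

# 1. Named location for the vendor's permitted source network.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = "Vendor egress - $VendorGroupName"
    isTrusted     = $false
    ipRanges      = @($VendorCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# Conditions within a policy are ANDed. One policy carrying both "app not allowed"
# and "location not allowed" would block only sign-ins that fail BOTH tests, so the
# vendor could reach any app from its own range. Hence two policies.

# 2. Block the vendor group from every application except the allowed ones.
$appPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Vendor scope: applications - $VendorGroupName"
    state         = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @('All'); excludeApplications = $AllowedAppIds }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Block the vendor group from every location except its named egress range.
$netPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Vendor scope: network - $VendorGroupName"
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 4. Time window: run this from a scheduled job. Accounts are disabled rather than
#    removed from the group, because removing them would lift the two block policies
#    while leaving whatever access the accounts still hold.
function Disable-ExpiredVendorMembers {
    param([string] $GroupId, [datetime] $EndsOn)
    if ((Get-Date) -lt $EndsOn) { return 0 }
    $members = @(Get-MgGroupMember -GroupId $GroupId -All)
    foreach ($m in $members) { Update-MgUser -UserId $m.Id -AccountEnabled:$false }
    return $members.Count
}

$disabled = Disable-ExpiredVendorMembers -GroupId $group.Id -EndsOn $EngagementEnds
"Policies $($appPolicy.Id) and $($netPolicy.Id) created in report-only mode; accounts disabled: $disabled"
```

Leave both policies in report-only mode for a few days and check the vendor's sign-ins in the Entra ID sign-in logs (the Conditional Access tab shows which policy would have blocked) before enabling them; a typo in the CIDR or a missed dependent application shows up there instead of as a blocked migration.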

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Eliminating MSP platforms from your stack is the structural fix. Catching the in-tenant cascade is the operating-model fix. Microsoft Entra ID supplies the identity layer: Conditional Access, sign-in risk, GDAP scoping. Microsoft Intune enrolls every device with a compliance baseline. Microsoft Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps handle the active threat side across email, endpoint, identity, and SaaS sprawl. Microsoft Purview Audit, DLP, retention, and Communication Compliance hold the books-and-records side. Microsoft Sentinel aggregates the signals into the SIEM of record. M365 Guardian is the ABT operating model that ties them together and runs them through a 24/7 SOC for credit unions, banks, mortgage companies, and securities firms. ABT manages the Microsoft 365 tenant under delegated admin. ABT hosts the Azure environment where customer workloads run. The customer owns the data, the regulatory relationships, and the decisions about what gets cataloged, retained, and reported.

Source: Microsoft Learn product documentation for Defender, Sentinel, Entra ID, and Purview, 2024-2026.

Kill Chain Status: Part 3 of 4

Recon > Phish [>>> BREACH >>>] Heist

The stolen credentials from Part 1 were weaponized into phishing attacks in Part 2. Now, supply chain compromises have extended the breach beyond your walls. In Part 4: The Heist, the attacker turns access into money: wire fraud, persistence, and the devastating aftermath.

Is Your Vendor Stack a Liability?

ABT's supply chain security assessment, run through M365 Guardian and a Microsoft Sentinel review, shows you exactly where your risk lives:

  • Complete inventory of vendors with Microsoft 365 access to your member, customer, or borrower data
  • Risk analysis of each MSP platform in your stack (ConnectWise, Kaseya, SolarWinds, N-able exposure)
  • Microsoft Defender for Cloud Apps audit of OAuth grants and SaaS-to-SaaS sprawl across your tenant
  • Gap analysis against FTC Safeguards Rule Section 314.4(f) and amended Regulation S-P third-party requirements
  • Migration roadmap to a pure Microsoft stack, governed by M365 Guardian and monitored through Microsoft Sentinel

Frequently Asked Questions

In August 2025, a ransomware group exploited an unpatched SonicWall firewall vulnerability (CVE-2024-40766) at Marquis Software Solutions, a fintech vendor serving over 700 banks and credit unions. The attackers accessed client data pipelines and exposed personal information including Social Security numbers, bank account details, and taxpayer IDs for 780,000+ individuals across 74 financial institutions. Each affected institution had to file breach notifications with state attorneys general and notify affected customers, despite having no direct security failure of their own.

Every third-party MSP platform in your security stack (ConnectWise, Kaseya, SolarWinds, N-able) adds attack surface that you cannot directly control. When ConnectWise ScreenConnect was breached through a CVSS 10.0 authentication bypass in February 2024, MSPs using the platform exposed their downstream financial institution clients to Play and LockBit ransomware. ConnectWise was breached again in May 2025 by a nation-state actor. A pure Microsoft stack using Microsoft Intune, Microsoft Defender, Microsoft Entra ID, and Microsoft Sentinel for all management functions eliminates the MSP platform supply chain entirely. ABT manages 750+ financial institution tenants on this architecture, which resulted in zero client exposure during both ConnectWise breaches.

M365 Guardian is ABT's operating model for Microsoft 365 deployed in regulated financial institutions. It binds Microsoft Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps to policies tuned to actual FI attack patterns, then aggregates every signal into Microsoft Sentinel as the SIEM of record. When a vendor account compromised through a supply chain breach starts behaving abnormally inside your Microsoft 365 tenant (lateral movement through SharePoint, OAuth grants to unfamiliar SaaS apps, impossible-travel sign-ins), Defender fires the alert and Sentinel correlates it across the full identity, device, and SaaS surface. ABT's 24/7 SOC investigates, validates, and contains the incident under an agreed response SLA. Continuous Access Evaluation revokes session tokens the moment a risk threshold trips, so a stolen token has a working life measured in seconds, not days.

The updated FTC Safeguards Rule requires financial institutions to select service providers that maintain appropriate safeguards and to contractually require those providers to implement and maintain security controls. Specifically, Section 314.4(f)(1) mandates due diligence on vendor security practices, contractual provisions requiring safeguards, and periodic assessment of vendor compliance. A vendor's patching failure (like the unpatched SonicWall at Marquis Software that exposed 74 institutions) can become your compliance failure if you have not documented adequate vendor risk management procedures. Microsoft Defender for Cloud Apps and Microsoft Sentinel under the M365 Guardian operating model produce the continuous-monitoring evidence that satisfies Section 314.4(f) when paired with an executed vendor oversight agreement.

MSP platforms provide centralized management for dozens or hundreds of client environments. Breaching a single MSP platform gives an attacker access to every organization that MSP manages, a one-to-many attack multiplier. ConnectWise ScreenConnect had a CVSS 10.0 authentication bypass exploited by ransomware groups in February 2024 and was compromised by a nation-state actor in May 2025. Kaseya VSA was exploited in a supply chain attack in July 2021 that affected over 1,500 businesses. For credit unions, banks, and mortgage companies, the risk is that their MSP's platform vulnerability becomes their data breach, regardless of their own security controls.

Start by inventorying every vendor that has access to your member, customer, or borrower data. For each vendor, document what data they access, what platforms they operate, and how their security controls are verified. Reduce the number of vendors in your stack where possible. Every vendor eliminated is attack surface removed. Evaluate whether your MSP platform itself can be replaced with native Microsoft management tools governed by an operating model like M365 Guardian. Implement Microsoft Entra ID Conditional Access policies that restrict vendor access to specific applications, IP ranges, and time windows. Require contractual security obligations aligned with FTC Safeguards Rule Section 314.4(f). Monitor vendor access patterns continuously through Microsoft Sentinel and Microsoft Defender for Cloud Apps, not just at annual review.
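The first step above, the inventory of who outside the institution can reach tenant data, as an added example (not ABT's assessment tooling or Microsoft sample code). It assumes vendor staff are represented as B2B guest users and that the caller holds read-only Graph scopes; the 30-day staleness threshold and the list of scopes treated as high-risk are the author's assumptions for the example. It covers the two sources of external access the article returns to: guest accounts that outlive their engagement, and OAuth consents that give a third-party application standing access to mail, files or the directory.

```powershell
# Added example (not ABT's or Microsoft's code): list external identities and
# delegated OAuth consents so they can be reconciled against the vendor register.
# Requires Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns and
# Microsoft.Graph.Applications.
Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'AuditLog.Read.All',
    'DelegatedPermissionGrant.Read.All', 'Application.Read.All'

function Get-VendorAccessInventory {
    param([int] $StaleAfterDays = 30)   # assumed threshold; tune to the institution's review cadence
    $cutoff   = (Get-Date).AddDays(-$StaleAfterDays)
    $tenantId = (Get-MgContext).TenantId

    # 1. Guest accounts with last sign-in. An enabled guest with no recent sign-in
    #    is the classic forgotten engagement. signInActivity needs AuditLog.Read.All.
    $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id,DisplayName,Mail,CreatedDateTime,AccountEnabled,SignInActivity |
        ForEach-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            [pscustomobject]@{
                Guest      = $_.Mail
                Created    = $_.CreatedDateTime
                LastSignIn = $last
                Enabled    = $_.AccountEnabled
                Stale      = $_.AccountEnabled -and ((-not $last) -or ($last -lt $cutoff))
            }
        }

    # 2. Delegated OAuth consents: which app holds which scopes, whether the app is
    #    owned by another tenant, and whether consent was granted tenant-wide.
    $sps = @{}
    Get-MgServicePrincipal -All -Property Id,DisplayName,AppOwnerOrganizationId |
        ForEach-Object { $sps[$_.Id] = $_ }

    $grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
        $sp = $sps[$_.ClientId]
        [pscustomobject]@{
            App         = if ($sp) { $sp.DisplayName } else { $_.ClientId }
            ThirdParty  = [bool]($sp -and $sp.AppOwnerOrganizationId -and $sp.AppOwnerOrganizationId -ne $tenantId)
            ConsentType = $_.ConsentType     # 'AllPrincipals' = admin consent on behalf of every user
            Scopes      = $_.Scope
            # assumed high-risk scope list for the example: mailbox, all files/sites, directory
            HighRisk    = [bool]($_.Scope -match 'Mail\.Read|Mail\.ReadWrite|Files\.Read\.All|Files\.ReadWrite\.All|Sites\.Read\.All|Directory\.')
        }
    }

    [pscustomobject]@{ Guests = @($guests); Grants = @($grants) }
}

$inv = Get-VendorAccessInventory
"Guests: $($inv.Guests.Count); stale and still enabled: $(@($inv.Guests | Where-Object Stale).Count)"
$inv.Grants | Where-Object { $_.ThirdParty -and $_.HighRisk } |
    Format-Table App, ConsentType, Scopes -AutoSize
```

The two output sets answer different questions: the stale-guest list drives account disablement and the contract-end review, while the third-party grant list is what to hold up against the vendor register, since an application that appears there without a matching vendor agreement is access nobody approved.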


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent over 25 years building secure IT environments for credit unions, banks, and mortgage companies without the third-party MSP platforms that create supply chain risk. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he architects pure Microsoft deployments for more than 750 financial institutions under the M365 Guardian operating model, with Microsoft Defender and Microsoft Sentinel running through a 24/7 security operations center to catch the in-tenant cascade that vendor breaches like ConnectWise, Kaseya, and SolarWinds set in motion across the industry.