Supply Chain Under Fire: Marquis Sues SonicWall After Bank Ransomware Attack

Security Arsenal Team
February 26, 2026

When a cybersecurity provider becomes the entry point for a cyberattack, the ripple effects can be catastrophic. This is the stark reality facing Marquis Software Solutions, which recently filed a lawsuit against SonicWall. The allegation? That gross negligence and misrepresentation on the part of the security giant allowed threat actors to breach their systems, deploy ransomware, and disrupt operations at 74 U.S. banks.

While the legal battles play out in court, this incident serves as a critical warning for the cybersecurity community. It highlights the dangerous convergence of supply chain risk, perimeter security, and data availability. For managed security providers and internal SOC teams, the lesson is clear: trust but verify, and always assume your perimeter can be breached.

The Anatomy of the Breach

The lawsuit centers on the claim that SonicWall's Secure Remote Access (SRA) or backup appliances contained vulnerabilities that were exploited by attackers. While specific CVEs in the filing point toward known zero-day exploits in SonicWall's ecosystem, the operational impact is what matters most to analysts. Once inside the perimeter, the attackers moved laterally to target the backup infrastructure.

This attack vector follows a disturbing trend in modern ransomware: The Double Tap.

  1. Initial Access: Compromising a trusted security appliance (often VPNs or firewalls) to bypass traditional perimeter defenses.
  2. Lateral Movement: Privilege escalation to access backup servers or admin panels.
  3. Destruction: Encrypting primary data and simultaneously deleting or corrupting backup snapshots.

By crippling the backup mechanism, the attackers remove the victim's ability to restore operations without paying the ransom. In the Marquis case, the dependency on a single vendor for both perimeter defense and potentially data recovery created a single point of failure that paralyzed 74 financial institutions.

Technical Deep Dive: Attack Vectors and TTPs

From a threat hunting perspective, the exploitation of network appliances to pivot to internal backup servers involves specific Tactics, Techniques, and Procedures (TTPs) that SOC teams must identify.

Attackers often leverage CVEs in SSL-VPN appliances to gain remote code execution (RCE). Once they have a foothold, they dump credentials from the appliance's memory to access the internal network. Their primary target is often the Volume Shadow Copy Service (VSS) or specific backup agents such as Veeam or Dell EMC, which they abuse to delete shadow copies and stop backup services before the encryption phase begins.

Detection and Threat Hunting

To detect similar activities in your environment, you need to monitor for anomalies in privileged access to backup systems and unexpected interactions with volume shadow copies.

KQL Query (Microsoft Sentinel / Defender)

This query hunts for suspicious command-line arguments related to backup destruction, often a precursor to ransomware execution.

```kql
// Hunt for Shadow Copy Deletion and Backup Service Tampering
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has_any ("delete", "shadows", "/delete", "shadowcopy", "stop")
| where ProcessCommandLine has_any ("all", "storage", "backup")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| order by Timestamp desc
```
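The same two-clause logic run offline over a few constructed process events, as an added example (not code from the original post or from Security Arsenal). It assumes a hypothetical tab-separated export of DeviceProcessEvents and mirrors KQL's term-based `has_any` by tokenising the command line rather than substring-matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries and terms come from the KQL hunt above. KQL `has_any` matches whole
# terms, so the command line is tokenised rather than searched as a substring.
TAMPER_BINARIES = {"vssadmin.exe", "wbadmin.exe", "wmic.exe", "powershell.exe"}
DESTRUCTIVE_TERMS = {"delete", "shadows", "shadowcopy", "stop"}  # "/delete" tokenises to "delete"
SCOPE_TERMS = {"all", "storage", "backup"}  # second clause: cuts noise, can also cut true positives


@dataclass
class ProcessEvent:
    timestamp: str
    device: str
    account: str
    file_name: str
    command_line: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one row of a hypothetical tab-separated DeviceProcessEvents export."""
    fields = line.rstrip("\n").split("\t", 4)
    return ProcessEvent(*fields) if len(fields) == 5 else None


def is_backup_tampering(event: ProcessEvent) -> bool:
    if event.file_name.lower() not in TAMPER_BINARIES:
        return False
    toks = set(re.findall(r"[a-z0-9]+", event.command_line.lower()))
    return bool(toks & DESTRUCTIVE_TERMS) and bool(toks & SCOPE_TERMS)


def hunt(lines: List[str]) -> List[ProcessEvent]:
    """Return flagged events newest first, like the query's `order by Timestamp desc`."""
    hits = [ev for ev in map(parse_event, lines) if ev and is_backup_tampering(ev)]
    return sorted(hits, key=lambda e: e.timestamp, reverse=True)


# Constructed sample telemetry (not real data): Timestamp, Device, Account, FileName, CommandLine
SAMPLE_EVENTS = [
    "2026-02-20T03:12:44Z\tBKP-SRV01\tsvc_backup\tvssadmin.exe\tvssadmin.exe delete shadows /all /quiet",
    "2026-02-20T03:13:01Z\tBKP-SRV01\tsvc_backup\twbadmin.exe\twbadmin delete catalog -quiet",
    "2026-02-20T03:13:30Z\tBKP-SRV01\tsvc_backup\tpowershell.exe\tpowershell.exe -Command \"Stop-Service -DisplayName 'Veeam Backup Service' -Force\"",
    "2026-02-20T09:00:00Z\tWS-042\tjdoe\tvssadmin.exe\tvssadmin.exe list shadows /all",
    "2026-02-20T10:00:00Z\tWS-042\tjdoe\tnotepad.exe\tnotepad.exe delete_all_backups.txt",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.timestamp, ev.device, ev.account, ev.command_line)
```

Running it shows the two weak spots of the rule as written: a harmless `vssadmin list shadows /all` is flagged because `shadows` sits in the destructive list, while `wbadmin delete catalog` slips past the second clause, so tune both term lists against your own telemetry.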

PowerShell Script for Backup Integrity Check

This script can be run on backup servers to verify that the VSS service is running and to review the Application log for recent VSS errors, which can indicate tampering with shadow copies.

```powershell
# Audit Backup Service Status and Check for Potential Tampering
Write-Host "Checking VSS Service Status..." -ForegroundColor Cyan
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue

if ($vssService) {
    if ($vssService.Status -ne 'Running') {
        Write-Host "[ALERT] VSS Service is not running. Current State: $($vssService.Status)" -ForegroundColor Red
    } else {
        Write-Host "[OK] VSS Service is running." -ForegroundColor Green
    }
} else {
    Write-Host "[ERROR] VSS Service not found." -ForegroundColor Red
}

# Check Event Log for VSS specific errors (Level 2 = Error) in the last 24 hours
# PowerShell uses `n for a newline inside double-quoted strings, not \n
Write-Host "`nChecking for VSS errors in Event Log..." -ForegroundColor Cyan
$vssErrors = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; Level=2; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue

if ($vssErrors) {
    Write-Host "[ALERT] Found $($vssErrors.Count) VSS errors in the last 24 hours." -ForegroundColor Red
    $vssErrors | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
} else {
    Write-Host "[OK] No critical VSS errors found." -ForegroundColor Green
}
```

Bash Command (Linux Backup Servers)

For environments running Linux-based backup solutions, check for unauthorized user modifications or recent large-scale deletion events.

```bash
# Check for recent sudo usage related to backup directories
# (/var/log/secure on RHEL-family hosts; Debian/Ubuntu write to /var/log/auth.log)
sudo grep -i backup /var/log/secure /var/log/auth.log 2>/dev/null | tail -20

# Check for 'rm' commands run via sudo in the last 2 days. rm itself writes nothing
# to the journal, so filter sudo's own COMMAND= records instead.
sudo journalctl _COMM=sudo --since "2 days ago" | grep -E "COMMAND=.*\brm\b"
```

Mitigation and Strategic Defense

The Marquis lawsuit underscores that security is not just about products; it is about resilience. To prevent a similar scenario in your organization, consider the following actionable steps:

  1. Immutable Backups: Implement immutable storage solutions (WORM - Write Once Read Many) that cannot be modified or deleted even by admin accounts during a specific retention period. This neutralizes the "delete backup" TTP.
  2. Zero Trust Network Access (ZTNA): Do not rely solely on VPN appliances for implicit trust. Ensure that even authenticated users to the network must undergo strict segmentation and verification before accessing backup servers.
  3. Vendor Risk Diversification: Avoid placing all your security eggs in one basket. If your edge protection vendor also manages your backups, ensure there are administrative silos and distinct credential sets so that a compromise in one does not automatically doom the other.
  4. Patch Management Vigilance: Appliances (Firewalls, VPNs) are often neglected compared to endpoints. Treat every firmware update for your perimeter devices as critical.

Executive Takeaways

  • Vendor Liability is Rising: Organizations are increasingly holding security vendors accountable for breaches originating from their products. This changes the procurement landscape significantly.
  • Backup Availability is Paramount: The most damaging part of this attack was the disruption of backups. If you cannot restore, you cannot recover.
  • Perimeter is Dead: Your VPN or Firewall is no longer a wall; it is a door. Assume it will be opened and secure the assets behind it accordingly.
