Initial access occurred via Cisco firewall
Symantec discovered evidence that the attackers gained access to the victim's network via a Cisco ASA firewall and then pivoted to a Windows machine. The researchers did not reveal whether this access was achieved by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become very common over the past two years.
Even though most of these zero-day attacks are the work of nation-state groups with significant resources and funding, once a vulnerability is disclosed and an exploit becomes available, other kinds of attackers are also likely to try to capitalize on it.
Attackers managed to deploy infostealer
In this attack, the Balloonfly group did not reach the stage of deploying the Play ransomware, which is usually one of the final stages, carried out once the attackers have control over significant parts of the network for maximum damage. However, the group did deploy an infostealer called Grixba that is usually part of its toolset.