Initial access occurred via Cisco firewall
Symantec found evidence that the attackers gained access to the victim's network through a Cisco ASA firewall and then pivoted to a Windows machine. The researchers did not say whether this access was obtained by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become very common over the past two years.
Even though most of these zero-day attacks are the work of nation-state groups with significant resources and funding, once a vulnerability is disclosed and an exploit becomes available, other types of attackers are also likely to try to capitalize on it.
Attackers managed to deploy infostealer
In this attack, the Balloonfly group did not reach the stage of deploying the Play ransomware, which is usually one of the final stages, carried out once the attackers control critical parts of the network and can cause maximum damage. However, the group did deploy an infostealer called Grixba that is usually part of its toolset.