Initial entry occurred via Cisco firewall
Symantec found evidence that the attackers gained entry to the victim's network via a Cisco ASA firewall and then pivoted to a Windows machine. The researchers did not reveal whether this access was achieved by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become quite common over the past two years.
Although most of these zero-day attacks are the work of nation-state groups with significant resources and funding, once a vulnerability is disclosed and an exploit becomes available, other types of attackers are also likely to try to capitalize on it.
Attackers managed to deploy infostealer
In this attack, the Balloonfly group did not get to the stage of deploying the Play ransomware, as that is usually one of the final stages, when attackers have control over critical parts of the network for maximum damage. However, the group did deploy an infostealer known as Grixba that is usually part of its toolset.