Early access to Cisco Firewall
Symantec found evidence that the attackers first gained access to the victim's network through a Cisco ASA firewall and then pivoted to a Windows machine. The researchers did not say whether this access was obtained by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become very common in the last two years.
Even though most of these zero-day attacks are the work of nation-state groups with substantial resources and funding, once a vulnerability is disclosed and an exploit is available, other types of attackers are also likely to try to capitalize on it.
The attackers managed to deploy an infostealer
In this attack, the Balloonfly group did not reach the stage of deploying the Play ransomware, since that is usually one of the final stages, carried out once the attackers control vital parts of the network so as to cause maximum damage to the victim. However, the group did deploy an infostealer called Grixba, which is usually part of its toolset.