Windows flaw exploited as zero-day by more groups than previously thought


Initial access occurred through Cisco firewall

Symantec found evidence that the attackers gained access to the victim's network through a Cisco ASA firewall and then pivoted to a Windows machine. The researchers did not say whether this access was achieved by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks against network-edge devices such as firewalls, VPN gateways and other security appliances have become very common over the past two years.

Even though most of these zero-day attacks are the work of nation-state groups with significant resources and funding, once a vulnerability is disclosed and an exploit becomes available, other types of attackers are also likely to try to capitalize on it.

Attackers managed to deploy infostealer

In this attack, the Balloonfly group did not reach the stage of deploying the Play ransomware. Ransomware deployment is usually one of the final stages of an intrusion, carried out once the attackers control significant parts of the network and can cause maximum damage. However, the group did deploy Grixba, an infostealer that is usually part of its toolset.
