
Windows flaws are being used by more groups than previously thought

Initial access came through a Cisco firewall

Symantec found evidence that the attacker gained access to the victim's network through a Cisco ASA firewall and then moved on to Windows machines. The researchers have not said whether that access was achieved by exploiting a vulnerability or by using weak or compromised credentials, but zero-day attacks on network edge devices such as firewalls, VPN gateways, and other security appliances have become common over the past two years.

Even though most of these zero-day attacks are the work of well-resourced and well-funded nation-state groups, once a vulnerability is disclosed and an exploit for it becomes available, other kinds of attackers may try to use it as well.

The attacker managed to deploy an infostealer

In this attack, the Balloon Fly group did not reach the stage of deploying its ransomware, which is usually one of the final steps, taken once the attacker controls important parts of the network so as to cause maximum damage. The group did, however, deploy an infostealer called Grixba, which is normally part of its toolset.
