The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.
The exact initial access vector is not yet known, although it has been assessed with high confidence that the intrusions were most likely driven by exploitation of a zero-day vulnerability.
The campaign has been observed going through four distinct attack phases that commenced around November 16, 2024.
Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign.
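The sequence described above (administrative login on a management interface, creation of a new account, SSL VPN authentication with that account) is something a defender can hunt for by correlating audit events. The following is an added example, not code from the original report or from any firewall vendor; the event records are constructed and simplified, and the field names, the trusted-source list and the 24-hour window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events; this is not a real vendor log format.
SAMPLE_EVENTS = [
    {"ts": "2024-11-16T02:10:00", "type": "admin_login", "user": "admin", "src": "203.0.113.10", "iface": "mgmt"},
    {"ts": "2024-11-16T02:12:30", "type": "account_create", "user": "admin", "target": "svc_backup"},
    {"ts": "2024-11-16T02:40:00", "type": "sslvpn_login", "user": "svc_backup", "src": "198.51.100.7"},
    {"ts": "2024-11-16T03:05:00", "type": "config_change", "user": "svc_backup", "object": "firewall.policy"},
    {"ts": "2024-11-17T09:00:00", "type": "account_create", "user": "admin", "target": "jdoe"},
    {"ts": "2024-11-20T09:30:00", "type": "sslvpn_login", "user": "jdoe", "src": "192.0.2.5"},
]


def find_new_account_vpn_chains(events, window_hours=24):
    """Return (account, created_ts, first_vpn_login_ts) for every account that was
    created and then used for SSL VPN authentication within window_hours.
    Accounts first used for VPN long after creation are ignored, so the rule stays
    focused on the create-then-use sequence rather than on ordinary onboarding."""
    window = timedelta(hours=window_hours)
    created = {}  # account -> (creation datetime, original timestamp string)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "account_create":
            created.setdefault(ev["target"], (t, ev["ts"]))
        elif ev["type"] == "sslvpn_login" and ev["user"] in created:
            created_at, created_ts = created[ev["user"]]
            if timedelta(0) <= t - created_at <= window:
                hits.append((ev["user"], created_ts, ev["ts"]))
                del created[ev["user"]]  # report each account once
    return hits


def untrusted_mgmt_logins(events, trusted_sources):
    """Administrative logins on the management interface from a source address
    that is not on the allowlist; trusted_sources is an assumed, site-specific set."""
    return [ev for ev in events
            if ev["type"] == "admin_login" and ev["iface"] == "mgmt"
            and ev["src"] not in trusted_sources]


if __name__ == "__main__":
    for acct, created_ts, login_ts in find_new_account_vpn_chains(SAMPLE_EVENTS):
        print(f"new account {acct} created {created_ts}, SSL VPN login {login_ts}")
    for ev in untrusted_mgmt_logins(SAMPLE_EVENTS, {"10.1.1.5"}):
        print(f"admin login on mgmt from untrusted source {ev['src']} at {ev['ts']}")
```

Extending the chain with the subsequent configuration changes made by the new account is a natural next step, since that is the phase in which the intrusions described here did their damage.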