CyberSecurity news

FlagThis

@cyberalerts.io //
The initial access broker (IAB) known as ToyMaker has been identified as the facilitator of a sophisticated cyberattack targeting critical infrastructure. Cisco Talos's 2023 incident response report unveiled ToyMaker's operations, showing how the group exploited vulnerable, internet-facing systems to gain an initial foothold. ToyMaker utilizes a custom-made backdoor called LAGTOY, which is designed to execute attacker commands, evade detection, and maintain persistence as a Windows service. This IAB then extracts credentials from the compromised infrastructure, setting the stage for further malicious activity.

Once inside, ToyMaker performs preliminary reconnaissance, credential extraction using tools like Magnet RAM Capture, and deploys the LAGTOY implant. The extracted credentials are then exfiltrated using utilities such as 7-Zip and PuTTY’s SCP, enabling lateral movement and further compromise within the network. A fake user account is created with administrator privileges to maintain access. Following this initial burst of activity, there is a period of inactivity before the access is handed off to the Cactus ransomware group.

The Cactus ransomware operators leverage the stolen credentials to infiltrate additional endpoints, conduct broad network reconnaissance, and exfiltrate sensitive data. They deploy remote access tools, create malicious accounts for persistence, and attempt to disable defenses by deleting volume shadow copies and modifying boot recovery settings. This collaboration between ToyMaker and Cactus highlights a concerning trend in cybercrime, where specialized IABs provide entry points for ransomware groups to carry out large-scale attacks, causing significant disruption to critical infrastructure.
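The hand-off sequence above leaves a recognisable trail in endpoint process-creation telemetry: a new local account pushed into the administrators group, shadow-copy deletion, boot-recovery changes and a freshly registered service. The following Python is an added example written for this page, not code from Talos or any of the cited reports: it parses a constructed, simplified process-creation log format (the `host=... user=... cmd="..."` layout and every sample line are invented for illustration), tags each matching command line with the technique it represents, and escalates hosts where two or more distinct techniques appear, since isolated hits (for example a legitimate `sc create`) are common noise while the combination is what the article describes.

```python
"""Detect the defence-evasion and persistence steps described in the article
in process-creation log lines.

Log format and sample lines are constructed for this example; they are not
from the Talos report or the incident."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    user: str
    technique: str
    command: str


# Technique label -> case-insensitive pattern over the process command line.
# The labels map onto the behaviours the article lists for the ransomware stage.
RULES = {
    "shadow-copy deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "boot-recovery tampering": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "local account creation": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "admin group addition": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "service persistence": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
}

# Constructed line layout (an assumption of this example, not a real product format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) event=process_create cmd="(?P<cmd>.*)"$')

# Constructed sample telemetry: one file server where the whole chain occurs,
# a workstation with benign activity and a DC with a single ambiguous event.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=FS01 user=CORP\\svc_backup event=process_create cmd="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2024-01-01T10:02:15Z host=FS01 user=CORP\\jdoe event=process_create cmd="net user supportadmin xxxxxxxx /add"
2024-01-01T10:02:16Z host=FS01 user=CORP\\jdoe event=process_create cmd="net localgroup administrators supportadmin /add"
2024-01-01T10:05:40Z host=FS01 user=FS01\\supportadmin event=process_create cmd="vssadmin.exe delete shadows /all /quiet"
2024-01-01T10:05:41Z host=FS01 user=FS01\\supportadmin event=process_create cmd="bcdedit /set {default} recoveryenabled no"
2024-01-01T10:06:00Z host=WS07 user=CORP\\asmith event=process_create cmd="notepad.exe report.txt"
2024-01-01T10:07:00Z host=DC01 user=NT AUTHORITY\\SYSTEM event=process_create cmd="sc create UpdaterSvc binPath= C:\\ProgramData\\upd.exe start= auto"
"""


def parse_line(raw):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def scan(log_text):
    """Tag every command line that matches one of the RULES, in log order."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        event = parse_line(raw)
        if event is None:
            continue  # skip unparseable lines rather than failing the whole scan
        for technique, pattern in RULES.items():
            if pattern.search(event["cmd"]):
                findings.append(Finding(line_no, event["host"], event["user"],
                                        technique, event["cmd"]))
    return findings


def hosts_with_staging(findings, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques.

    A single hit is weak evidence; the article's chain (account creation,
    shadow-copy deletion, boot-recovery changes) on one host is strong."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return {host: sorted(techs) for host, techs in by_host.items()
            if len(techs) >= min_techniques}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.host} {f.user}: {f.technique}: {f.command}")
    print("hosts to escalate:", hosts_with_staging(results))
```

In a real deployment the regexes would sit over Sysmon event 1 or Windows 4688 command lines rather than this invented format, and the escalation threshold would be tuned per environment; the point is that correlating the techniques per host, rather than alerting on each in isolation, is what separates the described hand-off from routine administration.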
Original img attribution: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh54Ourbq0zwfMhEZX9sf4vQJs2M2fFY4gwxptBvJZMvHyv4PmtBsfgC42z9pRGWLLvlVVkdDhmVe3gWkhSmVj2Shf709LV92TPN-OQ2xwvauNY42DPJ0f964MdhZKx5fyM0MzkECmNsq-u319RORNmGA7xR1_JNHC0pRGE4gDDCy8HIxPEgM76zZhXBTQH/s728-rw-e365/hacker-iab.jpg


References:
  • blog.talosintelligence.com: Technical details on the attack and exploited vulnerabilities.
  • cyberpress.org: Reports on the multi-stage attack targeting critical infrastructure.
  • securityonline.info: Analysis of the ToyMaker attack campaign and tactics.
  • thehackernews.com: Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS.
  • Cisco Talos Blog: Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
  • securityonline.info: Cisco Talos’ 2023 incident response report unveils the operations of “ToyMaker,” a financially motivated Initial Access Broker (IAB)
Classification:
  • HashTags: #Cybercrime #APT #InitialAccess
  • Company: Multiple Organizations
  • Target: Critical Infrastructure Enterprise
  • Attacker: ToyMaker
  • Feature: Initial Access Broker
  • Malware: LAGTOY
  • Type: Hack
  • Severity: Major