Quotidien Shaarli

Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.

• In 2023, Cisco Talos discovered an extensive compromise in a critical infrastructure enterprise consisting of a combination of threat actors.
• From initial access to double extortion, these actors slowly and steadily compromised a multitude of hosts in the network using a combination of various dual-use remote administration, SSH and file transfer tools.
• The initial access broker (IAB), whom Talos calls “ToyMaker” and assesses with medium confidence is a financially motivated threat actor, exploits vulnerable systems exposed to the internet. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints.
• A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker handover access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network.

• An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence.
• Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement.
• Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials.
• Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling.
• The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.