ToyMaker Hackers Compromise Numerous Hosts via SSH and File Transfer Tools
In an alarming cybersecurity breach investigated by Cisco Talos and dating to 2023, a critical infrastructure enterprise fell victim to a carefully orchestrated attack involving multiple threat actors.
The initial access broker, tracked as “ToyMaker” and assessed with medium confidence to be financially motivated, exploited vulnerabilities in internet-facing servers to gain a foothold in the network.
A Sophisticated Multi-Actor Attack on Critical Infrastructure
ToyMaker moved quickly: within a week it carried out reconnaissance, harvested credentials, and deployed its custom backdoor, “LAGTOY,” across numerous hosts.
Its tradecraft leaned on dual-use remote administration tools, SSH utilities, and file transfer tools rather than bespoke malware alone, setting the stage for a second actor to escalate the intrusion.
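The fan-out pattern described above (one account reaching many hosts over SSH in a short window, with file transfer tools launched on the hosts it reaches) is something a defender can hunt for in ordinary auth and process telemetry. The detection sketch below is an added example, not code from the Talos report or from the original article. It runs over a constructed, SIEM-style event feed embedded in the block; the event format, the account and host names, the 24-hour window, the five-host threshold and the tool list are all assumptions chosen for illustration, not values taken from the report.

```python
"""Hunt for SSH fan-out plus file transfer tooling in a normalized event feed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the Talos report or the article): one
# line per SSH login or process start, as a SIEM or EDR might export them.
SAMPLE_EVENTS = [
    "2023-06-01T08:00:00Z host=web01 user=alice event=ssh_login src=10.0.0.20",
    "2023-06-01T09:10:00Z host=web01 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-01T09:12:00Z host=web01 user=svc_admin event=process_start proc=/usr/bin/scp",
    "2023-06-01T09:15:00Z host=db01 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-01T09:40:00Z host=app01 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-01T11:05:00Z host=app02 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-01T11:06:00Z host=app02 user=svc_admin event=process_start proc=/usr/bin/sftp",
    "2023-06-02T02:30:00Z host=fs01 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-02T03:00:00Z host=fs01 user=svc_admin event=process_start proc=/opt/tools/pscp",
    "2023-06-02T03:45:00Z host=jump01 user=svc_admin event=ssh_login src=10.0.0.5",
    "2023-06-02T08:00:00Z host=web01 user=alice event=ssh_login src=10.0.0.20",
    "2023-06-02T08:05:00Z host=web02 user=alice event=ssh_login src=10.0.0.20",
    "2023-06-03T08:00:00Z host=web01 user=alice event=ssh_login src=10.0.0.20",
    "2023-06-03T08:02:00Z host=web01 user=alice event=process_start proc=/usr/bin/python3",
]

# Assumed list of dual-use file transfer binaries worth flagging; tune per estate.
FILE_TRANSFER_TOOLS = {"scp", "sftp", "pscp", "psftp", "winscp", "rclone", "ftp"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: src=(?P<src>\S+))?(?: proc=(?P<proc>\S+))?$"
)


def parse_events(lines):
    """Parse the assumed key=value line format; skip lines that do not match."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_fanout(events, window=timedelta(hours=24), min_hosts=5):
    """Flag accounts whose SSH logins reach >= min_hosts distinct hosts inside `window`.

    For each account, every login is tried as the start of a window and the
    window with the most distinct hosts is kept (quadratic, fine for a hunt).
    """
    logins = defaultdict(list)
    for ev in events:
        if ev["event"] == "ssh_login":
            logins[ev["user"]].append((ev["ts"], ev["host"]))
    alerts = []
    for user, items in logins.items():
        items.sort()
        best = None
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if best is None or len(hosts) > len(best[1]):
                best = (start, hosts)
        if best and len(best[1]) >= min_hosts:
            alerts.append({"user": user, "start": best[0], "hosts": sorted(best[1])})
    return alerts


def detect_transfer_tools(events):
    """Return process_start events whose binary basename is a known transfer tool."""
    hits = []
    for ev in events:
        if ev["event"] == "process_start" and ev["proc"]:
            name = ev["proc"].rsplit("/", 1)[-1].lower()
            if name in FILE_TRANSFER_TOOLS:
                hits.append(ev)
    return hits


def correlate(events, **fanout_kwargs):
    """Join the two signals: fan-out accounts that also ran transfer tools, and where."""
    tool_hosts = defaultdict(set)
    for ev in detect_transfer_tools(events):
        tool_hosts[ev["user"]].add(ev["host"])
    findings = []
    for alert in detect_fanout(events, **fanout_kwargs):
        alert["transfer_hosts"] = sorted(tool_hosts.get(alert["user"], set()))
        findings.append(alert)
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{f['user']}: {len(f['hosts'])} hosts from {f['start']}; "
              f"transfer tools on {f['transfer_hosts']}")
```

On the constructed feed only `svc_admin` trips the five-host threshold, and the correlation shows the same account launching `scp`, `sftp` and `pscp` on three of the hosts it reached; `alice`, who touches two hosts in a day, stays below it. In a real estate the threshold and window should be set from a baseline of each account's normal SSH reach, because administrators and backup service accounts legitimately fan out too.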

After a three-week lull, access was handed over to the Cactus ransomware gang, notorious for double extortion, which used the stolen credentials to deepen the compromise through lateral movement, data exfiltration, and ransomware deployment.
From Initial Breach to Double Extortion Tactics ...
Copyright of this story solely belongs to gbhackers.