Case Study – How can the MyIT Program prevent real-world attacks
When talking with prospective new clients about our MyIT Program, one question that comes up quite a bit is something like “Yeah, I get that you do some stuff but how does that really help me” and I usually try to come up with something relevant but, to be honest, I’m pretty sure that I usually fall short. So, when I read this post by Cisco Talos about ToyMaker and Cactus, an up-and-coming attack chain currently favored by bad guys, it looked like a perfect way to illustrate the value of our MyIT Program in the real world.
What are ToyMaker and Cactus and why should I care?
ToyMaker and Cactus are two tools that Cisco Talos discovered in an “extensive compromise” back in 2023. ToyMaker basically gains access to the target environment, gathers some information about that environment and then creates a backdoor that can be used by (rented out to) other cyber criminals. Cactus then starts exploring the environment, exfiltrating data (intellectual property, client data, patient data, payment data, etc.) and potentially launching ransomware, locking the legitimate user out of their data until a ransom is paid, leveraging the stolen data as an added incentive for the victim to pay.
How can the MyIT Program help, specifically?
The MyIT Program is based on the CIS18 Critical Security Controls and leverages a layered approach to ideally prevent a threat actor from gaining access to client environments but, if they are able to gain access, to maximize the likelihood that they’re discovered and minimize the amount of damage that can be done.
- Gaining Access – According to the article, ToyMaker attacks vulnerabilities in exposed systems to gain initial access. Our MyIT Program helps protect clients by minimizing their exposure, ensuring that they’re patched against known vulnerabilities and blocking access to and from known malicious addresses.
- Minimize Exposure – As a general rule, we try to minimize what our clients are leaving exposed to criminals by installing firewalls and requiring VPN to access anything inside the firewall.
- Patch Management – Our Patch Management system starts pushing updates within around 48 hours for non-critical updates and within 24 hours for critical updates. Ideally, by the time the criminals have developed a way to exploit the vulnerabilities, we’ve already patched them.
- Blocking Access – In addition to the security services included with the firewalls, we curate a list of addresses that we observe malicious traffic from or that we find documented elsewhere (like the addresses listed in this Cisco Talos article) and automatically block traffic to and from those addresses to and from all of the firewalls that we manage. We refer to this internally maintained blacklist as Threatfeed.
- Initial Attack – According to the article, once on target, ToyMaker immediately starts exploring the environment and setting up persistence. Our MyIT Program helps protect against this phase of the attack by alerting on suspicious activity, blocking known malicious tools and blocking access to Command and Control (C2) servers.
- Alerting on Administrative Activities – The MyIT Silver and Gold programs provide near-real-time alerting for administrative activities like new user creation or giving users administrative access.
- Blocking malicious software – The MyIT Silver and Gold programs alert on new software installation and the endpoint protection software monitors for and blocks malicious activity and software installation based on a combination of signature- and behavior-based detection tools. We also discourage the use of privileged / administrative accounts for daily use so that the cyber criminals can’t use the user’s standard account to install anything.
- Blocking access to Command and Control – In addition to blocking access to the addresses that may be the sources of attack, Threatfeed also blocks access to many of the addresses and networks being used by these threat actors for Command and Control. If a threat actor is able to gain access to a target system, they often need to download additional tools to complete their task. Access to those tools is often blocked by Threatfeed, effectively neutering the attack.
- Additional Activities – Once the system has been breached and the initial foothold has been established by ToyMaker, there seems to be a handoff to the Cactus gang for additional exploration of the network, data exfiltration and possibly ransomware.
- Near-real-time alerting of software installs – Many of the remote tools (AnyDesk, for example) will generate an alert and a phone call to the client environment to verify the install.
- Endpoint protection alerting for malicious activity – Many of the activities detailed in the Cisco Talos article will generate alerts from the endpoint security, prompting a call to the client environment to verify the activity.
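To make the alerting and blocking controls above concrete, here is an added illustration (not Cyber Tech Cafe’s tooling) of the kind of triage logic that turns administrative events, software installs and a curated address blocklist into alerts. The event records, host names, user names and addresses are all constructed; the Windows event IDs are the standard ones for user creation, privileged-group membership changes and service/MSI installs, and the blocklist stands in for the Threatfeed described above.

```python
"""Alert triage over constructed endpoint telemetry (illustration only).

Event IDs used: 4720 (user account created), 4728/4732 (member added to a
security-enabled group), 7045 (new service installed), 11707 (MsiInstaller:
installation completed). All records below are constructed sample data.
"""
import ipaddress

ADMIN_GROUPS = {"Administrators", "Domain Admins"}
REMOTE_ACCESS_TOOLS = {"anydesk"}  # installs of these get the phone-call treatment

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"event_id": 4720, "host": "WS01", "subject": "svc_backup", "target": "helpdesk2"},
    {"event_id": 4732, "host": "WS01", "subject": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"event_id": 4732, "host": "WS01", "subject": "admin.jane", "target": "sales1", "group": "Remote Desktop Users"},
    {"event_id": 7045, "host": "WS01", "subject": "helpdesk2", "product": "AnyDesk"},
    {"event_id": 11707, "host": "WS02", "subject": "admin.jane", "product": "7-Zip"},
]
SAMPLE_CONNECTIONS = [("WS01", "203.0.113.45"), ("WS02", "198.51.100.7")]  # constructed
BLOCKLIST = ["203.0.113.0/24", "192.0.2.10/32"]  # constructed stand-in for Threatfeed


def triage_events(events):
    """Return (severity, message) alerts for the administrative activity the page calls out."""
    alerts, new_users = [], set()
    for e in events:
        eid = e["event_id"]
        if eid == 4720:
            new_users.add(e["target"])
            alerts.append(("high", f"{e['host']}: {e['subject']} created user {e['target']}"))
        elif eid in (4728, 4732) and e["group"] in ADMIN_GROUPS:
            # A freshly created account being promoted to admin is the worst case: escalate.
            sev = "critical" if e["target"] in new_users else "high"
            alerts.append((sev, f"{e['host']}: {e['subject']} added {e['target']} to {e['group']}"))
        elif eid in (7045, 11707):
            sev = "high" if e["product"].lower() in REMOTE_ACCESS_TOOLS else "medium"
            alerts.append((sev, f"{e['host']}: {e['subject']} installed {e['product']}"))
    return alerts


def blocked_connections(connections, blocklist):
    """Return (host, destination) pairs whose destination falls inside a blocklisted network."""
    nets = [ipaddress.ip_network(entry) for entry in blocklist]
    return [(host, dst) for host, dst in connections
            if any(ipaddress.ip_address(dst) in net for net in nets)]


if __name__ == "__main__":
    for severity, message in triage_events(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
    print("blocked:", blocked_connections(SAMPLE_CONNECTIONS, BLOCKLIST))
```

Note that the membership change to “Remote Desktop Users” is deliberately not alerted, since only the privileged groups are in scope; in practice that list would be tuned per client.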
Summary
The attack scenario described in the Cisco Talos article is unfortunately one that’s played out time and again by cyber criminals, typically with no regard to the size of the organization, the industry or the impact that a successful attack on that organization may have. The target could be a small business with one or two employees or a large, global enterprise. It could be a service business like an HVAC repair, plumber or electrician, a healthcare business like a medical office or hospital, or it could be a defense contractor. A successful attack could leave two or three employees unemployed or it could block access to or subtly alter critical medical information for a healthcare office or hospital. In any case, an organization without a comprehensive security posture in place for their IT environment can easily fall victim.
Need IT Support for your Home or Business? We’d love to help!
Are you a small to medium sized business looking to leverage technology and enable your business and workforce to work smarter and more efficiently? Do you already have computers, servers, firewalls, VPNs or other technology that you’re not taking full advantage of? Are you looking for an IT Service Provider who understands small to medium sized businesses’ needs and the challenges that we face, and that can work with you to grow your business rather than just sell you time?
Cyber Tech Cafe is an IT Service Company with a focus on helping small to medium businesses get the most out of their technology investment. As a small business ourselves, we understand the challenges you face and have designed our service offerings to help you get the most out of your technology dollar. We offer on-call, as-needed support if you just need a quick fix or an extra set of hands right now. We also offer maintenance plans that we call “MyIT” that are designed to address the most common concerns (patch management, disaster recovery / backup, log review, etc.), that are based on the number of workstations and servers that you have, and that have no term contract. We believe that, if you find value in what we’re doing, you’ll find a way to keep us around without a contract saying that you have to.
If you have questions about the MyIT plans or have an IT need that you need addressed right now, let us know. We look forward to the opportunity to earn your business.
Additional Information
- Cisco Talos Blog Post – https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/
- Some services that we provide – https://www.ctc.co/services/
- Details on the MyIT Program – https://www.ctc.co/support-options/#myit