A ransomware group called EncryptHub has been accelerating attacks and is now known to have breached the networks of more than 600 organizations worldwide. EncryptHub has been active since June 2024 and gains initial access to victims’ networks via spear phishing attacks, with initial contact made via SMS messages rather than email.

The group impersonates commonly used corporate VPN products such as Palo Alto GlobalProtect and Cisco AnyConnect, as well as Microsoft 365, and drives traffic to its malicious domains by making contact via personalized SMS messages (smishing) or by phone (vishing).

If vishing is used and the victim is contacted by phone, EncryptHub impersonates a member of the IT helpdesk and uses social engineering techniques to trick the victim into disclosing their VPN credentials. Either the phone number is spoofed to make it appear that the call is coming from inside the company, or Microsoft Teams phone numbers are used. The victim is told that there is a problem with the corporate VPN that needs to be resolved, and if the scam works, the user is sent a link via SMS that directs them to a domain that resembles the VPN solution used by that company. If the user enters their credentials, they are used in real time to log in, and if there are any multifactor authentication prompts, the threat actor is able to obtain them on the call. Once the threat actor has gained access, the user is redirected to the genuine login page for their VPN, and the call is terminated.

Another tactic used by the group involves SMS messages containing a fake Microsoft Teams link, with the goal of capturing the recipient's Microsoft 365 credentials. The user is directed to a Microsoft Teams-related login page, and the threat actor exploits open URL parameters on microsoftonline.com to harvest email addresses and passwords while the user believes they are interacting with the legitimate Microsoft service. Once access is gained, the group uses PowerShell scripts and malware to gain persistence, then moves laterally, steals data, deploys the ransomware payload, and issues a ransom demand.
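Both lures leave a trace in URLs that can be checked in proxy logs or in links reported by staff. The following is an added example, not code from TitanHQ or from any report on the group: it flags hostnames that carry a VPN product name but are not the company's own portal, and microsoftonline.com URLs whose parameters point to an outside site. The portal host, the trusted-domain list, and the sample URLs (including the `dest` parameter name) are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumptions, not from the article: the organisation's genuine VPN portal,
# the brand strings to watch for, and the domains a sign-in may redirect to.
OWN_VPN_HOSTS = {"vpn.example.com"}
BRAND_KEYWORDS = ("globalprotect", "anyconnect")
IDP_DOMAIN = "microsoftonline.com"
TRUSTED_REDIRECT_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com", "example.com")


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(url):
    """Return the reasons a URL from a proxy log or reported SMS needs review."""
    host = host_of(url)
    if not host:
        return ["unparseable"]
    reasons = []
    # 1. VPN product name in a hostname that is not the company's own portal.
    if host not in OWN_VPN_HOSTS and any(k in host.replace("-", "") for k in BRAND_KEYWORDS):
        reasons.append("vpn-brand-lookalike")
    # 2. Genuine Microsoft sign-in host carrying a parameter that points off-site.
    if under(host, IDP_DOMAIN):
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            target = host_of(unquote(value))  # second decode catches double encoding
            if target and not any(under(target, d) for d in TRUSTED_REDIRECT_DOMAINS):
                reasons.append(f"offsite-redirect:{name}->{target}")
    return reasons


# Constructed sample URLs using reserved .test / example.com names.
SAMPLES = [
    "https://vpn.example.com/login",
    "https://global-protect.helpdesk-portal.test/login",
    "https://login.microsoftonline.com/common/?dest=https%3A%2F%2Fcollector.test%2Fa",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample) or ["ok"], sample)
```

A hit is a prompt for review rather than a verdict: legitimate third-party sign-ins also redirect off-site, so the trusted-domain list needs to reflect the applications the organisation actually uses.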

The group’s tactics are highly effective because, in contrast to spear phishing via email, initial contact via SMS or over the phone is difficult to block. The key to preventing these attacks is improving the security awareness of the workforce and using a web filter to prevent employees from accessing the phishing domains. TitanHQ’s web filter, WebTitan, is a DNS-based web filtering solution that is constantly updated with the latest threat intelligence from multiple sources to provide up-to-the-minute protection against new phishing domains. Any attempt to visit a known phishing domain or other malicious site will be blocked, with the user directed to a locally hosted block page.

Regular security awareness training for the workforce is vital to teach security best practices and raise awareness of the tactics used by cybercriminals to breach corporate networks. With the SafeTitan security awareness training platform, businesses can easily create training programs tailored for individuals, roles, and departments, and automate those campaigns so they run continuously throughout the year, delivering training in small chunks on a weekly or monthly basis. It is easy to incorporate new training in response to changing threat actor tactics to increase awareness of specific threats. The platform also includes a phishing simulator for running phishing simulations on the workforce to reinforce training and identify knowledge gaps. If a user fails a phishing simulation, training relevant to the threat they failed to identify is automatically delivered to them in real time. This ensures training is delivered at the point when it is likely to be most effective.

For more information on TitanHQ solutions, including the WebTitan DNS filter and the SafeTitan security awareness training platform, give the TitanHQ team a call today. Both solutions are available on a free trial to allow you to assess them fully before making a purchase decision.