EncryptHub Exposed: 600+ Targets Hit by LARVA-208

Summary: A new threat actor, LARVA-208 (EncryptHub), has been running sophisticated spear-phishing campaigns since June 2024, using techniques such as smishing and vishing to gain access to corporate networks. The group has obtained at least 70 domain names to impersonate legitimate VPN login pages and exploits vulnerabilities to harvest user credentials, then deploys ransomware and demands payment. At least 618 organizations have been affected, suffering significant data loss and operational disruption.

Affected: Corporate networks (especially those using Cisco, Palo Alto, and Fortinet VPNs)

Key points:

  • LARVA-208 employs smishing and vishing to trick employees into sharing VPN credentials or installing remote monitoring software.
  • They use at least 70 fraudulent domains impersonating VPN services to bypass multifactor authentication and harvest one-time passcodes.
  • The group has compromised over 618 organizations, deploying ransomware like Locker.ps1 to encrypt data and demand cryptocurrency payments.
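
As an added illustration (not code from the securityonline.info article or the actor's tooling), a small Python triage helper that flags proxy-log destinations which borrow Cisco, Palo Alto or Fortinet VPN brand names on domains the vendors do not own, the pattern behind the fraudulent VPN portals described above; the vendor allowlist, brand keywords and sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Brand keywords that VPN-portal lookalike domains reuse, mapped to the
# vendor's legitimate registrable domain (assumed allowlist; extend as needed).
VPN_BRANDS = {
    "cisco": {"cisco.com"}, "anyconnect": {"cisco.com"},
    "paloalto": {"paloaltonetworks.com"}, "globalprotect": {"paloaltonetworks.com"},
    "fortinet": {"fortinet.com"}, "forticlient": {"fortinet.com"},
    "fortigate": {"fortinet.com"},
}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the vendor domains above,
    not for ccTLDs like co.uk, where a public-suffix list is needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(host: str) -> bool:
    """True when a host uses a VPN vendor brand but is not on the vendor's domain."""
    host = host.lower()
    base = registrable_domain(host)
    squashed = re.sub(r"[-.]", "", host)  # 'cisco-sso.example.net' -> 'ciscossoexamplenet'
    return any(brand in squashed and base not in legit
               for brand, legit in VPN_BRANDS.items())

def flag_proxy_log(lines):
    """Return (user, host) pairs whose destination looks like a VPN-portal lookalike.
    Keyword matching is a triage signal, not proof: a legitimate partner site
    mentioning a vendor name will also be flagged and needs analyst review."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        user, url = parts[1], parts[2]
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append((user, host))
    return hits

# Constructed sample proxy lines: "<time> <user> <url> <status>"
SAMPLE_LOG = [
    "2024-09-02T08:14:03Z jdoe https://vpn.cisco.com/+CSCOE+/logon.html 200",
    "2024-09-02T08:16:41Z jdoe https://cisco-anyconnect-sso.example.net/login 200",
    "2024-09-02T09:02:10Z asmith https://globalprotect.paloaltonetworks.com/ 200",
    "2024-09-02T09:05:55Z asmith https://globalprotect-portal.example.org/otp 200",
    "2024-09-02T10:30:00Z kchen https://forticlient-vpn.example.com/sslvpn/login 200",
    "2024-09-02T10:31:00Z kchen https://www.fortinet.com/ 200",
]
```

Running `flag_proxy_log(SAMPLE_LOG)` returns the three non-vendor hosts, each a candidate for blocking and for checking whether the user submitted credentials or an OTP.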

Source: https://securityonline.info/encrypthub-exposed-600-targets-hit-by-larva-208/