Google's Threat Intelligence Group (GTIG) has issued a warning about a new threat actor, identified as UNC6783, targeting business process outsourcing (BPO) organizations to steal sensitive data from high-value companies.
According to GTIG, this financially motivated group is believed to be linked to the persona known as 'Raccoon', which has previously claimed responsibility for significant data breaches, including the theft of Adobe data from a third-party supplier.
GTIG's principal threat analyst, Austin Larsen, noted that UNC6783 has been actively engaged in social engineering and phishing campaigns aimed at numerous high-value corporate entities across various industries.
"The actor primarily concentrates on compromising BPOs that have relationships with these targeted corporations. We have also observed direct attacks on the support and helpdesk personnel of these organizations to gain trusted access and pilfer sensitive data for extortion purposes," Larsen explained.
The methods employed by UNC6783 include orchestrating live chat sessions to entice employees into visiting spoofed Okta login pages. Additionally, the threat actors utilize a phishing kit that captures clipboard contents to bypass traditional multi-factor authentication (MFA) measures.
GTIG reports that the social engineering tactics of UNC6783 involve the creation of deceptive Zendesk support pages that mimic the domains of the targeted organizations.
By exploiting compromised employee accounts, the hackers are able to enroll their own devices, thereby securing persistent access to the affected environments.
"We have also witnessed their use of fraudulent security software updates to deceive victims into downloading remote access malware. Following the exfiltration of data, UNC6783 has been known to operate using Proton Mail accounts to send ransom notes demanding payment for the stolen information," Larsen added.
Mr. Raccoon Claims Responsibility for Adobe Data Breach
The description of UNC6783's tactics, alongside the references to Raccoon, indicates a possible connection to the hacker known as Mr. Raccoon, who has asserted the theft of significant amounts of Adobe data from a BPO in India.
The hacker claimed that the stolen information includes personal details of 15,000 employees, millions of support tickets, and various bug bounty submissions.
The attack reportedly began with a phishing email directed at a support agent within the BPO, who unwittingly executed a remote access trojan (RAT), granting the hacker full control over their computer.
Subsequently, the attacker conducted reconnaissance and utilized the employee's email address to send a second phishing email to a manager, who inadvertently disclosed their credentials for the support platform.
Mr. Raccoon has asserted that he was able to export the entire Adobe database from the platform with just a single request.
GTIG has reached out to Adobe for an official statement regarding the hacker's claims and will update this article pending a response.
Written By: Ionut Arghire
Ionut Arghire serves as an international correspondent focusing on cybersecurity issues.
Source: SecurityWeek News