
UNC6783 Exploits BPOs for Data Extortion via Phishing Campaigns

Severity: High (Score: 72.5)

Sources: Theregister, Infosecurity-Magazine, Bleepingcomputer, Cybersecuritydive, Thecyberexpress

Summary

The Google Threat Intelligence Group (GTIG) reported that a financially motivated cybercriminal group, UNC6783, is targeting business process outsourcing (BPO) companies to infiltrate high-value organizations across various sectors. The group employs social engineering and phishing tactics, particularly through live chat, to compromise BPOs and gain access to sensitive data. Attackers direct employees to spoofed Okta login pages hosted on domains resembling legitimate ones, often using the pattern [.]zendesk-support[.]com. They utilize advanced phishing kits capable of stealing clipboard contents to bypass multi-factor authentication (MFA). Following data exfiltration, ransom notes are sent via ProtonMail accounts. The campaign has already affected several dozen companies, with notable claims of a breach at Adobe involving the theft of 13 million support tickets. Google’s Mandiant division has recommended defensive measures, including the use of FIDO2 hardware keys for MFA and monitoring live chat systems for suspicious activity.

Key Points:

  • UNC6783 targets BPOs to access sensitive data of high-value companies.
  • Attackers use phishing kits to bypass MFA and gain persistent access.
  • Ransom notes are sent via ProtonMail after data exfiltration.
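The summary names one concrete, detectable artifact: spoofed Okta login pages on lookalike domains following the [.]zendesk-support[.]com pattern. The script below is an added illustration of how a defender could hunt for that in web proxy logs; it is not code from GTIG, Mandiant or any of the cited outlets. The log format (a `url=` field per line), the allowlist of legitimate apex domains (`okta.com`, `zendesk.com`) and the sample log lines are all constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only legitimate identity/support domains in this environment.
LEGIT_APEX = {"okta.com", "zendesk.com"}

# Brand words whose appearance in a hostname outside the legitimate apex is suspicious.
BRAND_TOKENS = ("okta", "zendesk")

# The lookalike pattern called out in the reporting: <label>.zendesk-support.com
LOOKALIKE_PATTERN = re.compile(r"(^|\.)zendesk-support\.com$")


def refang(value):
    """Turn defanged indicators (hxxp, [.]) back into a parseable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def apex_of(host):
    """Naive registrable-domain extraction: last two labels.
    Good enough for .com; a real deployment would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Rank a hostname: legitimate, lookalike-pattern, brand-token or unrelated."""
    host = refang(host).lower()
    if apex_of(host) in LEGIT_APEX:
        return "legitimate"
    if LOOKALIKE_PATTERN.search(host):
        return "lookalike-pattern"
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-token"
    return "unrelated"


def scan_proxy_log(lines):
    """Return (hostname, verdict) for every visited host that deserves analyst review."""
    hits = []
    for line in lines:
        m = re.search(r"url=(\S+)", line)
        if not m:
            continue
        host = urlsplit(refang(m.group(1))).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict in ("lookalike-pattern", "brand-token"):
            hits.append((host, verdict))
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2025-01-10T09:12:03Z user=alice url=https://acme.okta.com/login action=allow",
    "2025-01-10T09:14:51Z user=bob url=https://acme.zendesk-support.com/okta/login action=allow",
    "2025-01-10T09:15:07Z user=carol url=https://okta-verify-portal.example/ action=allow",
    "2025-01-10T09:16:22Z user=alice url=https://acme.zendesk.com/agent action=allow",
    "2025-01-10T09:18:40Z user=dave url=https://news.example.org/ action=allow",
]

if __name__ == "__main__":
    for host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:18} {host}")
```

The allowlist check runs first so that real tenant subdomains such as acme.okta.com never trip the brand-token rule; only hosts whose registrable domain is not one you own or trust are surfaced, with the exact zendesk-support pattern ranked above a generic brand-word match.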

Key Entities

  • Mr. Raccoon (apt_group)
  • Scattered Spider (apt_group)
  • ShinyHunters (apt_group)
  • Unc6783 (apt_group)
  • Raccoon (malware)
  • Data Breach (attack_type)
  • Data Exfiltration (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Adobe (company)
  • Crunchyroll (company)
  • Okta (company)
  • Zendesk (company)
  • India (country)
  • Singapore (country)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1078 - Valid Accounts (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Proton Mail (platform)
  • ProtonMail (platform)
  • WhatsApp (platform)
  • Phishing Kit (tool)
  • Remote Access Tool (tool)