
UNC6783 Hackers Target BPOs for Data Theft and Extortion

Severity: High (Score: 69.5)

Sources: Infosecurity-Magazine, Bleepingcomputer, Cybersecuritydive

Summary

A new threat group known as UNC6783 has been identified targeting business process outsourcing (BPO) providers and large enterprises to steal sensitive data for extortion. The Google Threat Intelligence Group (GTIG) reports that UNC6783 employs social engineering tactics, particularly through live chat, to direct employees to spoofed Okta login pages. These phishing attacks often utilize domains that mimic the targeted organizations, specifically using patterns like [.]zendesk-support[.]com. The attackers have been successful in bypassing multi-factor authentication (MFA) by stealing clipboard contents. Following data exfiltration, victims receive ransom demands via ProtonMail. The group is believed to be linked to the Raccoon persona, which has previously claimed responsibility for breaches, including a significant incident involving Adobe. GTIG has recommended several defensive measures, including the deployment of FIDO2 security keys and monitoring for abuse in live chat systems. The extent of the impact is significant, with dozens of organizations across various sectors being targeted.

Key Points:

  • UNC6783 targets BPOs and helpdesk staff to steal sensitive data for extortion.
  • The group uses social engineering and phishing tactics to bypass MFA protections.
  • Victims receive ransom demands via ProtonMail after data exfiltration.
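The summary describes lookalike domains that combine a vendor brand (Okta, Zendesk) with a name resembling the targeted organization. The following detection script is an added example, not code from the report or from GTIG: it scans proxy log lines for hostnames that mention an impersonated brand but do not resolve under that brand's real registrable domain, and raises the priority when the organization's own name also appears in the host. The log lines, the organization name `acme`, the allowlist, and the naive two-label registrable-domain logic are all assumptions; a production version would use the Public Suffix List and the tenant's real SSO hostnames.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the report): timestamp, user, URL.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z alice https://acme.okta.com/login/login.htm
2024-01-01T10:00:07Z bob https://acme-sso.zendesk-support.com/okta/login
2024-01-01T10:00:09Z carol https://acme.zendesk.com/agent/tickets/42
2024-01-01T10:00:15Z dave http://acme.okta-support.com/signin
2024-01-01T10:00:20Z erin https://www.example.org/
"""

# Assumed organization name and the hostnames it legitimately uses for SSO/helpdesk.
ORG_NAME = "acme"
ALLOWED_HOSTS = {"acme.okta.com", "acme.zendesk.com"}

# Brands the report says are impersonated, mapped to their real registrable domains.
BRAND_DOMAINS = {"okta": "okta.com", "zendesk": "zendesk.com"}

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def host_of(url):
    """Return the lowercase hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    # Naive: last two labels. Assumption for the example; use the Public Suffix
    # List in practice so that e.g. co.uk is handled correctly.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_brand(host):
    """Return the impersonated brand if the host mentions it outside the brand's real domain."""
    rd = registrable_domain(host)
    for brand, real in BRAND_DOMAINS.items():
        if brand in host and rd != real:
            return brand
    return None


def classify(host, org=ORG_NAME, allowed=ALLOWED_HOSTS):
    """Return None for benign hosts, otherwise ('high'|'medium', brand)."""
    if not host or host in allowed:
        return None
    brand = lookalike_brand(host)
    if brand is None:
        return None
    # A brand lookalike that also embeds the org's name matches the targeted
    # phishing pattern described in the report, so it gets the higher priority.
    return ("high" if org in host else "medium", brand)


def scan(log_text):
    """Scan log lines and return (user, host, priority, brand) for suspicious hosts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, user, url = m.groups()
        host = host_of(url)
        verdict = classify(host)
        if verdict:
            hits.append((user, host, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for user, host, priority, brand in scan(SAMPLE_LOG):
        print(f"{priority.upper():6} {user:8} {host} (impersonates {brand})")
```

Hits are keyed by user so the SOC can pair a flagged visit with the helpdesk chat session that preceded it; the allowlist is checked before any pattern logic so legitimate tenant hostnames never generate noise.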

Key Entities

  • Raccoon (malware)
  • UNC6783 (apt_group)
  • Data Breach (attack_type)
  • Data Exfiltration (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Adobe (company)
  • Crunchyroll (company)
  • Okta (company)
  • Zendesk (company)
  • India (country)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Proton Mail (platform)
  • Phishing Kit (tool)