
UNC6783 Hackers Target BPOs to Steal Corporate Zendesk Support Tickets

Severity: High (Score: 71.0)

Sources: Cybersecuritydive, Bleepingcomputer

Summary

A threat actor group tracked as UNC6783 has been targeting business process outsourcing (BPO) providers to gain access to sensitive data belonging to high-value companies across various sectors. The Google Threat Intelligence Group reported that the attackers rely on social engineering and phishing, including directing support staff to spoofed Okta login pages. The group has been linked to the 'Raccoon' persona, which has claimed responsibility for breaches at companies such as Adobe, where 13 million support tickets were allegedly stolen. The attackers use phishing kits capable of bypassing multi-factor authentication (MFA) and have also distributed fake security updates to deploy remote access malware. After data exfiltration, victims are contacted via ProtonMail with extortion demands. While the specific organizations affected have not been disclosed, dozens have been targeted. Recommended defenses include deploying FIDO2 security keys for MFA and monitoring live chat channels for abuse.

Key Points

  • UNC6783 targets BPOs to access sensitive corporate data through social engineering.
  • The phishing kits used in these attacks can bypass multi-factor authentication protections.
  • Victims receive extortion demands via ProtonMail after data is stolen.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Adobe (company)
  • Okta (company)
  • Zendesk (company)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)