Google Warns of New Campaign Targeting BPOs to Steal Corporate Data

Apr 10, 2026  Twila Rosenbaum

Google's Threat Intelligence Group (GTIG) has raised concerns about a new campaign orchestrated by a financially motivated threat actor, identified as UNC6783, which is targeting business process outsourcing (BPO) organizations with the intent to steal sensitive corporate data from high-value companies.

According to GTIG principal threat analyst Austin Larsen, UNC6783 is potentially linked to a hacker persona known as ‘Raccoon’, who recently claimed responsibility for the theft of various Adobe data from a third-party supplier.

UNC6783 has been actively engaged in social engineering and phishing campaigns, focusing on dozens of high-value corporate entities across multiple sectors. Larsen notes, “The actor primarily concentrates on compromising BPOs that provide services to these targeted companies. They also directly target the support and helpdesk staff of these organizations to gain trusted access and steal sensitive data for extortion operations.”

The threat actor employs live chat techniques to lure employees into spoofed Okta login pages, utilizing a phishing kit designed to capture clipboard contents, which helps in bypassing standard multi-factor authentication (MFA) verification measures.

GTIG highlighted that UNC6783's social engineering strategies include deploying fake Zendesk support pages that mimic the domain of the targeted organization. By utilizing the compromised accounts of targeted employees, the hackers are able to enroll their own devices, thus securing persistent access to the compromised environment.
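One way a defender could look for the device-enrollment persistence described above is to flag enrollments that closely follow a sign-in from an IP address the account has not used before. The sketch below is an added example, not code from GTIG or the article; the event schema, field names, 30-minute window and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed sample events in a simplified, hypothetical schema (not a vendor log format).
EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "agent1", "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2026-04-02T09:01:00", "user": "agent1", "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2026-04-02T14:20:00", "user": "agent1", "type": "signin", "ip": "203.0.113.77"},
    {"ts": "2026-04-02T14:26:00", "user": "agent1", "type": "device_enroll", "ip": "203.0.113.77"},
    {"ts": "2026-04-01T08:00:00", "user": "agent2", "type": "signin", "ip": "198.51.100.20"},
    {"ts": "2026-04-03T08:05:00", "user": "agent2", "type": "signin", "ip": "198.51.100.20"},
    {"ts": "2026-04-03T08:10:00", "user": "agent2", "type": "device_enroll", "ip": "198.51.100.20"},
]

def suspicious_enrollments(events, window=WINDOW):
    """Return enrollments that follow a sign-in from a first-seen IP within `window`."""
    known_ips = {}      # user -> set of IPs seen in earlier sign-ins
    new_ip_signin = {}  # user -> (time, ip) of the latest sign-in from a first-seen IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "signin":
            # The first sign-in recorded for a user is treated as baseline, not as new.
            if seen and ip not in seen:
                new_ip_signin[user] = (ts, ip)
            seen.add(ip)
        elif ev["type"] == "device_enroll":
            hit = new_ip_signin.get(user)
            if hit and ts - hit[0] <= window:
                alerts.append({
                    "user": user,
                    "enrolled_at": ev["ts"],
                    "signin_ip": hit[1],
                    "minutes_after_signin": int((ts - hit[0]).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in suspicious_enrollments(EVENTS):
        print(alert)
```

In a real deployment the same correlation would run over the identity provider's own audit log, with its actual event names mapped onto the two event types assumed here.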

Larsen further explains, “We have also observed them employing fake security software updates to trick victims into downloading remote access malware. After data exfiltration, UNC6783 has been known to utilize Proton Mail accounts to send ransom notes as part of their data theft extortion operations.”

Mr. Raccoon Claims Adobe Data Theft

GTIG’s detailed description of UNC6783’s tactics and the reference to Raccoon suggest that this threat actor may be the same individual who claimed to have stolen a significant amount of data from Adobe via a BPO firm located in India.

According to the hacker, the stolen data encompasses the personal information of approximately 15,000 employees, alongside millions of support tickets and bug bounty submissions. The attack reportedly began with a phishing email targeting a support agent at the BPO, who was deceived into executing a Remote Access Trojan (RAT), allowing the hacker full control over their computer.

Subsequently, the attacker conducted reconnaissance and used the employee’s email address to send a second phishing email to a manager, who inadvertently provided credentials for the support platform.

Mr. Raccoon claimed to have successfully exported the entire Adobe database from the platform with a single request. Security experts have reached out to Adobe for a comment regarding the hacker's claims and will provide updates as the company responds.

Related Issues: This incident raises significant concerns, as it mirrors other recent data breaches, including the Eurail data breach impacting 300,000 individuals, and a Lloyds data security incident affecting 450,000 people.

Furthermore, the expanding mobile attack surface poses an increasing threat to enterprises, as they lose control over sensitive data. In another alarming case, $3.6 million was stolen in a hack involving Bitcoin Depot.

The ramifications of such attacks highlight the critical necessity for organizations to enhance their cybersecurity measures, particularly those involved in business process outsourcing. The reliance on BPOs for operational support makes them vulnerable targets for cybercriminals seeking to exploit weaknesses in data security protocols.

In summary, the threat posed by UNC6783 underscores the importance of vigilance, employee training, and robust security practices to mitigate the risks associated with targeted phishing and social engineering attacks.


Source: SecurityWeek News

