The Google Threat Intelligence Group (GTIG) has issued a warning regarding a financially motivated threat actor, tracked as UNC6783, which is specifically targeting business process outsourcing (BPO) organizations. This actor aims to steal sensitive data from high-value corporate entities across various industries.
According to Austin Larsen, a principal threat analyst at GTIG, UNC6783 is potentially connected to an individual known as 'Mr. Raccoon.' This hacker recently claimed responsibility for the theft of significant amounts of data from Adobe via a third-party supplier.
GTIG's analysis indicates that UNC6783 has been active in executing social engineering and phishing campaigns aimed at dozens of high-value companies. “The actor primarily focuses on compromising BPOs that serve these targeted organizations,” Larsen noted. The threat actor has also been observed directly targeting helpdesk and support staff to gain trusted access and extract sensitive data for extortion purposes.
The methods used by UNC6783 include luring employees into interacting with spoofed Okta login pages through live chat systems, as well as deploying a phishing kit designed to capture clipboard contents to circumvent standard multi-factor authentication (MFA) verification processes.
GTIG highlights that the social engineering techniques employed by UNC6783 often involve fake Zendesk support pages that mimic the legitimate domains of the targeted organizations. By using the compromised accounts of employees, the hackers are able to enroll their own devices, thereby securing persistent access to the breached environments.
“We have also seen them employing fake security software updates to deceive victims into downloading remote access malware,” Larsen explained. After exfiltrating data, UNC6783 has reportedly utilized Proton Mail accounts to send ransom notes demanding payment for the stolen information.
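The persistence technique described above (a compromised account used to enroll an attacker-controlled device) leaves a recognizable pattern in an identity provider's audit log: a successful login from a source address the user has never used, followed within minutes by a new MFA factor being activated. The script below is an added defensive example, not code from GTIG or SecurityWeek, that runs that check over a constructed set of log events. The event-type names are Okta-style labels assumed for illustration, and the IP addresses and timestamps are made up.

```python
"""Flag MFA factor enrollments that closely follow a login from a never-seen IP.

Added example, not from the original article. The event shape is simplified and
the event-type strings are Okta-style names assumed for illustration; adapt them
to your own identity provider's log schema. All sample events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    ts: datetime
    user: str
    event_type: str   # assumed names: "user.session.start", "user.mfa.factor.activate"
    ip: str
    outcome: str      # "SUCCESS" or "FAILURE"


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample log. alice has a history of logins from one office IP, then a
# login from a never-seen IP is followed seven minutes later by a factor
# enrollment. bob enrolls a factor from his usual IP, which should not be flagged.
EVENTS: List[Event] = [
    Event(_t("2024-01-02 09:00"), "alice", "user.session.start", "203.0.113.10", "SUCCESS"),
    Event(_t("2024-01-03 09:05"), "alice", "user.session.start", "203.0.113.10", "SUCCESS"),
    Event(_t("2024-01-04 09:01"), "alice", "user.session.start", "203.0.113.10", "SUCCESS"),
    Event(_t("2024-01-05 14:20"), "alice", "user.session.start", "198.51.100.77", "SUCCESS"),
    Event(_t("2024-01-05 14:27"), "alice", "user.mfa.factor.activate", "198.51.100.77", "SUCCESS"),
    Event(_t("2024-01-02 10:00"), "bob", "user.session.start", "203.0.113.20", "SUCCESS"),
    Event(_t("2024-01-06 10:10"), "bob", "user.session.start", "203.0.113.20", "SUCCESS"),
    Event(_t("2024-01-06 10:15"), "bob", "user.mfa.factor.activate", "203.0.113.20", "SUCCESS"),
]


def find_suspicious_enrollments(
    events: List[Event], window_minutes: int = 60, min_history: int = 2
) -> List[Tuple[str, datetime, str]]:
    """Return (user, timestamp, ip) for every successful factor enrollment that
    occurs within `window_minutes` of a successful login from an IP the user had
    never used before. A user with fewer than `min_history` prior logins is not
    scored, so brand-new accounts do not generate noise on their first day."""
    window = timedelta(minutes=window_minutes)
    known_ips: Dict[str, Set[str]] = {}
    login_count: Dict[str, int] = {}
    new_ip_login: Dict[str, Event] = {}   # most recent login from an unseen IP, per user
    hits: List[Tuple[str, datetime, str]] = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "SUCCESS":
            continue   # failed attempts never establish a baseline or a session
        ips = known_ips.setdefault(ev.user, set())

        if ev.event_type == "user.session.start":
            if ev.ip not in ips and login_count.get(ev.user, 0) >= min_history:
                new_ip_login[ev.user] = ev
            login_count[ev.user] = login_count.get(ev.user, 0) + 1
        elif ev.event_type == "user.mfa.factor.activate":
            login = new_ip_login.get(ev.user)
            if login is not None and ev.ts - login.ts <= window:
                hits.append((ev.user, ev.ts, ev.ip))
                new_ip_login.pop(ev.user)   # one alert per suspicious login

        ips.add(ev.ip)   # every successful event extends the user's baseline
    return hits


if __name__ == "__main__":
    for user, ts, ip in find_suspicious_enrollments(EVENTS):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: factor enrolled from new IP {ip}")
```

Tune `window_minutes` to the enrollment latency you actually observe; a tighter window reduces false positives from legitimate device refreshes but can miss an attacker who waits. In production the baseline would come from weeks of history rather than the handful of events embedded here, and the IP check is usually paired with ASN or geolocation so that a user roaming within their normal carrier range is not flagged.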
Mr. Raccoon Claims Adobe Data Theft
GTIG's insights into the tactics of UNC6783 and its connection to the Raccoon persona suggest that this actor might be the same individual who claimed to have stolen a massive volume of data from Adobe via a BPO firm located in India.
According to the hacker, the stolen data includes personal information of approximately 15,000 employees, millions of support tickets, and bug bounty submissions. The breach is reported to have commenced with a phishing email sent to a support agent at the BPO, who unwittingly executed a remote access Trojan (RAT), granting the hacker full control over their computer.
Subsequently, the attacker conducted reconnaissance and utilized the employee’s email to send a second phishing email to a manager, who then provided access credentials for the support platform. Mr. Raccoon stated that he was able to export the entire Adobe database from the platform with a single request.
Security experts are continuing to monitor the situation closely. GTIG has reached out to Adobe for comment regarding the hacker's claims and plans to update its findings if a response is received.
As cyber threats continue to evolve, organizations, particularly BPOs, are urged to enhance their security measures against these sophisticated attacks. Effective training and awareness programs for employees are critical to mitigate the risks associated with social engineering and phishing tactics.
Source: SecurityWeek News