Google's Threat Intelligence Group (GTIG) has issued a warning about a new, financially motivated threat actor that is actively targeting business process outsourcing (BPO) organizations to steal valuable corporate data.
The actor, identified as UNC6783, is believed to be associated with a hacker persona known as 'Raccoon'. This individual recently claimed responsibility for the theft of significant amounts of data from Adobe through a third-party supplier.
Austin Larsen, principal threat analyst at GTIG, says UNC6783 has used a range of social engineering tactics and phishing campaigns against numerous high-value corporate entities across different sectors.
“The primary objective of this actor is to breach BPOs that collaborate with these targeted corporations. We've also noted attempts to directly target the helpdesk and support staff within these organizations to gain trusted access and extract sensitive data for extortion purposes,” Larsen explains.
One method used by the threat actor involves live chat interactions to deceive employees into entering credentials on spoofed Okta login pages. The phishing kit is designed to capture clipboard contents, which lets the attacker circumvent standard multi-factor authentication (MFA) measures.
According to the GTIG report, UNC6783's social engineering strategies include the creation of counterfeit Zendesk support pages that mimic the domains of the targeted organizations.
Using the compromised employee accounts, the attackers enroll their own devices, securing persistent access to the breached environment.
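A defender-side check for the enrollment step described above, added here as an example and not part of the SecurityWeek article or GTIG's report: flag an MFA factor activation that closely follows a login from an IP the user has never used before. The event shape is loosely modelled on an identity provider's system log; the field names, event type strings, IPs and accounts are all constructed for the example.

```python
"""Detect 'enroll your own device' after a credential-phishing login.
Events and field names are constructed; they mimic an IdP system log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (chronological). The second session start for
# the agent comes from an IP outside the baseline, then a factor is enrolled.
EVENTS = [
    {"published": "2025-10-01T09:00:00Z", "eventType": "user.session.start",
     "actor": "agent@example-bpo.test", "ip": "203.0.113.10"},
    {"published": "2025-10-01T09:01:00Z", "eventType": "user.session.start",
     "actor": "agent@example-bpo.test", "ip": "198.51.100.7"},
    {"published": "2025-10-01T09:04:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "agent@example-bpo.test", "ip": "198.51.100.7"},
    {"published": "2025-10-01T10:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "manager@example-bpo.test", "ip": "203.0.113.10"},
]

# Constructed baseline: IPs each user has logged in from historically.
KNOWN_IPS = {"agent@example-bpo.test": {"203.0.113.10"},
             "manager@example-bpo.test": {"203.0.113.10"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Return (user, ip, enrol_time) for every factor activation that happens
    within `window` of a session start from an IP absent from the baseline
    and from that same new IP. A manager enrolling from a known IP is ignored."""
    new_ip_logins = defaultdict(list)  # user -> [(timestamp, ip)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        ts, user, ip = parse_ts(e["published"]), e["actor"], e["ip"]
        if e["eventType"] == "user.session.start":
            if ip not in known_ips.get(user, set()):
                new_ip_logins[user].append((ts, ip))
        elif e["eventType"] == "user.mfa.factor.activate":
            for login_ts, login_ip in new_ip_logins[user]:
                if login_ip == ip and timedelta(0) <= ts - login_ts <= window:
                    alerts.append((user, ip, e["published"]))
                    break
    return alerts


if __name__ == "__main__":
    for user, ip, when in find_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(f"ALERT: {user} enrolled a factor from new IP {ip} at {when}")
```

In production the baseline would come from weeks of login history and the alert would trigger a review of the new factor, not an automatic lockout.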
“We've also observed the use of counterfeit security software updates to trick victims into downloading remote access malware. After exfiltrating data, UNC6783 typically relies on Proton Mail accounts to send ransom notes as part of their data theft extortion efforts,” Larsen further notes.
Connection to Recent Adobe Data Theft
The description of UNC6783's tactics, along with the references to Raccoon, suggests that this threat actor is the same individual who claimed responsibility for the recent theft of extensive Adobe data from a BPO firm located in India.
The hacker asserted that the stolen data encompasses personal information related to 15,000 employees, as well as millions of support tickets and bug bounty submissions.
The attack reportedly began with a phishing email sent to a support agent at the BPO, who was deceived into executing a remote access Trojan (RAT) that gave the hacker full access to their machine.
Subsequently, the attacker conducted reconnaissance and used the employee's email to launch a second phishing attempt aimed at a manager, who unwittingly provided credentials for the support platform.
The hacker claimed to have exported the entire Adobe database from the platform in a single request.
Efforts have been made to obtain a statement from Adobe regarding the hacker's claims, and updates will be provided should a response be received.
Author: Ionut Arghire, an international correspondent.
Source: SecurityWeek News