Google Warns of UNC6783 Threat Group Targeting BPOs

High severity: significant development or major threat actor activity
Basically, a new hacker group is tricking companies into giving up sensitive information.
Google warns of a new threat group, UNC6783, targeting BPOs and helpdesks for extortion. This group uses social engineering tactics to steal sensitive data. Companies must implement stronger security measures to defend against these attacks.
What Happened
Google's Threat Intelligence Group (GTIG) has issued a warning about a new threat group named UNC6783. This group is targeting business process outsourcers (BPOs) and large enterprises, aiming to extort sensitive data. The group appears to be financially motivated and may have links to the notorious Raccoon persona.
Who's Behind It
The principal threat analyst at GTIG, Austin Larsen, highlighted that UNC6783 has already targeted numerous high-value corporate entities across various sectors. Their primary focus is on BPOs, but they also directly attack in-house helpdesk and support teams.
Tactics & Techniques
UNC6783 employs social engineering tactics via live chat to lure employees into visiting malicious, spoofed Okta login pages. These phishing attempts often use domain patterns that mimic legitimate organizations, such as [.]zendesk-support<##>[.]com. The attackers also utilize a phishing kit designed to bypass standard multi-factor authentication (MFA) by stealing clipboard contents, allowing them to enroll their own devices for persistent access.
In addition, the group has been observed using fake security software updates to trick users into downloading remote access malware. After exfiltrating data, they typically send ransom notes through Proton Mail accounts.
Defensive Measures
To mitigate risks, GTIG advises organizations to:
- Implement phishing-resistant MFA like FIDO2 hardware security keys for all users, especially those in high-risk roles.
- Monitor live chat for suspicious interactions that direct users to external links.
- Educate employees about this specific campaign to enhance awareness.
- Proactively block unauthorized domains that follow the [.]zendesk-support[.]com pattern.
- Monitor for unauthorized binary executions, particularly during support sessions.
- Regularly audit newly enrolled MFA devices to detect any unauthorized additions.
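As an added example (not from GTIG or the article), the following Python implements two of the checks above over constructed data: it flags live-chat links whose host matches the zendesk-support<##>.com look-alike pattern, and it flags MFA enrollments that are either not phishing-resistant or that follow such a link for the same user within a time window. The chat and MFA event shapes, the one-hour window and the `fido2` allowlist are assumptions.

```python
import re
from datetime import datetime, timedelta

# Look-alike hosts described in the advisory: zendesk-support<##>.com (digits optional,
# any subdomain depth). Anchored at the end so "zendesk.com" itself never matches.
LOOKALIKE_RE = re.compile(r"(?:^|\.)zendesk-support\d*\.com$")
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)")


def refang(host):
    """Normalise defanged 'example[.]com' notation before matching."""
    return host.replace("[.]", ".").lower()


def is_lookalike(host):
    return LOOKALIKE_RE.search(refang(host)) is not None


def flagged_chat_links(chat):
    """chat: list of (timestamp, user, text). Returns (timestamp, user, host) per look-alike link."""
    hits = []
    for ts, user, text in chat:
        for host in URL_RE.findall(text):
            if is_lookalike(host):
                hits.append((ts, user, refang(host)))
    return hits


def suspicious_enrollments(chat, mfa_events, window=timedelta(hours=1), allowed=("fido2",)):
    """Flag enrollments of non-phishing-resistant factors, and any enrollment that follows
    a flagged chat link for the same user within `window` (assumed thresholds)."""
    hits = flagged_chat_links(chat)
    findings = []
    for ev in mfa_events:
        reasons = []
        if ev["factor"] not in allowed:
            reasons.append("non-phishing-resistant factor")
        for ts, user, host in hits:
            if user == ev["user"] and ts <= ev["ts"] <= ts + window:
                reasons.append(f"enrolled after chat link to {host}")
        if reasons:
            findings.append((ev["user"], ev["factor"], reasons))
    return findings


# Constructed sample data, not real telemetry.
T = datetime(2025, 1, 1, 10, 0)
CHAT = [
    (T, "jdoe", "agent: please verify at https://support.example-corp.com/login"),
    (T + timedelta(minutes=2), "jdoe", "agent: use https://zendesk-support17[.]com/okta instead"),
]
MFA_EVENTS = [
    {"ts": T + timedelta(minutes=20), "user": "jdoe", "factor": "push"},
    {"ts": T + timedelta(hours=5), "user": "asmith", "factor": "fido2"},
]
```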
Conclusion
The emergence of UNC6783 highlights the evolving tactics of cybercriminals targeting BPOs and helpdesks. Organizations must remain vigilant and adopt robust security measures to protect sensitive data from these sophisticated threats.
How to Check If You're Affected
1. Check for unauthorized login attempts from external domains.
2. Monitor for unusual live chat interactions directing users to external links.
3. Review recent MFA enrollments for any unauthorized devices.
MITRE ATT&CK Techniques
Pro insight: UNC6783's tactics mirror those of other extortion groups, indicating a trend towards more sophisticated social engineering methods in cybercrime.