UNC6783 Hackers Steal Corporate Zendesk Support Tickets

High severity — significant development or major threat actor activity
Basically, hackers are tricking companies into giving them access to sensitive support tickets.
A new hacker group, UNC6783, is stealing sensitive Zendesk support tickets from BPOs. This poses a serious risk to companies across various sectors. Experts recommend enhanced security measures to combat these threats.
The Threat
A new threat actor known as UNC6783 has emerged, targeting business process outsourcing (BPO) providers to infiltrate high-value companies. This method allows them to exfiltrate sensitive data, including corporate support tickets from platforms like Zendesk.
Who's Behind It
According to the Google Threat Intelligence Group (GTIG), UNC6783 employs social engineering tactics and phishing campaigns to compromise BPOs. They have also been known to directly contact support staff within organizations to gain access. This group may be linked to a persona called Raccoon, which has previously targeted multiple BPOs.
Tactics & Techniques
UNC6783's attacks often involve directing support employees to spoofed Okta login pages. These pages mimic the target company's domains, making it easier to deceive employees into providing their login credentials. The phishing kits used in these attacks can even capture clipboard contents, allowing the hackers to bypass multi-factor authentication (MFA) protections. This capability enables them to register their devices with the organization, further deepening their access.
Additionally, UNC6783 has been observed distributing fake security updates that deliver remote access malware to victims’ systems. Once they have stolen sensitive data, they extort victims by demanding payment via ProtonMail addresses.
Impact on Organizations
The implications of these attacks are severe. Companies that fall victim to UNC6783 risk losing sensitive information that could lead to significant financial losses and reputational damage. The group has already targeted dozens of corporate entities, raising alarms across multiple sectors.
In a related incident, a threat actor using the alias Mr. Raccoon claimed to have stolen 13 million support tickets from Adobe after compromising a BPO that provided services to the company. This breach highlights the potential scale and impact of UNC6783's operations.
Defensive Measures
To combat these threats, GTIG recommends several defensive strategies:
- Deploy FIDO2 security keys for enhanced MFA.
- Monitor live chat systems for signs of abuse.
- Block spoofed domains that resemble Zendesk patterns.
- Regularly audit MFA device enrollments to ensure only authorized devices have access.
By implementing these measures, organizations can better protect themselves against the tactics employed by UNC6783 and similar threat actors.
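The "block spoofed domains" recommendation above is only actionable if you can tell a lookalike from the real thing. The following is an added example, not code from the original report or from GTIG: it classifies hostnames observed in proxy or DNS logs against an allowlist of the SaaS hostnames a company actually uses. The company name "acme", the allowlisted hosts and the observed hostnames are all constructed; a registrable domain is approximated as the last two labels (an assumption that ignores multi-part public suffixes such as co.uk).

```python
import difflib
import re

# Constructed allowlist: the legitimate SaaS hostnames a hypothetical company "acme" uses.
LEGIT_HOSTS = {"acme.zendesk.com", "acme.okta.com", "acme.com", "support.acme.com"}
# Tokens that should only ever appear in domains we own or in the vendors' own domains.
BRAND_TOKENS = ("zendesk", "okta", "acme")

# Constructed sample of hostnames seen in a proxy log.
OBSERVED = [
    "acme.zendesk.com",      # legitimate
    "login.okta.com",        # legitimate vendor domain
    "acme-zendesk.com",      # brand token in a domain we do not own
    "zendesk-acme-sso.net",  # same pattern, different TLD
    "acrne.com",             # near-miss of acme.com (rn for m)
    "news.example.org",      # unrelated, should not be flagged
]


def registrable(host):
    """Approximate the registrable domain as the last two labels (assumption: no co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


LEGIT_REGISTRABLE = {registrable(h) for h in LEGIT_HOSTS}


def tokens(host):
    """Split a hostname into alphabetic tokens so 'acme-zendesk' and 'acme.zendesk' compare alike."""
    return [t for t in re.split(r"[.\-_0-9]+", host.lower()) if t]


def classify(host):
    """Return (verdict, reason): 'allowed', 'suspicious' or 'unknown'."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in LEGIT_REGISTRABLE:
        return "allowed", None
    # Reason 1: a brand token inside a registrable domain we do not own.
    for t in tokens(host):
        if t in BRAND_TOKENS:
            return "suspicious", f"brand token '{t}' in unowned domain {reg}"
    # Reason 2: the registrable domain is a near-miss of one we own.
    for legit in sorted(LEGIT_REGISTRABLE):
        if difflib.SequenceMatcher(None, reg, legit).ratio() >= 0.8:
            return "suspicious", f"{reg} resembles {legit}"
    return "unknown", None


def flagged_hosts(hosts=OBSERVED):
    """Return the observed hosts that warrant a block or a closer look."""
    out = []
    for h in hosts:
        verdict, reason = classify(h)
        if verdict == "suspicious":
            out.append((h, reason))
    return out


if __name__ == "__main__":
    for host, reason in flagged_hosts():
        print(f"BLOCK-CANDIDATE {host}: {reason}")
```

The near-miss threshold (0.8) is deliberately loose because the comparison is made only against the handful of domains you own; tune it against a week of real proxy data before feeding the output into a blocklist.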
🔍 How to Check If You're Affected
1. Review access logs for unusual login attempts from unknown devices.
2. Check for any unauthorized changes to Zendesk support ticket settings.
3. Monitor for phishing emails targeting support staff.
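Steps 1 above and the "audit MFA device enrollments" recommendation come together in one detection: the sequence described in this report is a login from a device the user has never used, followed shortly by a new MFA factor being registered. The code below is an added example, not from the original report or from GTIG, that runs that check over a constructed, simplified event feed. The field names (ts, user, event, device, ip) and event names (login.success, mfa.factor.enrolled) are assumptions chosen for clarity; a real Okta System Log or Zendesk audit export uses its own schema and would need a small mapping layer.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (not a real Okta or Zendesk export).
EVENTS = [
    {"ts": "2025-01-06T09:01:00", "user": "agent1", "event": "login.success",       "device": "dev-A1", "ip": "203.0.113.10"},
    {"ts": "2025-01-07T09:03:00", "user": "agent1", "event": "login.success",       "device": "dev-A1", "ip": "203.0.113.10"},
    {"ts": "2025-01-08T10:00:00", "user": "agent2", "event": "login.success",       "device": "dev-B7", "ip": "203.0.113.11"},
    # After the baseline window: agent1 logs in from a never-seen device and
    # enrols a new MFA factor minutes later, the pattern described in the report.
    {"ts": "2025-01-15T02:14:00", "user": "agent1", "event": "login.success",       "device": "dev-Z9", "ip": "198.51.100.7"},
    {"ts": "2025-01-15T02:19:00", "user": "agent1", "event": "mfa.factor.enrolled", "device": "dev-Z9", "ip": "198.51.100.7"},
    # Benign: agent2 keeps using the known device.
    {"ts": "2025-01-15T09:00:00", "user": "agent2", "event": "login.success",       "device": "dev-B7", "ip": "203.0.113.11"},
    # Enrolment from a known device with no preceding unknown-device login: worth a call, not an alarm.
    {"ts": "2025-01-16T09:05:00", "user": "agent2", "event": "mfa.factor.enrolled", "device": "dev-B7", "ip": "203.0.113.11"},
]

BASELINE_END = datetime(2025, 1, 10)        # logins before this build the per-user device baseline
ENROL_WINDOW = timedelta(minutes=30)        # enrolment this soon after an unknown-device login is high severity


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def known_devices(events, cutoff):
    """Map each user to the set of devices they logged in from before the cutoff."""
    known = {}
    for ev in events:
        if ev["event"] == "login.success" and parse_ts(ev) < cutoff:
            known.setdefault(ev["user"], set()).add(ev["device"])
    return known


def audit(events, cutoff=BASELINE_END, window=ENROL_WINDOW):
    """Return (severity, user, detail) findings for the post-baseline period."""
    known = known_devices(events, cutoff)
    findings = []
    last_unknown_login = {}  # user -> time of the most recent login from an unknown device
    for ev in sorted(events, key=parse_ts):
        t = parse_ts(ev)
        if t < cutoff:
            continue
        user = ev["user"]
        if ev["event"] == "login.success":
            if ev["device"] not in known.get(user, set()):
                last_unknown_login[user] = t
                findings.append(("medium", user, f"login from unknown device {ev['device']} ({ev['ip']})"))
        elif ev["event"] == "mfa.factor.enrolled":
            recent = last_unknown_login.get(user)
            if recent is not None and t - recent <= window:
                minutes = int((t - recent).total_seconds() // 60)
                findings.append(("high", user, f"MFA factor enrolled on {ev['device']} {minutes} min after unknown-device login"))
            else:
                findings.append(("low", user, f"MFA factor enrolled on {ev['device']}; confirm with the user"))
    return findings


if __name__ == "__main__":
    for severity, user, detail in audit(EVENTS):
        print(f"[{severity.upper():6}] {user}: {detail}")
```

The baseline is deliberately simple (devices seen before a fixed date); in production you would rebuild it continuously and also key on IP reputation or geography, but even this version surfaces the report's core sequence as a single high-severity finding rather than two unrelated log lines.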
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: The tactics used by UNC6783 mirror established patterns in BPO-targeted attacks, indicating a growing trend in exploiting third-party vulnerabilities.