CyberSecurity SEE

Google Issues Warning About New Threat Group Targeting BPOs and Helpdesks

A new and alarming threat has emerged, drawing the attention of the Google Threat Intelligence Group (GTIG), which has issued a warning regarding a group known as UNC6783. This threat actor is primarily targeting business process outsourcers (BPOs) and large enterprises, utilizing live chat channels as a conduit for extortion.

Austin Larsen, the principal threat analyst with GTIG, identified UNC6783 as a financially motivated threat actor that is possibly connected to another known group referred to as the “Raccoon” persona. This group has been reported to systematically target a variety of high-value corporate entities spanning multiple sectors. Their focus, however, is particularly attuned to BPOs, although they have also resorted to targeting in-house helpdesk and support teams directly.

The primary objective of the UNC6783 group is to steal sensitive data for the purpose of extortion. This campaign is notable for its reliance on social engineering techniques, primarily through live chat interactions. According to Larsen, they direct employees toward malicious, spoofed login pages that mimic those of legitimate organizations, hosted on convincingly named domains that follow patterns such as [.]zendesk-support<##>[.]com. This impersonation plays a crucial role in deceiving the targeted employees.

One of the more sophisticated tactics employed by this group involves the use of phishing kits specifically designed to bypass traditional multi-factor authentication (MFA) processes. They achieve this by stealing clipboard contents, allowing them to enroll their own devices for persistent and unauthorized access to the compromised systems. This level of sophistication highlights the increasing complexity of modern cyber threats, and organizations must remain vigilant against such techniques.

In addition to the phishing tactics, the GTIG team has noted that UNC6783 often employs fake security software updates to trick users into downloading remote access malware. This tactic further underscores the group’s cunning approach toward data exfiltration, which precedes the delivery of ransom notes via Proton Mail accounts.

The methods employed by UNC6783 bear a striking resemblance to those used by other notorious extortion-focused collectives, such as Scattered Lapsus$ Hunters. Reports from the previous year shed light on a campaign where this notorious group utilized Zendesk phishing domains to harvest employee credentials. They were also found to be submitting fraudulent tickets to helpdesk staff, a strategy that enabled them to infect corporate systems with remote access trojans (RATs) and various other types of malware.

With the threat landscape constantly evolving, it is critical for BPOs and helpdesk staff to take proactive measures. Austin Larsen has provided several recommendations aimed at fortifying defenses against this new wave of cyber threats.

Firstly, organizations are urged to implement phishing-resistant MFA solutions, such as FIDO2 hardware security keys, particularly for users in high-risk positions like support and helpdesk roles. The need for robust authentication methods cannot be overstated in light of increasingly sophisticated threats.

Additionally, monitoring live chat interactions for any suspicious behavior, particularly those directing users to external links, is imperative. This proactive surveillance can serve to intercept malicious activities before they escalate into more serious breaches.

Education plays a pivotal role in defense strategies, and Larsen emphasizes the importance of informing employees about the specific tactics being employed by the UNC6783 group. This can significantly enhance an organization’s overall readiness against cyber threats.

Proactively blocking any unauthorized domains that adhere to the [.]zendesk-support[.]com pattern is another crucial strategy that organizations can implement. Such measures act as a first line of defense against impersonation attempts by malicious actors.
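As an added illustration of that blocking recommendation (this is example code written for this article, not Google's or Zendesk's own tooling), the function below flags hosts in a constructed proxy log that follow the zendesk-support<##>.com lookalike pattern described above, while leaving genuine <tenant>.zendesk.com hosts alone. The log line format and the sample entries are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Lookalike pattern from the article: "zendesk-support", optionally followed by
# a number, directly under .com. Subdomains in front are allowed so that
# "login.zendesk-support12.com" is caught too. Genuine Zendesk tenants live
# under zendesk.com and never match this expression.
LOOKALIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)*zendesk-support\d*\.com$")


@dataclass
class Hit:
    ts: str
    user: str
    host: str


def is_lookalike(host: str) -> bool:
    """True if the host matches the zendesk-support<##>.com impersonation pattern."""
    h = host.strip().lower().rstrip(".")  # normalise case and trailing FQDN dot
    return LOOKALIKE_RE.match(h) is not None


def host_from_url(url: str) -> str:
    """Strip scheme, path and port from a URL to get the bare host (assumed format)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/")[0].split(":")[0]


def scan_proxy_log(lines):
    """Scan 'timestamp user url' proxy log lines (constructed format) for lookalikes."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the scan
        ts, user, url = parts[0], parts[1], parts[2]
        host = host_from_url(url)
        if is_lookalike(host):
            hits.append(Hit(ts, user, host))
    return hits


# Constructed sample log: one legitimate tenant, three lookalikes, one near-miss.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z alice https://acme.zendesk.com/agent/tickets/42",
    "2024-01-01T10:01:00Z bob https://login.zendesk-support12.com/auth",
    "2024-01-01T10:02:00Z carol http://zendesk-support3.com:8080/",
    "2024-01-01T10:03:00Z dave https://zendesk-support.com/",
    "2024-01-01T10:04:00Z erin https://zendesk-supportdesk.com/",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.user} -> {hit.host}")
```

The same matcher can feed a DNS block list or a proxy deny rule; in a real deployment the pattern should be reviewed against your own Zendesk tenant names before enforcing it.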

Moreover, organizations should consistently monitor for unauthorized binary executions, especially installers or “updates” that may be downloaded during ostensibly legitimate support sessions. This vigilance can help to neutralize potential threats before they can inflict damage.

Finally, conducting regular audits of newly enrolled MFA devices across the organization will allow for the identification of any unauthorized additions, further strengthening security measures in place.

As the landscape of cyber threats continues to evolve, it is clear that groups like UNC6783 pose a significant risk to BPOs and large enterprises alike. Adopting a proactive and informed approach is essential for safeguarding sensitive corporate data and maintaining the integrity of business operations.
