

Ethical Hacking News

New UNC6783 Hackers Steal Corporate Zendesk Support Tickets


Google has identified a new group of hackers tracked as UNC6783, who have been targeting business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. Dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion.

  • Google has identified a new group of hackers, UNC6783, targeting business process outsourcing (BPO) providers to gain access to high-value companies.
  • These hackers use social engineering and phishing tactics to bypass security controls and exfiltrate sensitive data for extortion.
  • UNC6783 relies on fake security updates or spoofed login pages to compromise BPOs working with targeted companies.
  • The attackers can steal clipboard contents to bypass multi-factor authentication (MFA) protection and access sensitive data.
  • The threat actors extort victims by contacting them via ProtonMail addresses with payment demands.
  • Google has observed attacks where UNC6783 distributed fake security updates to deliver remote access malware.
  • Raccoon, a persona linked to UNC6783, may be responsible for breaches at well-known organizations like Adobe, but GTIG did not offer more information because of its sensitivity.
  • Defense recommendations against UNC6783 attacks include deploying FIDO2 security keys and regularly auditing MFA device enrollments.



    In a recent development that highlights the threats organizations continue to face, Google has identified a new group of hackers tracked as UNC6783. These hackers have been targeting business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors.

    According to the Google Threat Intelligence Group (GTIG), dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion. This sophisticated attack campaign involves social engineering and phishing tactics, which are commonly used by threat actors to bypass security controls.

    Austin Larsen, a principal threat analyst at GTIG, has stated that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies. These attacks often begin with fake security updates or spoofed login pages hosted on domains that impersonate those of the target company.

    Once an employee falls victim to these tactics, the attackers can steal clipboard contents to bypass multi-factor authentication (MFA) protection, enabling them to register their device with the organization. This allows them to access sensitive data without being detected.

    Google has also observed attacks where UNC6783 distributed fake security updates to deliver remote access malware. The attackers would then use this malware to remotely access an employee's computer and steal personal data or other sensitive information.

    After stealing sensitive data, the threat actor proceeds to extort victims by contacting them via ProtonMail addresses with payment demands. This highlights the financial motivation behind these attacks, as the attackers seek to profit from the stolen data.

    One of the most striking aspects of this attack campaign is its use of a phishing kit that can steal clipboard contents. This allows the attackers to bypass MFA protection and gain unauthorized access to sensitive data.

    The researchers have also noted that UNC6783 may be linked to Raccoon, a persona known to have targeted multiple BPOs that provide services to large companies. In some cases, the threat actor has even claimed responsibility for breaches at well-known organizations, such as Adobe.

    However, it's worth noting that GTIG did not offer more information about Raccoon due to the sensitive nature of the information. International Cyber Digest recently disclosed that someone using the alias "Mr. Raccoon" claimed a breach at Adobe, which the company has yet to confirm.

    The attacker claimed to have gained access to Adobe data after compromising an India-based BPO working for the company. They deployed a remote access trojan (RAT) on an employee's computer and subsequently targeted the employee's manager in a phishing attack.

    Mr. Raccoon said that they stole 13 million support tickets containing personal data, employee records, HackerOne submissions, and internal documents. However, it's unclear whether this information is accurate or not.

    In conversations with BleepingComputer, the threat actor behind the CrunchyRoll breach confirmed that they were also behind the Adobe attack, but did not provide any evidence.

    Google's Mandiant has listed several defense recommendations against UNC6783 attacks, including deploying FIDO2 security keys for MFA, monitoring live chat for abuse, blocking spoofed domains that match Zendesk patterns, and regularly auditing MFA device enrollments.
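
    One way to approach the enrollment audit recommended above, as an added example (not code from Google, Mandiant or the original article): it flags MFA enrollments that use a factor other than FIDO2/WebAuthn or that come from an IP address the user has only just started using. The event schema, field names, 24-hour window and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The field names are an assumed, simplified schema,
# not the export format of any specific identity provider.
EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "agent1", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-04-02T09:05:00", "user": "agent1", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-04-03T02:14:00", "user": "agent1", "type": "login", "ip": "203.0.113.77"},
    {"ts": "2026-04-03T02:16:00", "user": "agent1", "type": "mfa_enroll",
     "ip": "203.0.113.77", "factor": "totp"},
    {"ts": "2026-04-03T10:00:00", "user": "agent2", "type": "login", "ip": "198.51.100.20"},
    {"ts": "2026-04-05T10:30:00", "user": "agent2", "type": "mfa_enroll",
     "ip": "198.51.100.20", "factor": "webauthn"},
]

PHISHING_RESISTANT = {"webauthn", "fido2"}  # assumed factor labels
NEW_IP_WINDOW = timedelta(hours=24)         # assumed threshold for a "new" IP


def audit_enrollments(events):
    """Return (user, timestamp, reasons) for each enrollment that needs review."""
    first_seen = {}  # (user, ip) -> first time this user appeared from this IP
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        first_seen.setdefault(key, ts)
        if ev["type"] != "mfa_enroll":
            continue
        reasons = []
        if ev["factor"] not in PHISHING_RESISTANT:
            reasons.append("factor is not phishing-resistant")
        # An enrollment that is itself the first event from an IP is also "new".
        if ts - first_seen[key] < NEW_IP_WINDOW:
            reasons.append("enrolled from an IP first seen for this user within 24h")
        if reasons:
            findings.append((ev["user"], ev["ts"], reasons))
    return findings


if __name__ == "__main__":
    for user, ts, reasons in audit_enrollments(EVENTS):
        print(f"REVIEW {user} at {ts}: " + "; ".join(reasons))
```

    A first-ever enrollment for a new account is flagged too, so in practice the output is a review queue rather than a verdict.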

    These recommendations highlight the importance of maintaining robust security controls and staying vigilant in today's threat landscape. By being aware of these tactics and taking proactive steps to prevent them, organizations can reduce their risk of falling victim to UNC6783-style attacks.

    In conclusion, the recent attack campaign attributed to UNC6783 serves as a reminder of the ongoing threats faced by organizations. By understanding the tactics used by these hackers and taking necessary precautions, companies can better protect themselves against similar attacks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-UNC6783-Hackers-Steal-Corporate-Zendesk-Support-Tickets-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/google-new-unc6783-hackers-steal-corporate-zendesk-support-tickets/

  • https://tech.yahoo.com/cybersecurity/articles/threat-cluster-launches-extortion-campaign-091720064.html

  • https://netcrook.com/social-engineering-extortion-unc6783/


  • Published: Wed Apr 8 18:30:27 2026 by llama3.2 3B Q4_K_M












