Google Warns of New Campaign Targeting BPOs to Steal Corporate Data

Apr 20, 2026  Twila Rosenbaum

The Google Threat Intelligence Group (GTIG) has issued a warning about a financially motivated threat actor targeting business process outsourcing (BPO) organizations with the goal of stealing sensitive data from high-value companies.

This threat actor, identified as UNC6783, is suspected to be linked to a persona known as 'Mr. Raccoon,' who recently claimed responsibility for stealing a vast amount of Adobe data from a third-party supplier.

According to Austin Larsen, a principal threat analyst at GTIG, UNC6783 has been executing extensive social engineering and phishing campaigns aimed at numerous high-value corporate targets across various industries.

“The actor primarily focuses on compromising Business Process Outsourcers (BPOs) that collaborate with these companies. We have also observed them directly targeting the support and helpdesk staff within these organizations to gain trusted access and exfiltrate sensitive data for extortion efforts,” Larsen noted.

The tactics employed by the threat actor include engaging employees through live chats that lead to spoofed Okta login pages. Additionally, they utilize a phishing kit designed to steal clipboard contents, allowing them to bypass standard multi-factor authentication (MFA) security measures.

GTIG reports that UNC6783's social engineering strategies also involve creating fake Zendesk support pages that mimic the domains of the targeted organizations.

Once they gain access to the employee accounts, the hackers enroll their own devices, establishing persistent access to the compromised networks.

“We have also observed them deploying fake security software updates to deceive victims into downloading remote access malware. After exfiltrating data, UNC6783 often uses Proton Mail accounts to send ransom notes demanding payment for the stolen data,” Larsen explained.

Mr. Raccoon Claims Responsibility for Adobe Data Breach

GTIG's characterization of UNC6783's tactics, along with the mention of the Raccoon persona, indicates that this actor may be the same individual who recently claimed to have stolen a significant volume of Adobe data from a BPO firm located in India.

The hacker asserted that the stolen information includes personal details of 15,000 employees, millions of support tickets, and submissions from bug bounty programs.

The attack reportedly began with a phishing email aimed at a support agent at the BPO, who was deceived into executing a remote access trojan (RAT), granting the hacker comprehensive access to their computer.

Following this initial breach, the attacker conducted reconnaissance and utilized the employee's email to send a second phishing email to a manager, who inadvertently disclosed credentials for the support platform.

Mr. Raccoon claimed to have successfully exported the entire Adobe database from this platform with a single request, showcasing the efficiency of their attack methods.

In light of these developments, GTIG is closely monitoring the activities of UNC6783 and urges BPOs and their clients to bolster their security measures against such sophisticated phishing and social engineering tactics.

GTIG has reached out to Adobe for a statement regarding the hacker's claims and will provide updates should the company respond.

Related Developments: Recent incidents have highlighted the growing concerns over data security, with notable breaches affecting hundreds of thousands of individuals and organizations.


Source: SecurityWeek News

