UNC6783 is compromising business process outsourcing (BPO) providers in order to access and exfiltrate sensitive data from high-value client companies across multiple sectors, then extorting the victims for payment. Its tactics include social engineering, phishing pages that spoof Okta logins and are hosted on domains mimicking Zendesk naming patterns, clipboard-stealing phishing kits that defeat MFA, remote access trojans delivered as fake security updates, and extortion contact via ProtonMail addresses. #UNC6783 #Raccoon #Okta #Zendesk #Adobe
Key points
- UNC6783 targets BPO providers to gain access to client networks and exfiltrate sensitive data for extortion.
- The group primarily uses social engineering and phishing campaigns against support and helpdesk staff.
- Attackers direct victims to spoofed Okta login pages hosted on domains that mimic Zendesk patterns.
- The phishing kits can capture clipboard contents (for example, a copied one-time code) to bypass MFA, and fake security updates have been used to deliver RATs.
- Recommended defenses include phishing-resistant FIDO2 security keys, monitoring live chat channels for abuse, blocking spoofed domains that follow Zendesk-like naming patterns, and auditing MFA device enrollments for unexpected additions.