
'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree

A new extortion crew has targeted "several dozen high-value" corporations through phishing and helpdesk social-engineering, according to Google.

Google Threat Intelligence Group tracks the financially motivated group as UNC6783, and in a blog post, principal threat analyst Austin Larsen said that it may have ties to the "Raccoon" persona. 

"We are aware of several dozen high-value corporate entities targeted across multiple sectors," Larsen wrote.

UNC6783 primarily compromises call centers and business process outsourcers (BPOs) that work with larger companies - an attack method popularized by groups like Scattered Spider and ShinyHunters. Once the criminals have access to the BPOs' networks, they can use stolen legitimate credentials from BPO employees to break into their customers' IT environments.

Google has also observed the extortionists targeting corporations' support and helpdesk staff directly to gain access and steal sensitive data.

"The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages," Larsen said. "These domains frequently masquerade as the targeted organization using a domain pattern such as <org>[.]zendesk-support<##>[.]com."
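As an added example (not from the article or Google's report), a Python detector that flags hostnames following the spoofed-domain pattern quoted above in constructed web-proxy log lines; the log format, the org name "acme" and the vendor allowlist are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy-log lines (not from the article): timestamp, user, URL.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z alice https://acme.okta.com/login/login.htm
2024-01-01T10:02:17Z bob https://acme.zendesk-support01.com/okta/sign-in
2024-01-01T10:03:44Z carol https://acme.zendesk.com/agent/tickets/42
2024-01-01T10:05:09Z dave http://acme.zendesk-support7.com/
2024-01-01T10:06:30Z erin https://zendesk-support.com/help
"""

# Pattern reported in the article: <org>.zendesk-support<##>.com
# The digit group is optional so variants without a number are also caught.
LOOKALIKE = re.compile(r"^(?P<org>[a-z0-9-]+)\.zendesk-support(?P<num>\d*)\.com$", re.I)

# Assumed allowlist of the legitimate vendor domains the lookalikes imitate.
ALLOWLIST = {"zendesk.com", "okta.com"}

def registrable_domain(host):
    """Crude eTLD+1: last two labels (sufficient for .com-style hosts)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_host(host):
    """Return a finding dict for a lookalike host, or None if benign."""
    if registrable_domain(host) in ALLOWLIST:
        return None
    m = LOOKALIKE.match(host.lower())
    if m:
        return {"host": host, "spoofed_org": m.group("org"), "suffix": m.group("num")}
    return None

def find_lookalikes(log_text):
    """Scan proxy-log lines and return findings for spoofed support domains."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines
        ts, user, url = fields
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict:
            verdict.update(ts=ts, user=user)
            hits.append(verdict)
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(hit)
```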

The attackers use a phishing kit that bypasses multi-factor authentication (MFA) by stealing clipboard contents, then enroll their own devices for persistent access to victim environments.

Google has also spotted the miscreants using fake security software updates to trick victims into downloading remote access malware. 

Once they steal corporations' data, the crew uses Proton Mail accounts to deliver ransom notes to their victims.

Google did not immediately respond to The Register's inquiries about UNC6783 and its extortion operations.

Last week, International Cyber Digest reported that Adobe was allegedly breached by an attacker calling themselves Mr. Raccoon, who reportedly gained access through an Indian BPO by first deploying a remote access tool on one employee and then phishing that worker’s manager.

The data thief claimed to have stolen 13 million support tickets with personal data, 15,000 employee records, all HackerOne submissions, internal documents, and other information.

Adobe did not immediately respond to The Register's request for comment.

According to malware hunters vx-underground, the Adobe breach appears to be legitimate, and "anyone who submitted a helpdesk ticket to Adobe, or requested assistance in any capacity, could be impacted." ®

Source: The Register
