GoKawiilA threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors.
According to the Google Threat Intelligence Group, dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion.
Austin Larsen, GTIG principal threat analyst, says that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies.
However, there have been instances where the hackers have also contacted support and helpdesk staff within targeted organizations, in an attempt to obtain direct access.
The researchers say that UNC6783 may be linked to Raccoon, a persona known to have targeted multiple BPOs that provide services to large companies.
In social engineering attacks over live chat, the threat actor directs support employees to spoofed Okta login pages hosted on domains that impersonate those of the target company and follow the pattern <org>[.]zendesk-support<##>[.]com .
Larsen says that the phishing kit deployed in these attacks can steal clipboard contents to bypass multi-factor authentication (MFA) protection, enabling the attacker to register their device with the organization.
Google has also observed attacks where UNC6783 distributed fake security updates to deliver remote access malware.
After stealing sensitive data, the threat actor proceeds to extort victims, contacting them via ProtonMail addresses with payment demands.
While GTIG did not offer more information about Raccoon, threat intelligence account International Cyber Digest recently disclosed that someone using the alias “Mr. Raccoon” claimed a breach at Adobe, which the company has yet to confirm.
... continue reading