
Hacker group UNC6783 breaches business process outsourcers; dozens of high-value enterprises already targeted

Posted in Industry News
News

Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), said on LinkedIn that the team has recently been tracking a hacker group named UNC6783. The group is financially motivated and is running targeted social engineering and phishing campaigns; GTIG is aware of several dozen high-value corporate organizations across multiple sectors that have been targeted. Notably, Google says UNC6783 is potentially tied to a persona known as "Raccoon".

UNC6783 focuses mainly on compromising the business process outsourcers (BPOs) that serve its target companies, and GTIG has also seen the attackers go after the targets' own support and helpdesk staff directly. In either case the end goal is the same: obtain trusted access, steal sensitive data, and extort the victim company.

The attackers rely on live chat as the social engineering channel, luring employees of the victim company to spoofed Okta login pages. The domains they use typically impersonate the victim organization and follow the pattern <organization name>[.]zendesk-support<##>[.]com. According to GTIG, UNC6783's phishing kit steals the contents of the victim's clipboard in order to bypass multi-factor authentication (MFA), after which the attackers enroll their own device to establish persistent access.
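The domain pattern GTIG reports is specific enough to hunt for in proxy or DNS logs. The following is an added example, not code from the article or from GTIG: it refangs `[.]` notation, matches hostnames of the shape `<org>.zendesk-support<digits>.com` (the number of digits behind `<##>` is an assumption; one to three are accepted), and scans a constructed proxy log in a hypothetical `<timestamp> <user> <url>` format. Legitimate `<org>.zendesk.com` hosts are deliberately not flagged.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domain shape reported by GTIG: <organization name>[.]zendesk-support<##>[.]com
# Assumption: "<##>" is a short numeric suffix; 1-3 digits are accepted here.
# Leading labels (e.g. "login.") are tolerated; the org is the label right
# before "zendesk-support".
ZENDESK_SPOOF_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?P<org>[a-z0-9-]+)\.zendesk-support(?P<n>\d{1,3})\.com$",
    re.IGNORECASE,
)


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation used in threat reports back into dots."""
    return indicator.replace("[.]", ".")


def spoofed_org(host: str) -> Optional[str]:
    """Return the impersonated organization label if host matches the
    UNC6783 pattern, otherwise None. Accepts defanged or live hostnames."""
    host = refang(host).strip().rstrip(".").lower()
    m = ZENDESK_SPOOF_RE.match(host)
    return m.group("org") if m else None


# Constructed sample proxy log (hypothetical format: "<timestamp> <user> <url>").
# Lines 2, 3 and 5 are benign look-alikes that must not be flagged.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:01:02Z jdoe https://acme-corp.zendesk-support12.com/okta/signin
2024-06-01T10:01:05Z jdoe https://acme-corp.zendesk.com/hc/en-us
2024-06-01T10:02:10Z asmith https://support.zendesk.com/
2024-06-01T10:03:44Z bwong http://login.contoso.zendesk-support7.com/
2024-06-01T10:04:00Z bwong https://zendesk-support.com/
"""


def find_spoofed_logins(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Scan proxy log lines and return (timestamp, user, host, impersonated org)
    for every request whose host matches the UNC6783 domain pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing on them
        ts, user, url = parts[:3]
        host = urlparse(url).hostname or ""
        org = spoofed_org(host)
        if org is not None:
            hits.append((ts, user, host, org))
    return hits


if __name__ == "__main__":
    for ts, user, host, org in find_spoofed_logins(SAMPLE_PROXY_LOG):
        print(f"{ts} {user} -> {host} (impersonates {org})")
```

A hit on such a domain is a strong signal on its own, but the follow-up should also check the Okta system log for a new factor or device enrollment on the same user shortly after the request, since that is the persistence step GTIG describes.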

Once the data has been stolen and exfiltrated, UNC6783 sends extortion emails to the victim company from Proton Mail accounts. GTIG has also observed the attackers tricking users into downloading malware under the guise of a security software update.

#unc6783 | Austin Larsen

Google Threat Intelligence Group (GTIG) is tracking #UNC6783, a financially motivated threat cluster potentially tied to the "Raccoon" persona, conducting targeted social engineering and phishing campaigns. We are aware of several dozen high-value corporate entities targeted across multiple sectors. The actor primarily focuses on compromising Business Process Outsourcers (BPOs) that work with these targeted companies. We have also seen them target the support and helpdesk staff of these organizations directly to gain trusted access and steal sensitive data for extortion operations. The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages. These domains frequently masquerade as the targeted organization using a domain pattern such as [.]zendesk-support<##>[.]com. Their phishing kit is used to bypass standard multi-factor authentication (MFA) verification by stealing clipboard contents, which then allows the attackers to e

www.linkedin.com