root@rebel:~$ cd /news/threats/unc6783-leverages-bpos-to-steal-corporate-zendesk-tickets_
[TIMESTAMP: 2026-04-09 00:34 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

UNC6783 Leverages BPOs to Steal Corporate Zendesk Tickets

HIGH Threat Intel #UNC6783#Zendesk#BPO
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: High-value corporate entities face data theft and espionage risks through compromised BPO vendors.
  • [02] Affected systems: Client Zendesk support ticket systems accessed via compromised BPO accounts.
  • [03] Remediation: Bolster BPO security oversight and implement multi-factor authentication for all third-party access.

Google’s Mandiant has identified a new threat actor, UNC6783, focusing on Business Process Outsourcing (BPO) providers. This group leverages compromised BPO access to infiltrate high-value client organizations across diverse sectors, specifically targeting their Zendesk support ticket systems. This campaign represents a significant supply chain attack vector, exposing sensitive customer data and intellectual property. According to BleepingComputer, UNC6783’s strategy highlights the increasing risk posed by third-party vendors and the critical need for enhanced security controls over external access points.

Threat Actor Profile: UNC6783 Tactics

UNC6783’s modus operandi centers on exploiting the trusted relationships between organizations and their BPO partners. Their initial access typically involves sophisticated phishing and social engineering techniques aimed at BPO employee accounts. Once credentials are stolen, the actor uses these compromised accounts to gain unauthorized entry into the BPO’s internal networks. From there, they conduct lateral movement to identify and exploit legitimate BPO access to client systems, with Zendesk instances being a primary target.

The group’s focus on Zendesk support tickets is particularly concerning. These tickets often contain a wealth of confidential information, including customer names, contact details, proprietary technical discussions, and even intellectual property shared during support interactions. Such data can be leveraged for further targeted attacks, corporate espionage, or sold on illicit markets. Google’s Mandiant assesses that UNC6783’s activities are consistent with financially motivated espionage, though the precise end goal can vary depending on the target’s industry and data type.

Understanding UNC6783 BPO Compromise Mitigation

Detecting and mitigating the TTPs employed by UNC6783 requires a multi-layered approach that addresses both technical vulnerabilities and human factors. Organizations must recognize that their security posture is only as strong as their weakest link, which often includes third-party vendors with privileged access.

  • Initial Access & Credential Theft: UNC6783 relies heavily on credential theft. This means employees, especially those at BPO providers, must be rigorously trained to identify and report phishing attempts. Implementing strong authentication mechanisms like multi-factor authentication (MFA) across all systems, particularly for external access and BPO accounts, is fundamental.
  • Lateral Movement & Persistence: Once inside a BPO network, UNC6783 seeks to expand its foothold. Robust network segmentation, least privilege access, and continuous monitoring of BPO activity logs can help detect anomalous behavior indicative of lateral movement.
  • Targeting Zendesk & Data Exfiltration: The exfiltration of support tickets from Zendesk instances is the ultimate objective. Organizations should implement strict access controls on their Zendesk environments, review BPO user permissions regularly, and monitor for unusual API calls or large data downloads from BPO-associated accounts. An EDR solution with advanced threat detection capabilities can assist in identifying suspicious activities on endpoints.

Actionable Recommendations for Securing Corporate Zendesk Instances

To effectively counter threats like UNC6783 and protect sensitive data within support platforms, organizations should prioritize the following actions:

  • Vendor Security Assessment: Conduct thorough security assessments and due diligence on all BPO providers. Ensure contractual agreements include stringent security requirements, regular audits, and incident response obligations.
  • Implement Strict Access Controls:
    • Enforce Zero Trust principles for all third-party and internal access to critical systems, including Zendesk.
    • Mandate multi-factor authentication (MFA) for all BPO user accounts accessing your corporate systems.
    • Regularly review and revoke unnecessary privileges for BPO accounts. Adhere to the principle of least privilege.
  • Enhanced Monitoring and Alerting:
    • Integrate Zendesk logs and BPO access logs into your SIEM for centralized monitoring.
    • Configure alerts for unusual login patterns, mass data exports, or modifications by BPO accounts.
    • Focus on specific IoCs related to known UNC6783 TTPs as they become available.
  • Employee Security Awareness Training: Extend comprehensive security awareness training, particularly on recognizing phishing and social engineering tactics, to both internal staff and BPO personnel who interact with your systems.
  • Regular Audits and Penetration Testing: Schedule regular security audits and penetration tests specifically focusing on third-party access points and configurations of critical platforms like Zendesk. This helps surface the weaknesses UNC6783 would exploit against Zendesk before a breach occurs.
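The monitoring items above (unusual login patterns, mass data exports, and modifications by BPO accounts) can be turned into concrete SIEM-style rules. The following is an added example, not code from the article, from Mandiant or from Zendesk: it runs three detections over a constructed batch of Zendesk-audit-log-like events that a SIEM has already ingested. The event shape, the BPO e-mail domain, the login-country baseline, the privileged-action list and the export threshold are all assumptions to be tuned per tenant; BPO accounts are recognised purely by e-mail domain here, whereas a real deployment would use group membership or a vendor tag.

```python
"""Detections for BPO-account abuse of a Zendesk instance (added example).

Assumptions (all constructed for illustration, not Zendesk's real log schema):
  - each event is a dict: ts (ISO-8601 UTC), actor (email), action, and
    optionally count (tickets touched) or country (for logins)
  - BPO accounts are identified by e-mail domain in BPO_DOMAINS
  - thresholds and baselines are placeholders to tune per tenant
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BPO_DOMAINS = {"example-bpo.test"}          # constructed placeholder domain
EXPORT_THRESHOLD = 50                        # tickets per WINDOW that count as "mass"
WINDOW = timedelta(minutes=10)
EXPORT_ACTIONS = {"ticket.view", "ticket.export"}
# Actions an outsourced agent should never perform; any occurrence is an alert.
PRIVILEGED_ACTIONS = {"user.role_update", "api_token.create", "trigger.update"}
# Countries each BPO account has historically logged in from (constructed).
LOGIN_BASELINE = {"agent1@example-bpo.test": {"PH"}}

# Constructed sample: a normal morning for a BPO agent, an internal admin doing
# a legitimate bulk export, then the same BPO account logging in from a new
# country, pulling tickets in a burst and minting an API token.
SAMPLE_EVENTS = [
    {"ts": "2026-04-08T09:00:00Z", "actor": "agent1@example-bpo.test", "action": "login", "country": "PH"},
    {"ts": "2026-04-08T09:05:00Z", "actor": "agent1@example-bpo.test", "action": "ticket.view", "count": 4},
    {"ts": "2026-04-08T09:30:00Z", "actor": "admin@corp.test", "action": "ticket.export", "count": 500},
    {"ts": "2026-04-08T22:10:00Z", "actor": "agent1@example-bpo.test", "action": "login", "country": "NL"},
    {"ts": "2026-04-08T22:12:00Z", "actor": "agent1@example-bpo.test", "action": "ticket.export", "count": 30},
    {"ts": "2026-04-08T22:15:00Z", "actor": "agent1@example-bpo.test", "action": "ticket.export", "count": 30},
    {"ts": "2026-04-08T22:18:00Z", "actor": "agent1@example-bpo.test", "action": "api_token.create"},
]


def is_bpo_account(actor: str) -> bool:
    """True when the actor's e-mail domain belongs to a BPO vendor."""
    return actor.rsplit("@", 1)[-1].lower() in BPO_DOMAINS


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return a list of alert dicts for BPO-account activity worth a ticket to the SOC.

    Rules:
      bpo_login_new_country   - login from a country not in the account's baseline
      bpo_mass_ticket_access  - more than EXPORT_THRESHOLD tickets read/exported in WINDOW
      bpo_privileged_action   - a BPO account performing an admin-only action
    Non-BPO actors are ignored here; their bulk exports belong to a separate rule.
    """
    alerts = []
    windows = defaultdict(deque)  # actor -> deque of (timestamp, ticket count)
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"]
        if not is_bpo_account(actor):
            continue
        ts, action = parse_ts(ev["ts"]), ev["action"]
        if action == "login":
            if ev.get("country") not in LOGIN_BASELINE.get(actor, set()):
                alerts.append({"rule": "bpo_login_new_country", "actor": actor,
                               "ts": ev["ts"], "detail": ev.get("country")})
        elif action in EXPORT_ACTIONS:
            q = windows[actor]
            q.append((ts, ev.get("count", 1)))
            while q and ts - q[0][0] > WINDOW:   # slide the window forward
                q.popleft()
            total = sum(c for _, c in q)
            if total > EXPORT_THRESHOLD:
                alerts.append({"rule": "bpo_mass_ticket_access", "actor": actor,
                               "ts": ev["ts"], "detail": total})
                q.clear()  # one alert per burst, not one per subsequent event
        elif action in PRIVILEGED_ACTIONS:
            alerts.append({"rule": "bpo_privileged_action", "actor": actor,
                           "ts": ev["ts"], "detail": action})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the detector raises three alerts for the BPO account (new login country, a 60-ticket burst inside ten minutes, and the API-token creation) and nothing for the internal admin's export. The window is cleared after an alert so a sustained exfiltration produces one alert per burst rather than one per event; raise EXPORT_THRESHOLD if legitimate BPO queues routinely exceed it, and feed LOGIN_BASELINE from the SIEM's own login history rather than a hard-coded table.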

By taking these proactive measures, organizations can significantly reduce their attack surface and mitigate the risks posed by threat actors like UNC6783 leveraging trusted third-party relationships for illicit access to sensitive data.
