Summary: Researchers from the cybersecurity firm Expel have uncovered a tactic used by the Moroccan cybercrime group Atlas Lion, which targets large retailers and other organizations by enrolling its own virtual machines into corporate cloud domains using stolen credentials. By posing as a legitimate, domain-joined system, the group can maintain access and carry out fraud such as issuing gift cards. Although the enrollment itself succeeded, the activity was detected because the domain required compliance software to be installed on enrolled machines; this exposed the breach and prompted further investigation into the affected company's internal processes.
Affected: Large retailers, apparel companies, restaurants, and organizations with cloud infrastructure
Key points:
- Atlas Lion uses stolen credentials to enroll their virtual machines into organizational cloud domains, evading detection.
- The group sends phishing texts disguised as helpdesk notifications to harvest user credentials and MFA codes.
- The intrusion came to light when a previously flagged IP address triggered a compliance alert, revealing the attack.
- After being removed from the network, Atlas Lion continued attempts to access sensitive internal information and gift card issuance processes.
- The group has been previously noted for exploiting cloud infrastructure for fraudulent activities, including gift card fraud.
Source: https://therecord.media/atlas-lion-gift-card-cybercrime-hiding-virtual-machines