Researchers have discovered a novel tactic used by Moroccan cybercrime group Atlas Lion to attack big-box retailers, apparel companies, restaurants and more. The group was observed using stolen credentials to enroll its own virtual machines (VMs) into an organization’s cloud domain, according to researchers at cybersecurity firm Expel.

Atlas Lion specializes in breaching the systems of large retailers in order to fraudulently issue gift card codes to themselves, according to Microsoft. Microsoft researchers said they have seen instances where threat actors steal up to $100,000 a day at certain companies through individual gift cards.

Expel recently witnessed an attack in which Atlas Lion sent text messages made to look like notifications from a company’s helpdesk. Once inside, Atlas Lion actors created a Windows VM in their own Microsoft Azure cloud tenant and connected it to the organization’s domain. Part of the normal Windows device setup involves offering users the opportunity to join a device to a corporate domain if an account is provided, according to Expel.

“This effectively took a [virtual machine] mimicking a brand new system within the corporate environment and onboarded it as a new system, bypassing requirements put in place to keep unauthorized devices off of the corporate network,” the researchers said.

Expel said the hackers had to install Microsoft Defender on the virtual machine, and the system alerted defenders to a previously flagged IP address with a history of malicious activity. Just hours after being kicked out of the system, Atlas Lion actors used the stolen credentials to log into the network again.

Expel said it appears the hackers were trying to find information on “Bring Your Own Device” policy configurations, device management software, and internal VPN setups, likely as a way to avoid being caught on their next attempt to enroll a virtual machine.

“But in addition to this, Atlas Lion looked up information on a familiar goal of the group: obtaining gift cards. They appear to have looked through gift card issuance process docs, information about gift card refunds and exchanges, and even gift card fraud prevention policies,” Expel explained, noting that the hackers also took several other actions while trying to stay under the radar.

Expel’s research echoed much of what Microsoft found last year, illustrating that Atlas Lion has shown an aptitude for leveraging cloud infrastructure and using internal documentation to learn more about how best to fraudulently issue gift cards. Microsoft said last year that it saw Atlas Lion download legitimate copies of 501(c)(3) letters issued by the Internal Revenue Service (IRS) from nonprofit organizations’ public websites, using them to get discounted cloud products from providers.
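The two signals defenders could hunt for in the activity described above are a device join from an address that is neither corporate nor clean, and the same account signing back in within hours of being contained. The following is an added example, not code from Expel or Microsoft; the events, IP addresses, corporate ranges and field names are all constructed assumptions rather than a real log schema.

```python
from datetime import datetime, timedelta
import ipaddress

CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges
FLAGGED_IPS = {"203.0.113.7"}  # constructed: address with prior malicious history

# Constructed sample events; field names are an assumption, not a real schema.
EVENTS = [
    {"time": "2025-04-01T09:02:00", "op": "signin", "user": "jdoe", "ip": "203.0.113.7"},
    {"time": "2025-04-01T09:10:00", "op": "device_join", "user": "jdoe", "ip": "203.0.113.7", "device": "DESKTOP-NEW01"},
    {"time": "2025-04-01T09:30:00", "op": "device_join", "user": "asmith", "ip": "10.20.0.15", "device": "LT-ASMITH"},
    {"time": "2025-04-01T11:00:00", "op": "containment", "user": "jdoe", "ip": ""},
    {"time": "2025-04-01T14:30:00", "op": "signin", "user": "jdoe", "ip": "203.0.113.7"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def is_corporate(ip):
    """True if the address lies inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def suspicious_device_joins(events):
    """Device joins from outside corporate ranges or from a flagged address.
    A fresh attacker-owned VM joined with a stolen account lands here."""
    hits = []
    for e in events:
        if e["op"] != "device_join":
            continue
        reasons = []
        if not is_corporate(e["ip"]):
            reasons.append("non-corporate source")
        if e["ip"] in FLAGGED_IPS:
            reasons.append("flagged IP")
        if reasons:
            hits.append({"device": e["device"], "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return hits

def post_containment_signins(events, window=timedelta(hours=24)):
    """Sign-ins by an account within `window` after it was contained:
    the 'back in a few hours later' behaviour described in the report."""
    contained, hits = {}, []
    for e in sorted(events, key=_ts):
        if e["op"] == "containment":
            contained[e["user"]] = _ts(e)
        elif e["op"] == "signin" and e["user"] in contained:
            if timedelta(0) < _ts(e) - contained[e["user"]] <= window:
                hits.append((e["user"], e["time"], e["ip"]))
    return hits
```

The second check only fires for accounts that were explicitly contained, so a containment event (password reset, session revocation) has to be logged for it to be useful.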
This Cyber News was published on therecord.media. Publication date: Thu, 10 Apr 2025 13:35:14 +0000