The FBI recently issued a private industry notification regarding Storm-0539, also known as Atlas Lion, a cyber criminal group based in Morocco. This group specializes in targeting retailers and creating fraudulent gift cards. Microsoft conducted a more thorough analysis of Storm-0539’s tactics, techniques, and procedures (TTPs), revealing their advanced reconnaissance abilities, utilization of cloud environments, and efforts to minimize operational costs.
According to Microsoft analysts, Storm-0539 excels at compromising and creating cloud-based attack infrastructure, allowing them to avoid typical upfront costs. The group masquerades as legitimate non-profits to cloud providers to obtain sponsored or discounted services, utilizes free trials or student accounts, and compromises recently registered WordPress domains to host fraudulent pages.
Storm-0539’s modus operandi involves identifying employees’ personal and work mobile phone numbers and emails through publicly available information. They then lure these employees with messages prompting them to click on a provided link. Once redirected to an adversary-in-the-middle (AiTM) phishing page, the victims unwittingly provide their credentials, enabling the attackers to register their own devices within the victim’s environment to receive multifactor authentication (MFA) prompts associated with the compromised account.
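From a defender's side, the device-registration step described above is a useful detection point. The following added example (not from Microsoft or the FBI notification) flags an MFA device registration that follows shortly after a sign-in from an IP address the user has not used before; the event schema, field names, baseline and 30-minute window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and event types are hypothetical,
# not the schema of any real identity provider's audit log.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "ip": "192.0.2.10"},
    {"time": "2024-05-01T09:05:00", "user": "alice", "type": "mfa_device_registered", "ip": "192.0.2.10"},
    {"time": "2024-05-01T10:00:00", "user": "bob", "type": "signin", "ip": "203.0.113.50"},
    {"time": "2024-05-01T10:07:00", "user": "bob", "type": "mfa_device_registered", "ip": "203.0.113.50"},
    {"time": "2024-05-01T11:00:00", "user": "carol", "type": "signin", "ip": "198.51.100.7"},
    {"time": "2024-05-01T13:00:00", "user": "carol", "type": "mfa_device_registered", "ip": "198.51.100.7"},
    {"time": "2024-05-01T14:00:00", "user": "dave", "type": "signin", "ip": "203.0.113.99"},
]

# Constructed baseline: IPs each user has previously signed in from.
KNOWN_IPS = {
    "alice": {"192.0.2.10"}, "bob": {"192.0.2.20"},
    "carol": {"192.0.2.30"}, "dave": {"192.0.2.40"},
}


def find_suspicious_registrations(events, known_ips, window=timedelta(minutes=30)):
    """Return MFA device registrations that occur within `window` after a
    sign-in by the same user from an IP outside that user's baseline."""
    last_unfamiliar = {}  # user -> (time, ip) of latest sign-in from an unknown IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "signin":
            # A later sign-in from a known IP does not clear the marker:
            # a phished session may still be live alongside the real user.
            if ev["ip"] not in known_ips.get(user, set()):
                last_unfamiliar[user] = (when, ev["ip"])
        elif ev["type"] == "mfa_device_registered" and user in last_unfamiliar:
            seen_at, ip = last_unfamiliar[user]
            if when - seen_at <= window:
                alerts.append({
                    "user": user,
                    "signin_ip": ip,
                    "registered_at": ev["time"],
                    "delay_minutes": int((when - seen_at).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(EVENTS, KNOWN_IPS):
        print(alert)
```

A hit is a lead for review rather than proof of compromise, since employees also enroll new devices while travelling or on new networks.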
Once an employee account within a targeted organization is compromised, Storm-0539 moves laterally through the network to pinpoint the gift card business process. The group then utilizes the compromised accounts to create fraudulent gift cards, which they either redeem for value, sell on black markets, or cash out through money mules. After one corporation detected their activities, Storm-0539 quickly adjusted their tactics by targeting unredeemed gift cards and changing associated email addresses to ones controlled by the group.
Microsoft has observed a 30% increase in intrusion activity by Storm-0539 over the past two months, likely in anticipation of the summer holiday season in the US. The criminal group has been operational since at least 2021 and continually adapts their techniques to circumvent defensive measures implemented by their preferred targets: large retailers, luxury brands, and fast-food establishments.
To mitigate the risk of a successful compromise by Storm-0539, Microsoft has recommended several countermeasures in a recent publication. These measures aim to enhance defenses against the group’s tactics and minimize the impact of their fraudulent activities on targeted organizations.
Overall, the threat posed by Storm-0539 highlights the evolving nature of cyber criminal activities and the importance of robust cybersecurity measures to safeguard against such threats. Organizations must remain vigilant and proactive in defending against sophisticated adversaries like Storm-0539 to protect their sensitive data and assets from exploitation.

