EXPEL BLOG

Observing Atlas Lion (part two): Winning the battle, with an eye on the war

· 4 MIN READ · BEN NAHORNEY AND JENNIFER MAYNARD · APR 14, 2025 · TAGS: Vulnerability management

TL;DR

  • In part one, we covered how Atlas Lion enrolled attacker-controlled virtual machines (VMs) into an organization’s domain, but was stopped.
  • The group’s attacks continued, switching tactics to leverage compromised accounts in reconnaissance attacks.
  • Vigilance in light of the original attacks uncovered this activity, putting a stop to the attack.


It’s easy to get caught up in the excitement of successfully stopping an attack early. It’s like in basketball, when the bad actor—ball in hand—heads for the proverbial net. But sensing their move, you swat the ball back downcourt. “Not in my house!” you shout. You might even throw in a few choice words about their poor taste in footwear.

But a basketball game isn’t won with one play; you’ve got to get through four quarters. And similarly, just because an attacker is discovered doesn’t mean they’re just going to lower their head, sigh, and shuffle off dejected.

We saw this recently in an incident involving a well-known attack group known as Atlas Lion. As we discussed in our previous blog, Why take control when you can enroll?, this attack group attempted a rather novel attack technique—onboarding an attacker-controlled virtual machine (VM) in the organization’s network. Thankfully, the VM was quickly identified and kicked off the network.


The watch never sleeps

Knowing about Atlas Lion’s perniciousness, our SOC kept a watchful eye on this organization’s network. And while doing some follow-up checks on common Atlas Lion IOCs shortly after the incident, our analysts identified additional signs that Atlas Lion wasn’t done targeting this organization yet.

It turned out that Atlas Lion’s initial SMS phishing campaign was relatively successful, netting the group roughly 18 sets of user credentials. For nine of these, the attackers managed to register MFA authentication apps, giving them the ability to further their attacks using these accounts.

As predicted, Atlas Lion didn’t just roll over and give up. Only a couple of hours after the attackers had enrolled the malicious VM (and were subsequently detected and kicked out), they began using these credentials to log into the network. At this point, their goal appeared to be reconnaissance—learning more about internal systems and processes. 

Once in, the attackers logged into popular applications used by the target organization. At one point they logged into 19 different applications within the space of 13 minutes, a pace that would be hard for a user to match by hand and that most likely means the attacker was running prewritten scripts from the authenticated session.

Much of the information the attackers gathered appears to have been stored in SharePoint. And they once again did so with superhuman speed—in one second (literally), they performed 378 operations, such as accessing, previewing, and downloading files, across 111 SharePoint pages.


Getting the lay of the land

It appears the attackers were specifically looking for resources related to ‘Bring Your Own Device’ policy configurations, device management software, and internal VPN setups, probably trying to learn how to avoid the pitfalls they encountered when they tried to enroll their VM. 

But in addition to this, Atlas Lion looked up information on a familiar goal of the group: obtaining gift cards. They appear to have looked through gift card issuance process docs, information about gift card refunds and exchanges, and even gift card fraud prevention policies. 

Atlas Lion took a novel, but ingeniously simple, approach to dive deeper into the target organization’s internal documentation. Upon discovering the user didn’t have adequate Confluence permissions, they simply raised tickets in the internal IT request application on behalf of the compromised user, requesting access. To IT, this would likely look as though the actual user just needed access to Confluence. Permission was granted, allowing the attackers to log in and gather further information from this application.

What’s also interesting is what the attackers didn’t do in the hopes of remaining undetected. While opening tickets for Confluence access, the attacker deliberately deleted the email paper trail as the messages arrived, to avoid raising suspicion over unexpected emails from IT. However, they didn’t create filtering rules to automatically remove these emails, because inbox rules of that kind often trigger security detections and alert security teams to the presence of an intruder.


Vigilance in the face of opposition

While the initial attack that involved enrolling a VM was detected and stopped, that didn’t stop the attackers from progressing with their campaign. This shows how important resilience is in incidents like this. While it’s true the attacker gained access to process-related documents within the organization, the important thing to highlight is that this activity was detected and they were stopped from succeeding in their ultimate objective: stealing large quantities of gift cards from the organization.

There are a few important things to watch out for here. The first is to keep a close eye on where users are logging in from. If the IP addresses that a user logs in from don’t line up with their typical location, this should raise an alert—even if the account manages to authenticate using MFA. Changes to a user’s password, shortly followed by the registration of new MFA devices (like in this case), should also be investigated. Naturally, a user’s login credentials should be reset if you suspect that their account has been compromised.

It’s also important to keep an eye out for unusual activity surrounding internal applications. If a user rapidly logs into a series of apps in a short timespan, or accesses hundreds of documents in a matter of seconds, the user’s account should be temporarily suspended and investigated for unauthorized activity.
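As an added example (not Expel’s own detection logic), the following Python sketch applies the checks from the two paragraphs above to constructed sign-in and SharePoint events: a burst of distinct application logins, a burst of SharePoint operations within a second, and an MFA registration shortly after a password change. The event names, users, timestamps and thresholds are assumptions to be tuned against your own baseline, and the source-location check is left to the identity provider.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the incident): (timestamp, user, event_type,
# target). In practice these come from identity-provider and SharePoint audit logs.
SAMPLE_EVENTS = [
    ("2025-04-01T09:00:00", "alice", "password_changed", "-"),
    ("2025-04-01T09:20:00", "alice", "mfa_registered", "authenticator-app"),
    ("2025-04-01T11:00:00", "alice", "app_login", "Mail"),
    ("2025-04-01T11:00:30", "alice", "app_login", "SharePoint"),
    ("2025-04-01T11:00:45", "alice", "app_login", "Confluence"),
    ("2025-04-01T11:01:20", "alice", "app_login", "IT Requests"),
    ("2025-04-01T11:05:00", "alice", "sharepoint_op", "GiftCardProcess.docx"),
    ("2025-04-01T11:05:00", "alice", "sharepoint_op", "BYOD-Policy.pdf"),
    ("2025-04-01T11:05:00", "alice", "sharepoint_op", "VPN-Setup.docx"),
    ("2025-04-01T13:30:00", "bob", "app_login", "Mail"),      # benign baseline user
]

def _by_user(events):
    """Group events per user as time-sorted (timestamp, event_type, target)."""
    grouped = defaultdict(list)
    for ts, user, kind, target in events:
        grouped[user].append((datetime.fromisoformat(ts), kind, target))
    return {u: sorted(evs) for u, evs in grouped.items()}

def burst_users(events, kind, window_s, threshold, distinct=False):
    """Users with >= threshold `kind` events (unique targets if distinct) in any window_s-second span."""
    window, hits = timedelta(seconds=window_s), []
    for user, evs in _by_user(events).items():
        items = [(t, tg) for t, k, tg in evs if k == kind]
        seen, best, start = Counter(), 0, 0
        for end, (t, target) in enumerate(items):
            seen[target] += 1
            while t - items[start][0] > window:   # drop events that fell out of the window
                seen[items[start][1]] -= 1
                start += 1
            best = max(best, sum(v > 0 for v in seen.values()) if distinct else end - start + 1)
        if best >= threshold:
            hits.append(user)
    return hits

def password_then_mfa(events, window_s):
    """Users who registered an MFA method within `window_s` seconds after a password change."""
    window, hits = timedelta(seconds=window_s), []
    for user, evs in _by_user(events).items():
        changes = [t for t, k, _ in evs if k == "password_changed"]
        regs = [t for t, k, _ in evs if k == "mfa_registered"]
        if any(timedelta(0) <= r - c <= window for r in regs for c in changes):
            hits.append(user)
    return hits
```

On the sample data only `alice` trips all three checks; in production the account flagged this way is the one to suspend and investigate, as the post recommends.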

But most of all, it’s important to stay vigilant in the face of a well-coordinated attack. Just because you manage to stop them once, doesn’t mean they won’t be back to try again. You’ve got to play through all four quarters to win the game.