New TruffleNet BEC Campaign Leverages AWS SES Using Stolen...
Identity compromise has become one of the most significant threats facing cloud infrastructure, particularly when attackers gain access to legitimate credentials.
These valid access keys enable adversaries to bypass traditional security defenses, creating opportunities for widespread exploitation.
Amazon Web Services environments have witnessed a surge in such attacks, with the Simple Email Service emerging as a preferred tool for conducting malicious email operations at scale.
The service provides attackers with a reliable, scalable platform to execute phishing campaigns and Business Email Compromise schemes once they’ve obtained valid AWS credentials.
FortiGuard Labs recently uncovered a sophisticated campaign that exploits stolen AWS credentials to abuse the Simple Email Service.
During this investigation, researchers identified a massive attack infrastructure known as TruffleNet, which leverages the open-source secret-scanning tool TruffleHog to systematically validate compromised credentials and conduct reconnaissance across AWS environments.
The campaign involved activity from over 800 unique hosts distributed across 57 distinct Class C networks, demonstrating the operation’s unprecedented scale and coordination.
Fortinet researchers noted that the infrastructure exhibited remarkably consistent characteristics, including specific port configurations and the presence of Portainer, a container management platform.
The initial TruffleNet connections typically began with a simple GetCallerIdentity API call to verify credential validity, followed by GetSendQuota queries targeting Amazon Simple Email Service.
Unlike typical cloud attacks that rely on VPN services or Tor nodes, the vast majority of TruffleNet IP addresses showed no prior malicious reputation, suggesting purpose-built infrastructure dedicated exclusively to this campaign.
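Because the source addresses carried no prior reputation, the call sequence itself is the more useful signal for defenders. The following is an added example, not code from FortiGuard Labs or the original article: it scans CloudTrail-shaped records for an access key that calls GetCallerIdentity and then GetSendQuota shortly afterwards. The sample records, key IDs, IP addresses and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment

def ev(time, source, name, ip, key):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed records: documentation-range IPs and placeholder key IDs.
SAMPLE_EVENTS = [
    ev("2025-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.10", "EXAMPLEKEY1"),
    ev("2025-01-01T10:00:05Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.10", "EXAMPLEKEY1"),
    ev("2025-01-01T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.7", "EXAMPLEKEY2"),
    ev("2025-01-01T12:00:00Z", "ses.amazonaws.com", "GetSendQuota", "192.0.2.44", "EXAMPLEKEY3"),
    ev("2025-01-01T13:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.99", "EXAMPLEKEY4"),
    ev("2025-01-01T13:45:00Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.99", "EXAMPLEKEY4"),
]

def parse_time(value):
    """Parse the UTC timestamp format used in CloudTrail's eventTime field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_validation_then_ses_probe(events, window=WINDOW):
    """Flag keys that call GetCallerIdentity and then GetSendQuota within `window`."""
    last_identity_check = {}  # access key id -> (time, source IP) of latest check
    findings = []
    for e in sorted(events, key=lambda r: parse_time(r["eventTime"])):
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # record carries no long-term or session key to correlate on
        when = parse_time(e["eventTime"])
        call = (e["eventSource"], e["eventName"])
        if call == ("sts.amazonaws.com", "GetCallerIdentity"):
            last_identity_check[key] = (when, e["sourceIPAddress"])
        elif call == ("ses.amazonaws.com", "GetSendQuota") and key in last_identity_check:
            checked_at, checked_ip = last_identity_check[key]
            if when - checked_at <= window:
                findings.append({"accessKeyId": key, "identityCheckIp": checked_ip,
                                 "sesProbeIp": e["sourceIPAddress"],
                                 "secondsApart": int((when - checked_at).total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_validation_then_ses_probe(SAMPLE_EVENTS):
        print(finding)
```

A finding is most meaningful for keys that have no legitimate reason to touch SES, so pairing the output with an inventory of workloads that actually send mail reduces noise.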
Source: Cybersecurity News