New TruffleNet BEC Campaign Leverages AWS SES Using Stolen Credentials to Compromise 800+ Hosts


Identity compromise has become one of the most significant threats facing cloud infrastructure, particularly when attackers gain access to legitimate credentials.

These valid access keys enable adversaries to bypass traditional security defenses, creating opportunities for widespread exploitation.

Amazon Web Services environments have witnessed a surge in such attacks, with the Simple Email Service emerging as a preferred tool for conducting malicious email operations at scale.

The service provides attackers with a reliable, scalable platform to execute phishing campaigns and Business Email Compromise schemes once they’ve obtained valid AWS credentials.

FortiGuard Labs recently uncovered a sophisticated campaign that exploits stolen AWS credentials to abuse the Simple Email Service.

During this investigation, researchers identified a massive attack infrastructure known as TruffleNet, which leverages the open-source secret-scanning tool TruffleHog to systematically validate compromised credentials and conduct reconnaissance across AWS environments.


TruffleNet Reconnaissance Topology (Source – Fortinet)

The campaign involved activity from over 800 unique hosts distributed across 57 distinct Class C networks, demonstrating the operation’s unprecedented scale and coordination.

Fortinet researchers noted that the infrastructure exhibited remarkably consistent characteristics, including specific port configurations and the presence of Portainer, a container management platform.

The initial TruffleNet connections typically began with a simple GetCallerIdentity API call to verify credential validity, followed by GetSendQuota queries targeting Amazon Simple Email Service.

Unlike typical cloud attacks that rely on VPN services or TOR nodes, the vast majority of TruffleNet IP addresses showed no prior malicious reputation, suggesting purpose-built infrastructure dedicated exclusively to this campaign.

Further analysis revealed that adversaries utilized compromised WordPress sites to obtain DKIM cryptographic keys, subsequently configuring AWS SES to send emails on their behalf.

This sophisticated technique involved creating multiple email identities within SES using stolen authentication credentials, enabling attackers to impersonate legitimate organizations.

The campaign culminated in targeted Business Email Compromise attacks against the oil and gas sector, with fraudsters sending invoices purporting to be from ZoomInfo and requesting $50,000 ACH payments.

The fraudulent communications directed payment inquiries to typosquatted domains, demonstrating the attackers’ attention to detail in maintaining credibility throughout the social engineering process.

Technical Infrastructure and Attack Methodology

The TruffleNet infrastructure demonstrated sophisticated operational security through its tiered architecture design.

Host-level analysis identified 10 hosting autonomous system numbers, with the majority mapped to US-based providers WS Telecom Inc. and Hivelocity LLC.

Most hosts kept ports 5432 and 3389 open, although the services listening on them were not the standard PostgreSQL and RDP ones those ports are normally assigned to.

The deployment of Portainer across numerous nodes provided attackers with a centralized management interface, effectively functioning as infrastructure-as-a-service for coordinating large-scale credential testing operations.

Identity Compromise and BEC (Source – Fortinet)

The attack progression involved multiple AWS API calls executed in a specific sequence. Following initial reconnaissance, attackers attempted privilege escalation by creating new IAM identities, though this effort failed in several instances.

However, one compromised user account possessed sufficient privileges to interact directly with SES. The CreateEmailIdentity API request included stolen DKIM signing attributes from previously compromised domains, with the following technical implementation observed in FortiGuard Labs’ analysis:

{
  "dkimSigningAttributes": {
    "domainSigningAttributesOrigin": "AWS_SES_US_EAST_1",
    "domainSigningPrivateKey": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "emailIdentity": "cfp-impactaction[.]com"
}

This request parameter demonstrates how attackers weaponized legitimate AWS functionality by importing compromised cryptographic keys from external sources.
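The two behaviours described above, the GetCallerIdentity-then-GetSendQuota probe and a CreateEmailIdentity request that carries an imported DKIM private key, are both visible in CloudTrail. The script below is an added detection example, not Fortinet's or FortiCNAPP's code. It runs over constructed CloudTrail-shaped records (the access key ids, IP addresses, timestamps and domain names are made up; the field names follow CloudTrail's JSON layout and the ten-minute correlation window is an assumption) and reports, per access key, the reconnaissance sequence and any SES identity created with a caller-supplied signing key.

```python
"""Flag TruffleNet-style credential validation and SES identity abuse in CloudTrail.

Added example, not code from the original article or from Fortinet.
Sample records are constructed to mimic CloudTrail's JSON shape.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (made-up keys, IPs, times and domains).
SAMPLE_EVENTS = json.dumps([
    {"eventTime": "2025-10-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-10-01T12:00:02Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2025-10-01T12:05:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {
         "emailIdentity": "example-identity.test",
         "dkimSigningAttributes": {
             "domainSigningAttributesOrigin": "AWS_SES_US_EAST_1",
             "domainSigningPrivateKey": "HIDDEN_DUE_TO_SECURITY_REASONS"}}},
    # Benign: an identity check with no SES probe shortly afterwards.
    {"eventTime": "2025-10-01T13:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
    # Benign: identity created without an imported private key.
    {"eventTime": "2025-10-01T14:00:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "CreateEmailIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"},
     "requestParameters": {"emailIdentity": "corp-mail.test"}},
    # Benign: a quota check hours after the unrelated identity call.
    {"eventTime": "2025-10-01T18:30:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
])

RECON_WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse_events(raw_json):
    """Load CloudTrail-style records and sort them by event time."""
    events = json.loads(raw_json)
    for e in events:
        e["_time"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["_time"])


def _access_key(event):
    return event.get("userIdentity", {}).get("accessKeyId", "unknown")


def find_recon_sequences(events, window=RECON_WINDOW):
    """One finding per sts:GetCallerIdentity followed by ses:GetSendQuota
    from the same access key within `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[_access_key(e)].append(e)
    findings = []
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if (e["eventName"], e["eventSource"]) != ("GetCallerIdentity", "sts.amazonaws.com"):
                continue
            for later in evs[i + 1:]:
                gap = later["_time"] - e["_time"]
                if gap > window:
                    break  # events are time-sorted, nothing later can match
                if (later["eventName"], later["eventSource"]) == ("GetSendQuota", "ses.amazonaws.com"):
                    findings.append({"accessKeyId": key,
                                     "sourceIPAddress": e.get("sourceIPAddress"),
                                     "seconds_between": int(gap.total_seconds())})
                    break
    return findings


def find_imported_dkim_identities(events):
    """CreateEmailIdentity calls whose request carries a caller-supplied
    DKIM private key rather than letting SES generate one."""
    findings = []
    for e in events:
        if e["eventName"] != "CreateEmailIdentity":
            continue
        params = e.get("requestParameters") or {}
        attrs = params.get("dkimSigningAttributes") or {}
        if "domainSigningPrivateKey" in attrs:
            findings.append({"accessKeyId": _access_key(e),
                             "emailIdentity": params.get("emailIdentity"),
                             "origin": attrs.get("domainSigningAttributesOrigin")})
    return findings


def correlate(events):
    """Imported-key identities created by a key that also ran the recon probe."""
    recon_keys = {f["accessKeyId"] for f in find_recon_sequences(events)}
    return [f for f in find_imported_dkim_identities(events)
            if f["accessKeyId"] in recon_keys]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("recon sequences:", find_recon_sequences(evs))
    print("imported DKIM identities:", find_imported_dkim_identities(evs))
    print("correlated:", correlate(evs))
```

The probe alone is weak evidence, since administrators also call GetCallerIdentity, so the script keys the finding on the short gap to a GetSendQuota from the same access key and then raises confidence when that key also registers an SES identity with an imported signing key. In production the same logic would run over CloudTrail exports or Athena query results rather than the inline sample.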

Six email identities were ultimately established during the campaign, including domains such as cfp-impactaction[.]com, cndbenin[.]com, and novainways[.]com.

Several of these domains shared hosting infrastructure in France and exhibited connections to other malicious activities, including XMRig cryptomining operations and the Coroxy trojan.

The attackers executed their Business Email Compromise operation immediately following infrastructure preparation, sending vendor onboarding invoices with legitimate-appearing W-9 forms containing publicly available employer identification numbers to enhance credibility.

FortiCNAPP’s composite alerting technology successfully detected the campaign by evaluating multiple behavioral indicators simultaneously, including anomalous cloud connections, suspicious automation activity, and offensive tool usage.

The platform generated high-confidence alerts that correlated network anomalies with behavioral deviations, providing security teams with actionable intelligence to respond to the identity-driven threat effectively.
