‘TruffleNet’ Attack Wields Stolen Credentials Against AWS

Summary

Fortinet researchers have identified a large-scale campaign dubbed “TruffleNet” that weaponises stolen AWS credentials to probe and abuse Amazon Simple Email Service (SES). The attackers use a framework built around the open-source secret-hunting tool TruffleHog and lightweight orchestration tools such as Portainer to run reconnaissance at scale across compromised AWS accounts.

The observed activity focuses on identity checks (GetCallerIdentity) and SES-focused queries (GetSendQuota) rather than immediate privilege escalation, suggesting a tiered infrastructure: some nodes scan and validate credentials while others are reserved for later abuse. Once access is confirmed, attackers register SES sending identities (frequently DKIM-verified against domains hosted on compromised WordPress sites) and run downstream business email compromise (BEC) scams, for example vendor-onboarding W-9 invoice fraud using typosquatted domains.

Key Points

  • TruffleNet pairs TruffleHog with bulk credential validation (the article calls it credential stuffing) to test stolen AWS keys systematically across many hosts and networks.
  • Attackers use Portainer and similar legitimate DevOps tools as lightweight control planes to coordinate malicious nodes at scale.
  • The first AWS calls observed were sts:GetCallerIdentity and ses:GetSendQuota, i.e. reconnaissance rather than immediate exploitation. GetCallerIdentity needs no IAM permission and cannot be denied by policy, so it succeeds for any valid key (TruffleHog's own AWS verifier uses it); GetSendQuota then reveals the account's daily sending limit and send rate, i.e. how much mail the key can push.
  • Confirmed compromises enable SES abuse: attackers create DKIM-backed sending identities and launch BEC/fraud campaigns (e.g. fake W-9 invoices, typosquatted payment sites).
  • Most source IPs used had no prior reputation flags, indicating bespoke malicious infrastructure designed to evade detection.
  • Defensive recommendations include continuous monitoring, least-privilege access, behavioural analytics, and composite alerting to detect identity misuse.

Context and relevance

This story highlights a continuing shift: identity compromise is now a primary vector for large-scale cloud abuse. Attackers are combining open-source tools, credential theft, and legitimate cloud services (SES) to scale fraud with low noise. Organisations that rely on AWS and use automated email services should regard this as a timely reminder that valid credentials can be indistinguishable from normal usage unless defenders have identity-aware visibility.

It matters because cloud-first operations and DevOps tooling reduce friction for both administrators and attackers. The use of Portainer as a management surface and the minimal API calls observed show adversaries are optimising for stealth and scalability — a trend that aligns with other recent cloud attacks where identity is the pivot to downstream fraud and data access.

Why should I read this?

Short answer: if you touch AWS or run automated email, this matters. Attackers are quietly testing stolen keys and then weaponising SES for convincing BEC scams. Read this so you don’t get caught out — it’s a neat, practical example of how a few API calls and legitimate tools can lead to costly fraud. We’ve done the slog and pulled the essentials out for you.

Actionable takeaways

  • Enforce least-privilege IAM policies so that only the identities which actually send mail hold ses:* permissions; prefer short-lived role credentials over long-lived access keys, rotate the keys you cannot remove, and treat every long-lived key as high-risk. Scan your own repositories, images and configs with TruffleHog or a similar tool so leaked keys are found before an attacker's scanner finds them.
  • Ensure CloudTrail covers every region and alert on the validate-then-probe sequence (sts:GetCallerIdentity followed by ses:GetSendQuota from the same access key), particularly from source IPs or user agents that key has not used before. GetCallerIdentity cannot be denied by IAM policy, so it is an indicator to detect, not an action to block.
  • Use behavioural analytics and composite alerting to correlate unusual cloud automation and identity usage across services.
  • Monitor for new SES sending identities and DKIM/SPF changes: alert on CloudTrail events such as VerifyDomainIdentity, VerifyDomainDkim and CreateEmailIdentity, watch your DNS zones for DKIM/SPF records you did not publish, and tie every sending-configuration change back to the user or role that made it.
  • Harden DevOps tooling (Portainer, container UIs) with strong authentication, network controls and logging to prevent misuse as a command-and-control layer.
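
As an added example (this is not code from the Dark Reading article or from Fortinet's research), the following script shows what the monitoring and composite-alerting takeaways above look like as detection logic over CloudTrail records. It flags the validate-then-probe sequence (GetCallerIdentity followed by GetSendQuota from the same access key) only when the source IP is outside that key's baseline, and separately flags every call that creates or verifies an SES sending identity, attributed to the principal that made it. The eventSource and eventName strings are the API names as CloudTrail records them; the access key IDs, account number, user names, IP addresses, timestamps, domain and baseline data are all constructed sample data.

```python
# Added example (not from the article or Fortinet): composite CloudTrail detection
# for TruffleNet-style SES reconnaissance and new-identity setup. Runs offline on
# the constructed records at the bottom of the file.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STS, SES = "sts.amazonaws.com", "ses.amazonaws.com"
RECON_WINDOW = timedelta(minutes=10)
# SES v1/v2 API names, as CloudTrail records them, that add a sending identity
# or its DKIM configuration.
IDENTITY_SETUP_EVENTS = {"VerifyDomainIdentity", "VerifyDomainDkim", "VerifyEmailIdentity",
                         "CreateEmailIdentity", "PutEmailIdentityDkimAttributes"}


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _key(rec):
    return rec["userIdentity"].get("accessKeyId", "unknown")


def detect_ses_recon(records, baseline_ips):
    """GetCallerIdentity followed by GetSendQuota (same key, within RECON_WINDOW)
    from a source IP that key was never seen using in the baseline period.
    A hit from a known IP is treated as normal automation and ignored."""
    by_key = defaultdict(list)
    for rec in sorted(records, key=_ts):
        by_key[_key(rec)].append(rec)
    alerts = []
    for key, recs in by_key.items():
        for i, rec in enumerate(recs):
            if (rec["eventSource"], rec["eventName"]) != (STS, "GetCallerIdentity"):
                continue
            for later in recs[i + 1:]:
                if _ts(later) - _ts(rec) > RECON_WINDOW:
                    break
                if (later["eventSource"], later["eventName"]) == (SES, "GetSendQuota"):
                    ip = later["sourceIPAddress"]
                    if ip not in baseline_ips.get(key, set()):
                        alerts.append({"rule": "ses-recon-from-new-ip", "accessKeyId": key,
                                       "sourceIPAddress": ip, "userAgent": later["userAgent"],
                                       "seconds_between": int((_ts(later) - _ts(rec)).total_seconds())})
                    break  # one alert per validation call
    return alerts


def detect_identity_setup(records):
    """Every call that creates/verifies an SES identity, tied back to its principal."""
    alerts = []
    for rec in records:
        if rec["eventSource"] == SES and rec["eventName"] in IDENTITY_SETUP_EVENTS:
            p = rec.get("requestParameters") or {}
            alerts.append({"rule": "ses-identity-setup", "accessKeyId": _key(rec),
                           "principal": rec["userIdentity"]["arn"],
                           "identity": p.get("domain") or p.get("emailIdentity") or p.get("emailAddress", ""),
                           "sourceIPAddress": rec["sourceIPAddress"]})
    return alerts


def _rec(t, key, user, source, name, ip, ua="aws-cli/2.15.0", params=None):
    """Minimal CloudTrail-shaped record; all values passed in below are constructed sample data."""
    return {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userAgent": ua, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}


# Constructed sample: a legitimate mail service from its usual IP, and a stolen CI
# key validated and probed from an IP it has never used, then used to verify DKIM
# for a new sending domain.
SAMPLE_RECORDS = [
    _rec("2025-11-01T09:00:00Z", "AKIAEXAMPLEMAILSVC", "mail-svc", STS, "GetCallerIdentity", "198.51.100.10", "Boto3/1.34.0"),
    _rec("2025-11-01T09:00:02Z", "AKIAEXAMPLEMAILSVC", "mail-svc", SES, "GetSendQuota", "198.51.100.10", "Boto3/1.34.0"),
    _rec("2025-11-01T10:00:00Z", "AKIAEXAMPLESTOLEN", "ci-deploy", STS, "GetCallerIdentity", "203.0.113.7"),
    _rec("2025-11-01T10:00:03Z", "AKIAEXAMPLESTOLEN", "ci-deploy", SES, "GetSendQuota", "203.0.113.7"),
    _rec("2025-11-01T10:06:41Z", "AKIAEXAMPLESTOLEN", "ci-deploy", SES, "VerifyDomainDkim", "203.0.113.7",
         params={"domain": "vendor-portal.example"}),
]
# Source IPs each key used during a baseline period (constructed). 203.0.113.7 is new.
BASELINE_IPS = {"AKIAEXAMPLEMAILSVC": {"198.51.100.10"}, "AKIAEXAMPLESTOLEN": {"192.0.2.25"}}

if __name__ == "__main__":
    for alert in detect_ses_recon(SAMPLE_RECORDS, BASELINE_IPS) + detect_identity_setup(SAMPLE_RECORDS):
        print(alert)
```

In a real deployment the baseline would be built from the previous weeks of CloudTrail per access key, and the two rules would be correlated on accessKeyId so that a recon hit followed by an identity-setup call from the same key raises the severity. The sequence plus the unfamiliar source is the signal; GetCallerIdentity on its own is noise, and it cannot be blocked by IAM anyway.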

Source

Source: https://www.darkreading.com/vulnerabilities-threats/trufflenet-attack-stolen-credentials-aws