Full Report
Attackers are abusing Amazon Web Services’ (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance. In some cases, threat actors even use compromised environments to perform downstream business email compromise (BEC) attacks. An emerging threat campaign is using stolen credentials to target SES, Amazon’s email automation service,…
Analysis Summary
# Tool/Technique: TruffleNet Campaign Abuse of AWS SES
## Overview
TruffleNet is an emerging threat campaign where attackers leverage stolen credentials to systematically target and abuse Amazon Web Services (AWS) Simple Email Service (SES). The goal is credential validation, network reconnaissance within AWS environments, and in some cases, execution of downstream Business Email Compromise (BEC) attacks. The campaign relies on legitimate open-source tools for its operations.
## Technical Details
- Type: Campaign / Technique (Abuse of legitimate service)
- Platform: Amazon Web Services (AWS), specifically utilizing AWS SES. Relies on tools that run on attacker-controlled infrastructure (likely cloud or compromised systems).
- Capabilities: Credential testing/validation, large-scale network reconnaissance within AWS, and potential for BEC attacks using the compromised SES access.
- First Seen: Contextually recent, described as an "emerging threat campaign."
## MITRE ATT&CK Mapping
The primary activity described centers on leveraging existing access (stolen credentials) to probe an environment and utilize cloud services for communication/delivery.
- **TA0006 - Credential Access** (Implied initial stage, as stolen credentials are used)
  - T1003 - OS Credential Dumping (Not explicitly detailed, but necessary for obtaining credentials)
- **TA0007 - Discovery**
  - T1595 - Active Scanning / Reconnaissance (Through systematic SES testing/probing)
- **TA0011 - Command and Control** (Using SES for communication/delivery can potentially map here depending on the abuse pattern)
  - T1573 - Encrypted Channel (AWS services inherently use encrypted channels)
- **TA0001 - Initial Access** (Leveraging compromised credentials for access)
  - T1078.004 - Valid Accounts: Cloud Accounts
## Functionality
### Core Capabilities
- **Credential Validation:** Systematically testing a large volume of stolen credentials against AWS resources.
- **Service Abuse:** Utilizing AWS SES for its intended purpose (email automation/sending) but at scale for malicious ends (reconnaissance or BEC).
- **Large-Scale Operations:** The infrastructure recorded activity from over 800 unique hosts across 57 distinct Class C networks, suggesting scalable, distributed abuse.
### Advanced Features
- **Infrastructure Configuration:** Consistent configurations across compromised environments, including the presence of open ports and the use of **Portainer** (an open-source management UI for Docker/Kubernetes), indicating containerization or simplified orchestration of attack infrastructure.
- **Downstream BEC:** Using compromised SES access to perform Business Email Compromise attacks against other organizations or individuals.
## Indicators of Compromise
*Note: Since the primary attack vector involves abusing a legitimate AWS service (SES) with legitimate tools, specific IOCs like file hashes are not provided in the context. Network indicators relate to the infrastructure hosting the tools.*
- File Hashes: N/A (Focus is on abuse of legitimate tools)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (No specific C2 domains provided; the only network detail is the scale of the attacker's footprint: 800+ hosts across 57 Class C networks)
- Behavioral Indicators: Systematic testing of compromised credentials against AWS. Presence of Portainer in the attacker's compromised environments.
## Associated Threat Actors
- The context does not name a formally recognized threat group; the researchers who identified the campaign infrastructure dubbed it "TruffleNet."
## Detection Methods
- Signature-based detection is difficult as legitimate tools are used.
- **Behavioral detection:** Monitoring for anomalous patterns of AWS SES usage originating from compromised or suspicious sets of credentials (e.g., massive spikes in SES API calls or high failure rates followed by success). Monitoring for the co-occurrence of cloud account compromise and standard discovery techniques (T1595).
- **Infrastructure Monitoring:** Detecting the consistent presence of management tools like Portainer alongside unexpected network activity on compromised hosts.
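The behavioral signals listed above (a burst of SES API calls from one access key, and a run of failures followed by success) can be checked directly against CloudTrail. The following is an added example, not code from the original report or from the researchers who described TruffleNet: it runs over a handful of constructed CloudTrail-style records embedded inline, groups SES events by access key ID, and flags keys whose activity matches either pattern. The thresholds, field names beyond the standard CloudTrail schema, and the sample access key IDs are assumptions made for the example.

```python
"""Flag AWS access keys whose SES activity looks like systematic credential
validation: many SES calls in a short window, and/or a run of errors that
ends in a successful call. Added example using constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (not real log data). Field names follow
# the CloudTrail record schema; errorCode is present only on failed calls.
SAMPLE_EVENTS = [
    # A normal application key: a few successful sends spread over an hour.
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_APP"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-06-01T10:20:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_APP"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-06-01T10:30:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_APP"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-06-01T10:45:00Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_APP"}, "sourceIPAddress": "203.0.113.10"},
    # A suspicious key: rapid calls from several addresses, errors then success.
    {"eventTime": "2024-06-01T11:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.1", "errorCode": "AccessDenied"},
    {"eventTime": "2024-06-01T11:00:05Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.2", "errorCode": "AccessDenied"},
    {"eventTime": "2024-06-01T11:00:10Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.3", "errorCode": "AccessDenied"},
    {"eventTime": "2024-06-01T11:00:15Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.1"},
    {"eventTime": "2024-06-01T11:00:20Z", "eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.2"},
    {"eventTime": "2024-06-01T11:00:25Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.3"},
    {"eventTime": "2024-06-01T11:00:30Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.1"},
    {"eventTime": "2024-06-01T11:00:35Z", "eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"accessKeyId": "AKIA_CONSTRUCTED_SUSPECT"}, "sourceIPAddress": "198.51.100.2"},
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ses_events_by_key(events):
    """Keep only SES events and group them, time-sorted, by access key ID."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append(ev)
    for evs in by_key.values():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
    return by_key


def max_calls_in_window(events, window=timedelta(seconds=60)):
    """Largest number of (time-sorted) events that fall inside one window."""
    times = [_parse_time(e["eventTime"]) for e in events]
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def errors_before_first_success(events):
    """Length of the run of failed calls that precedes the first success."""
    run = 0
    for ev in events:
        if "errorCode" in ev:
            run += 1
        else:
            break
    return run


def analyse(events, burst_threshold=5, error_run_threshold=3):
    """Return per-key statistics and a suspicious flag with its reasons.
    Thresholds are assumptions for the example, not values from the report."""
    findings = {}
    for key, evs in ses_events_by_key(events).items():
        burst = max_calls_in_window(evs)
        error_run = errors_before_first_success(evs)
        reasons = []
        if burst >= burst_threshold:
            reasons.append(f"{burst} SES calls within 60s")
        if error_run_threshold <= error_run < len(evs):
            reasons.append(f"{error_run} failed calls before the first success")
        findings[key] = {
            "total": len(evs),
            "burst": burst,
            "error_run": error_run,
            "source_ips": sorted({e.get("sourceIPAddress") for e in evs}),
            "suspicious": bool(reasons),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for key, f in analyse(SAMPLE_EVENTS).items():
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{key}: {status} {f['reasons']} from {f['source_ips']}")
```

In production the same logic would read CloudTrail from S3 or CloudWatch Logs rather than an inline list; the source IP set is reported alongside the flags because a single key used from many addresses in quick succession is useful corroborating context even though it is not a threshold on its own here.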
## Mitigation Strategies
- **Credential Security:** Implementing strong Multi-Factor Authentication (MFA) on all AWS accounts, especially those capable of API access or SES usage.
- **Principle of Least Privilege:** Restricting IAM policies to only allow necessary actions, limiting the scope of damage if credentials are stolen.
- **Service Monitoring:** Implementing strict rate limiting and anomaly detection specifically on AWS SES API usage tied to potentially compromised credentials.
- **Environment Hardening:** Auditing environments for unnecessary open ports and for container management tools such as Portainer that are not explicitly required and secured.
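The least-privilege point above is concrete enough to check mechanically: an IAM policy that grants `ses:*` or `*` on `Resource: "*"` lets a stolen key do far more than send mail. The following is an added example, not code from the original report: it expands the action patterns in two constructed policy documents against a small reference subset of SES actions and reports any statement that grants more than a send-only allowlist or uses a wildcard resource. The reference action subset, the allowlist, the account ID and the domain in the sample policies are assumptions made for the example.

```python
"""Audit IAM policy documents for over-broad SES grants. Added example with
constructed sample policies; the SES action list below is a subset used as
the expansion reference, not the complete list of SES actions."""
import fnmatch

OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Scoped to two send actions, one verified identity and one From address.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
            "Condition": {"StringEquals": {"ses:FromAddress": "noreply@example.com"}},
        }
    ],
}

# Reference subset of SES actions that wildcards are expanded against.
SES_ACTIONS = {
    "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail",
    "ses:GetSendQuota", "ses:GetAccount", "ses:ListIdentities",
    "ses:VerifyEmailIdentity", "ses:CreateEmailIdentity", "ses:DeleteIdentity",
    "ses:UpdateAccountSendingEnabled",
}

# What an application that only needs to send mail should be allowed to do.
SEND_ONLY_ALLOWLIST = {"ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def expand_actions(patterns):
    """Set of reference SES actions covered by the given action patterns."""
    granted = set()
    for pattern in patterns:
        granted |= {a for a in SES_ACTIONS if _matches(pattern, a)}
    return granted


def audit_ses_grants(policy, allowlist=SEND_ONLY_ALLOWLIST):
    """Return one finding per Allow statement that grants SES actions outside
    the allowlist or applies to every resource."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            # NotAction grants everything except the listed patterns.
            granted = SES_ACTIONS - expand_actions(_as_list(statement["NotAction"]))
        else:
            granted = expand_actions(_as_list(statement.get("Action")))
        if not granted:
            continue
        excess = sorted(granted - allowlist)
        wildcard_resource = "*" in _as_list(statement.get("Resource"))
        if excess or wildcard_resource:
            findings.append({
                "statement": index,
                "excess_actions": excess,
                "wildcard_resource": wildcard_resource,
                "has_condition": "Condition" in statement,
            })
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_ses_grants(policy) or "no findings")
```

The same check can be pointed at policy documents pulled with the IAM API; statements with `NotAction` are expanded as "everything except", since they are an easy way to grant `ses:*` without the string appearing in the policy.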
## Related Tools/Techniques
- **TruffleHog:** Explicitly named as the open-source secret-scanning tool around which the TruffleNet infrastructure is built. TruffleHog is primarily used for secret scanning and credential discovery.
- **Portainer:** Used for simplifying container deployment/orchestration, suggesting the attackers are running their validation/scanning infrastructure via Docker/Kubernetes.
- **Business Email Compromise (BEC) techniques:** The ultimate downstream goal mentioned for some attack paths.