Full Report
Researchers uncovered a coordinated campaign leveraging stolen AWS credentials to automate reconnaissance and abuse Amazon Simple Email Service (SES) for Business Email Compromise (BEC) operations. The attackers used a custom infrastructure dubbed TruffleNet, built around the ...
Analysis Summary
# Incident Report: TruffleNet Campaign Exploiting AWS SES for BEC Fraud
## Executive Summary
A coordinated, large-scale campaign exploiting stolen AWS credentials, dubbed TruffleNet, was uncovered. It automates reconnaissance against compromised accounts and abuses Amazon Simple Email Service (SES) for Business Email Compromise (BEC) fraud. The attackers ran custom infrastructure built around the open-source TruffleHog secret-scanning tool to validate access across hundreds of AWS environments, then pivoted to sending phishing mail from legitimate, compromised email identities verified in SES.
## Incident Details
- Discovery Date: October 31, 2025 (Publication Date)
- Incident Date: Ongoing campaign prior to discovery
- Affected Organization: Multiple AWS environments targeted (Not specified individually)
- Sector: VARIED (Targeting organizations susceptible to BEC)
- Geography: Global (Leveraging cloud infrastructure)
## Timeline of Events
### Initial Access
- Date/Time: Prior to discovery
- Vector: Valid Accounts (stolen AWS access keys; how they were obtained is not stated in the source)
- Details: Attackers obtained valid, stolen AWS credentials belonging to potentially hundreds of AWS environments.
### Lateral Movement
- Date/Time: Post-Initial Access/During Reconnaissance
- Vector: Valid Credential Abuse / Infrastructure Coordination
- Details: Attackers used the AWS CLI and Boto3 to issue reconnaissance API calls across compromised accounts: `GetCallerIdentity` (STS) to confirm a stolen key is live and learn which account and principal it belongs to, and `GetSendQuota` (SES) to learn the account's sending limits. Portainer was used to coordinate infrastructure operations, suggesting centralized command and control over the TruffleNet host fleet.
### Data Exfiltration/Impact
- Date/Time: Ongoing
- Vector: Business Email Compromise (BEC) Fraud
- Details: Primary impact was the abuse of Amazon SES to create verified email identities and execute large-scale financial fraud/phishing campaigns, impersonating legitimate businesses. A secondary impact involved leveraging compromised DKIM keys from hijacked WordPress sites for email authentication.
### Detection & Response
- Date/Time: Disclosed October 31, 2025
- Vector: Threat Research and Analysis
- Details: Detection involved external threat intelligence uncovering the coordinated campaign infrastructure managed by the threat actors. Response actions are not explicitly detailed but would focus on credential revocation and SES abuse mitigation.
## Attack Methodology
- **Initial Access:** Valid accounts: stolen AWS credentials (the theft method is not specified in the source).
- **Persistence:** Not explicitly detailed; the automated infrastructure and repeated use of the same stolen keys indicate access was maintained simply by retaining valid long-lived credentials.
- **Privilege Escalation:** Follow-on activity included explicit privilege escalation attempts within compromised AWS environments.
- **Defense Evasion:** Leveraging legitimate cloud services (AWS SES) for malicious activity, resulting in minimal network-level detection.
- **Credential Access:** Stolen credentials were the primary enabler.
- **Discovery:** Extensive automated reconnaissance using the AWS CLI and Boto3 to confirm each stolen key is live and learn what it can do (`GetCallerIdentity`, `GetSendQuota`), run at scale across the fleet by the TruffleNet framework.
- **Lateral Movement:** No movement between victim hosts is described; Portainer was used to orchestrate the attacker-side TruffleNet hosts.
- **Collection:** Identification and verification of email sending capabilities via SES.
- **Exfiltration:** No bulk data exfiltration is described; the monetization path is BEC fraud executed through high-volume phishing sent from verified SES identities.
- **Impact:** BEC Fraud enabled by high-volume, authenticated email sending via AWS SES.
## Impact Assessment
- **Financial:** High potential for organizational financial loss due to successful BEC fraud campaigns impersonating vendors.
- **Data Breach:** Direct data exfiltration severity is not highlighted, but stolen cloud credentials themselves represent significant sensitive data compromise.
- **Operational:** Operational impact limited primarily to the compromised AWS resource hijacking and the necessary clean-up post-detection.
- **Reputational:** Risk to organizations whose domains or identities were successfully impersonated via the abused SES infrastructure.
## Indicators of Compromise
- **Network Indicators (Defanged):** Not reproduced here. The underlying Fortinet report attributes the activity to 800+ TruffleNet hosts; take any IP list from that report rather than from this summary.
- **File Indicators:** Potential use or creation of artifacts related to custom infrastructure orchestration (Portainer configurations).
- **Behavioral Indicators:** `GetCallerIdentity` followed within minutes by `GetSendQuota` from a source IP or user agent (AWS CLI, Boto3) not previously seen for that access key; the same source validating many different keys; creation of new verified identities in Amazon SES (`VerifyEmailIdentity`, `VerifyDomainIdentity`, `CreateEmailIdentity`) that no business process requested; phishing mail DKIM-signed with keys taken from hijacked WordPress sites.
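As an added illustration of the reconnaissance sequence described under Discovery and Lateral Movement above and of the behavioral indicators listed here, the following Python detector runs over CloudTrail-shaped records. It is example code written for this report, not tooling from the Fortinet research or from the attackers. The sample records, the access key IDs (AWS documentation placeholders), the source addresses (TEST-NET ranges), the per-key IP baseline and the 15-minute probe window are all assumptions; the STS and SES operation names are the real API names. The detector flags a key that is validated with `GetCallerIdentity` from an unfamiliar source and probed with `GetSendQuota` shortly after (counting a probe that fails with `AccessDenied`, since the key was still being tested), any creation of an SES sending identity, and a single source exercising several keys.

```python
# Added example: flag TruffleNet-style credential validation and SES abuse in
# CloudTrail records. All sample data below is constructed, not real log data.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance pair from the report: confirm the stolen key is live with
# sts:GetCallerIdentity, then measure sending capacity with ses:GetSendQuota
# (SESv2 exposes the same quota through GetAccount).
VALIDATION_CALL = ("sts.amazonaws.com", "GetCallerIdentity")
SES_PROBE_CALLS = {("ses.amazonaws.com", "GetSendQuota"),
                   ("ses.amazonaws.com", "GetAccount")}
# SES operations that register a new sending identity (SESv1 and SESv2 names).
IDENTITY_CREATION = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                     "VerifyDomainDkim", "CreateEmailIdentity"}
PROBE_WINDOW = timedelta(minutes=15)  # assumed; tune to your own telemetry


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _identity_name(record):
    params = record.get("requestParameters") or {}
    for field in ("emailAddress", "domain", "emailIdentity"):
        if field in params:
            return params[field]
    return "?"


def analyze(records, known_ips):
    """Return a list of findings.

    records   -- CloudTrail event dicts (the 'Records' array of a log file)
    known_ips -- {accessKeyId: set_of_source_ips} baseline of where each key
                 normally runs; a key absent from the baseline has no known source
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[r.get("userIdentity", {}).get("accessKeyId", "unknown")].append(r)

    findings, keys_per_source = [], defaultdict(set)
    for key, events in by_key.items():
        events.sort(key=_ts)
        baseline = known_ips.get(key, set())
        for i, ev in enumerate(events):
            src, call = ev["sourceIPAddress"], (ev["eventSource"], ev["eventName"])
            if src not in baseline:
                keys_per_source[src].add(key)
            # 1. Validation from an unfamiliar source followed by an SES quota probe.
            #    A probe that fails with AccessDenied is still evidence the key was
            #    tested for SES capability, so errorCode is recorded, not filtered.
            if call == VALIDATION_CALL and src not in baseline:
                t0 = _ts(ev)
                probes = [e for e in events[i + 1:]
                          if (e["eventSource"], e["eventName"]) in SES_PROBE_CALLS
                          and e["sourceIPAddress"] == src
                          and _ts(e) - t0 <= PROBE_WINDOW]
                if probes:
                    findings.append({"type": "recon_validate_then_probe",
                                     "accessKeyId": key, "sourceIP": src,
                                     "userAgent": ev.get("userAgent", ""),
                                     "probeErrors": [p.get("errorCode") for p in probes]})
            # 2. Every new SES identity gets a finding, even from a known source;
            #    the SOC decides whether a business process actually asked for it.
            if ev["eventSource"] == "ses.amazonaws.com" and ev["eventName"] in IDENTITY_CREATION:
                findings.append({"type": "ses_identity_created", "accessKeyId": key,
                                 "sourceIP": src, "identity": _identity_name(ev),
                                 "newSource": src not in baseline})
    # 3. One unfamiliar source exercising several keys is the fleet-style validation
    #    the report describes, as opposed to a single leaked key being misused.
    for src, keys in keys_per_source.items():
        if len(keys) > 1:
            findings.append({"type": "multi_key_source", "sourceIP": src,
                             "accessKeyIds": sorted(keys)})
    return findings


# Constructed sample in CloudTrail's record shape. Key IDs are AWS documentation
# placeholders; 198.51.100.77 (attacker) and 203.0.113.10 (usual CI runner) are TEST-NET.
KEY_A, KEY_B = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"
BOTO = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux"


def _rec(time, source, name, ip, key, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}, **extra}


SAMPLE_RECORDS = [
    _rec("2025-10-20T08:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", KEY_A, userAgent=BOTO),
    _rec("2025-10-20T08:00:02Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", KEY_B, userAgent=BOTO),
    _rec("2025-10-20T08:00:04Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.77", KEY_A, userAgent=BOTO),
    _rec("2025-10-20T08:00:06Z", "ses.amazonaws.com", "GetSendQuota", "198.51.100.77", KEY_B, userAgent=BOTO,
         errorCode="AccessDenied"),
    _rec("2025-10-20T08:03:30Z", "ses.amazonaws.com", "VerifyEmailIdentity", "198.51.100.77", KEY_A, userAgent=BOTO,
         requestParameters={"emailAddress": "billing@example.com"}),
    # Routine use of KEY_A from its usual runner: same call pair, but not flagged.
    _rec("2025-10-20T09:15:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10", KEY_A),
    _rec("2025-10-20T09:15:02Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.10", KEY_A),
]
KNOWN_IPS = {KEY_A: {"203.0.113.10"}}  # KEY_B has no baseline at all


def run_sample():
    return analyze(SAMPLE_RECORDS, KNOWN_IPS)


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the sample, the detector produces four findings: a validate-then-probe hit for each key (the second with `probeErrors` of `AccessDenied`), one identity creation for `billing@example.com`, and one multi-key finding for 198.51.100.77. The routine run from 203.0.113.10 is silent because that address is in the key's baseline. In production the baseline would come from weeks of CloudTrail history per access key, and the records would be read from the `Records` array of the delivered log files.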
## Response Actions
*(Note: Specific analyst response actions are extrapolated based on standard containment practices given the context of cloud abuse.)*
- **Containment:** Immediate revocation of all potentially compromised AWS access keys and IAM credentials identified via reconnaissance patterns. Disabling or auditing the suspicious verified identities created within the targeted AWS SES accounts.
- **Eradication:** Auditing all targeted AWS accounts to remove any deployed infrastructure or backdoors coordinated via Portainer or custom scripting. Remediation of compromised WordPress sites (DKIM key restoration).
- **Recovery:** Re-establishing strict Identity and Access Management (IAM) policies, enforcing MFA on the AWS root user and all human IAM users, and reviewing CloudTrail for follow-on activity such as the privilege escalation attempts noted above.
## Lessons Learned
- Stolen cloud credentials are an extremely effective vector for scalable, low-detection cloud abuse.
- Legitimate cloud services, especially email sending services like SES, provide unparalleled infrastructure for large-scale fraud when compromised, making detection difficult.
- Open-source operational tooling (Portainer for orchestration, TruffleHog for credential validation) combined with custom automation (the TruffleNet framework) lets attackers manage a large fleet of hosts and test stolen credentials at scale.
## Recommendations
- Implement mandatory Multi-Factor Authentication (MFA) for all AWS root and critical IAM users.
- Enforce monitoring and alerting on anomalous AWS API activity, especially reconnaissance calls such as `GetCallerIdentity` and `GetSendQuota` originating from source IPs, user agents or roles not previously associated with the access key.
- Conduct regular access key rotation, and prefer short-lived credentials (IAM roles assumed through STS) over long-lived access keys wherever possible.
- Alert on CloudTrail events that create or verify SES identities (`VerifyEmailIdentity`, `VerifyDomainIdentity`, `CreateEmailIdentity`) when they do not align with a known business process; CSPM or SIEM tooling can carry this rule, and SES sending activity and limits should be reviewed whenever an unexpected identity appears.