FortiGuard Labs analyzes TruffleNet, a large-scale campaign abusing AWS SES with stolen credentials and linked to Business Email Compromise (BEC).
Analysis Summary
# Incident Report: TruffleNet - AWS SES Abuse and BEC Campaign
## Executive Summary
Security researchers uncovered TruffleNet, a large-scale infrastructure leveraging stolen AWS credentials to abuse Amazon Simple Email Service (SES) for malicious purposes, including Business Email Compromise (BEC). Attackers used the open-source tool TruffleHog to systematically test compromised credentials and identify abuse potential within AWS environments, resulting in high-severity identity compromise and subsequent criminal activity.
## Incident Details
- Discovery Date: Prior to October 31, 2025 (Date of analysis publication)
- Incident Date: Ongoing campaign identified (Specific start date unknown)
- Affected Organization: Any organization with compromised AWS credentials (Universal/Not publicly disclosed)
- Sector: Cross-Industry (As it targets cloud identity)
- Geography: Infrastructure observed mapped to U.S.-based ASNs (WS Telecom Inc., Hivelocity LLC)
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Ongoing campaign)
- Vector: Stolen AWS Credentials
- Details: Attackers used valid, stolen AWS access keys to initiate connections, bypassing traditional perimeter security controls.
### Lateral Movement
- *Note: Lateral movement inside a victim network was not the subject of the initial discovery; the observed activity was reconnaissance of compromised accounts from the attacker's own infrastructure.*
- Details: The TruffleNet infrastructure issued reconnaissance calls from 800+ hosts: `GetCallerIdentity` (STS) to validate each stolen key and `GetSendQuota` (SES) to learn whether, and how much, the account could send, thereby mapping compromised AWS accounts and preparing them for abuse.
### Data Exfiltration/Impact
- Impact: Facilitation of downstream Business Email Compromise (BEC) campaigns.
- Details: BEC is the ultimate goal; the direct impact of the SES abuse phase is the ability to send high volumes of fraudulent email through a victim's legitimate AWS account, which is what lends the downstream fraud its credibility.
### Detection & Response
- Detection: By FortiGuard Labs, through observation and analysis of API call patterns consistent with SES abuse preparation.
- Response: Threat analysis, infrastructure mapping (ASNs and recurring host configuration patterns), and publication of Indicators of Compromise (IOCs) for mitigation.
## Attack Methodology
- Initial Access: Compromised AWS Credentials.
- Persistence: Not detailed for the compromised AWS accounts. On the attacker side, the large, coordinated infrastructure was managed through the container-management tool Portainer, which is attacker-owned infrastructure rather than a foothold in victim accounts.
- Privilege Escalation: Not observed in the reconnaissance phase. Whether a stolen key can be turned into a sending platform depends on the SES permissions already attached to it, not on escalation.
- Defense Evasion: Use of seemingly legitimate, non-reputed source IPs across hundreds of hosts, avoiding typical VPN/TOR detection signatures.
- Credential Access: Through means external to this specific report (implied pre-compromise of AWS keys).
- Discovery: Using `GetCallerIdentity` to validate credentials and querying AWS SES APIs (`GetSendQuota`, `ListIdentities`) to confirm sending capability.
- Lateral Movement: None observed within victim accounts; the attacker's own TruffleNet nodes were coordinated through Portainer.
- Collection: Preparation of SES for impersonation/delivery in BEC operations.
- Exfiltration: Not the primary focus, but linked to BEC fraud.
- Impact: Facilitation of large-scale BEC fraud via legitimate AWS infrastructure.
## Impact Assessment
- Financial: High potential for significant financial losses due to successful BEC campaigns enabled by the infrastructure.
- Data Breach: Potential exposure of whatever the compromised credentials can reach; a key that can call SES may carry other permissions, so the review should not stop at SES, although BEC is the immediate impact focus.
- Operational: Low inherent operational disruption to the victim AWS accounts during the initial reconnaissance phase, as actions were focused on non-intrusive API queries.
- Reputational: Damage to any victim company targeted by the subsequent BEC emails impersonating their domain or executives.
## Indicators of Compromise
- **Network Indicators (BEC Phase IPs):**
- `175[.]103[.]36[.]74`
- `43[.]252[.]9[.]253`
- **File Indicators:** (None specific beyond the use of TruffleHog tool by the attacker)
- **Behavioral Indicators (API Call Sequences indicative of SES Abuse):**
- Sequences of `GetAccount`, `GetSendQuota` and `ListIdentities`, followed shortly by `CreateEmailIdentity` from the same credentials. (`GetSendQuota` and `ListIdentities` are SES v1 actions, `GetAccount` and `CreateEmailIdentity` are SES v2; CloudTrail records all of them under the `ses.amazonaws.com` event source, so one query covers both.)
- Account configuration changes: `PutAccountVdmAttributes` and `PutAccountDedicatedIpWarmupAttributes`.
- **Compromised Domains (BEC Identities):**
- `cdnbenin[.]com`
- `cfp-impactaction[.]com`
- `jia[.]com[.]au`
- `majoor[.]co`
- `novainways[.]com`
- `restaurantalhes[.]com`
## Response Actions
- Containment measures: Not detailed in the source, which is external threat intelligence. For an affected account, containment means deactivating the compromised access keys immediately (then rotating them), reviewing CloudTrail for every action those keys took, and checking whether additional users or keys were created.
- Eradication steps: Deleting the SES identities the attacker registered (`CreateEmailIdentity`) and de-provisioning any other unknown resources linked to the activity.
- Recovery actions: Auditing the account for persistent changes to dedicated-IP warm-up and VDM settings (`PutAccountDedicatedIpWarmupAttributes`, `PutAccountVdmAttributes`), reverting them, and confirming the account's sending reputation has not been damaged by fraudulent mail.
## Lessons Learned
- Cloud identity remains the primary attack vector, bypassing network defenses.
- Attackers are efficiently weaponizing open-source tools (TruffleHog) to automate infrastructure discovery and credential testing at scale.
- Specific cloud services (like SES) offer attackers a legitimate delivery mechanism for highly damaging activities (BEC).
- The use of dedicated, clean infrastructure (high volume of hosts with no bad reputation) makes behavioral detection difficult unless specific API usage patterns are monitored.
## Recommendations
- **Enforce Strong Credential Hygiene:** Prefer short-lived credentials (IAM roles via STS) over long-lived access keys, rotate any keys that must exist, and apply least-privilege policies so that a key leaked from one workload does not also carry SES permissions.
- **Monitor SES API Activity:** Log and alert on unusual SES API sequences, especially `CreateEmailIdentity` or configuration changes (`PutAccountVdmAttributes`, `PutAccountDedicatedIpWarmupAttributes`) performed by credentials or from source IPs that do not normally touch SES; a quota or identity probe (`GetSendQuota`, `ListIdentities`) immediately followed by such a change is the pattern this campaign produced.
- **Implement Multi-Factor Authentication (MFA):** Mandate MFA for console access, and for programmatic access condition sensitive IAM policies on `aws:MultiFactorAuthPresent` so that a bare stolen access key cannot exercise them. Static access keys themselves cannot be MFA-protected, which is the main reason to replace them with temporary credentials.
- **Infrastructure Auditing:** Portainer was observed as the management layer of the attacker's own nodes, not of victim accounts; still, treat unexpected Portainer instances or exposed container-management endpoints on your own hosts as findings, since that tooling is how a campaign of this size coordinates its fleet.
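The behavioral indicators listed under Indicators of Compromise and the SES monitoring recommendation above both describe an API sequence that can be matched directly against CloudTrail, and the steps under Response Actions follow from what such a match reveals. The following Python is an added example, not code from FortiGuard Labs or from the report: it runs the sequence match over constructed CloudTrail records (placeholder key IDs, user names, RFC 5737 addresses and example.com domains, none of them indicators from the report), then turns each alert into the containment, eradication and recovery commands listed above. The 15-minute window and the `emailIdentity` request-parameter field name are assumptions; the API and CLI names are real.

```python
"""Match the SES abuse sequence from the report against CloudTrail and scope the response.

Added example, not FortiGuard code. The API names are the ones the report lists; the log
records, key IDs, user names, IPs and domains are constructed placeholders.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance calls from the report: STS key validation plus SES capability probes.
RECON = {"GetCallerIdentity", "GetSendQuota", "ListIdentities", "GetAccount"}
# Calls that turn a validated key into a sending platform: a new sending identity and
# the account-level VDM / dedicated-IP warm-up changes the report observed.
WEAPONIZE = {"CreateEmailIdentity", "PutAccountVdmAttributes",
             "PutAccountDedicatedIpWarmupAttributes"}
# Assumption: a weaponizing call this soon after reconnaissance by the same key is alert-worthy.
WINDOW = timedelta(minutes=15)

# Constructed CloudTrail records (one JSON object per line) trimmed to the fields used.
# The stolen key runs the full recon -> CreateEmailIdentity -> VDM sequence; the legitimate
# key checks its quota in the morning and adds an identity 90 minutes later (outside WINDOW).
SAMPLE_LOG = r"""
{"eventTime":"2025-10-20T03:14:07Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":null}
{"eventTime":"2025-10-20T03:14:09Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":null}
{"eventTime":"2025-10-20T03:14:11Z","eventSource":"ses.amazonaws.com","eventName":"ListIdentities","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":null}
{"eventTime":"2025-10-20T03:14:12Z","eventSource":"ses.amazonaws.com","eventName":"GetAccount","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":null}
{"eventTime":"2025-10-20T03:16:40Z","eventSource":"ses.amazonaws.com","eventName":"CreateEmailIdentity","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":{"emailIdentity":"invoices.example.com"}}
{"eventTime":"2025-10-20T03:17:02Z","eventSource":"ses.amazonaws.com","eventName":"PutAccountVdmAttributes","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLE0000STOLEN"},"requestParameters":{"vdmAttributes":{"vdmEnabled":"ENABLED"}}}
{"eventTime":"2025-10-20T08:00:00Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"app-mailer","accessKeyId":"AKIAEXAMPLE00000LEGIT"},"requestParameters":null}
{"eventTime":"2025-10-20T08:00:05Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"app-mailer","accessKeyId":"AKIAEXAMPLE00000LEGIT"},"requestParameters":null}
{"eventTime":"2025-10-20T09:30:00Z","eventSource":"ses.amazonaws.com","eventName":"CreateEmailIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"app-mailer","accessKeyId":"AKIAEXAMPLE00000LEGIT"},"requestParameters":{"emailIdentity":"news.example.com"}}
"""


def parse_events(text):
    """Reduce each CloudTrail record to the fields the detection pivots on, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ident = rec.get("userIdentity", {})
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": rec["eventName"],
            "ip": rec.get("sourceIPAddress"),
            "user": ident.get("userName"),
            "key": ident.get("accessKeyId"),
            "params": rec.get("requestParameters") or {},
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events, window=WINDOW):
    """One alert per access key whose weaponizing call follows reconnaissance within `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    alerts = []
    for key, evs in by_key.items():
        recon, weaponized, last_recon = [], [], None
        for e in evs:
            if e["event"] in RECON:
                recon.append(e["event"])
                last_recon = e["time"]
            elif (e["event"] in WEAPONIZE and last_recon is not None
                  and e["time"] - last_recon <= window):
                weaponized.append(e)
        if weaponized:
            alerts.append({
                "key": key,
                "user": evs[0]["user"],
                "source_ips": sorted({e["ip"] for e in evs}),
                "recon": recon,
                "weaponize": [e["event"] for e in weaponized],
                # Identities the attacker registered, read from the CreateEmailIdentity request
                # (field name "emailIdentity" is an assumption about CloudTrail's casing).
                "identities": [e["params"].get("emailIdentity") for e in weaponized
                               if e["event"] == "CreateEmailIdentity"],
            })
    return alerts


def containment_commands(alerts):
    """Map each alert onto the response steps above, as AWS CLI calls for the responder to review."""
    cmds = []
    for a in alerts:
        # Containment: deactivate the stolen key (keep it as evidence rather than deleting it).
        cmds.append(f"aws iam update-access-key --user-name {a['user']} "
                    f"--access-key-id {a['key']} --status Inactive")
        # Eradication: remove identities the attacker registered.
        for ident in a["identities"]:
            cmds.append(f"aws sesv2 delete-email-identity --email-identity {ident}")
        # Recovery: re-read account-level VDM and dedicated-IP settings if they were touched.
        if any(ev.startswith("PutAccount") for ev in a["weaponize"]):
            cmds.append("aws sesv2 get-account")
    return cmds


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    print(json.dumps(found, indent=2))
    print("\n".join(containment_commands(found)))
```

Run against the constructed log, the stolen key produces one alert carrying the full reconnaissance sequence, both weaponizing calls and the registered identity, while the legitimate key produces none: its `GetSendQuota` and its own `CreateEmailIdentity` are 90 minutes apart, outside the window. Widening `window` (or, in production, keying the match on source ASN rather than elapsed time) trades false negatives for false positives, which is the tuning decision this pattern forces. The emitted commands are meant for a responder to review and run, not to be executed automatically by the detector.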