A significant cloud security incident named TruffleNet has been detected, revealing advanced tactics by threat actors focused on compromising Amazon Web Services (AWS) environments through stolen credentials.
Researchers identified that the attackers used TruffleHog, a popular open-source tool, to test compromised access keys and carry out systematic, automated reconnaissance.
The operation's most prominent feature is the abuse of Amazon Simple Email Service (SES) to run Business Email Compromise (BEC) attacks, using AWS's trusted infrastructure to deliver these campaigns.
The attack begins by validating the stolen credentials, typically with the AWS GetCallerIdentity API call. Once a key is confirmed valid, the attacker's hosts query the SES GetSendQuota endpoint to check the account's sending quota, in preparation for large-scale email abuse.
Unlike typical cloud threats, most source IPs carried no reputation flags or antivirus detections, which suggests custom-built attacker infrastructure. Analysis of those hosts found ports 5432 and 3389 (PostgreSQL and RDP) frequently open, although these services were not being targeted for their usual purposes.
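The two-step pattern described above (a GetCallerIdentity credential check followed shortly by a GetSendQuota probe from the same access key) is something a defender can hunt for in CloudTrail. The following is an added example, not code from the researchers or from the TruffleNet report; the event records are constructed to follow the CloudTrail field layout, and the key ids, IPs, timestamps and the ten-minute correlation window are assumptions.

```python
"""Flag TruffleNet-style sequences in CloudTrail: sts:GetCallerIdentity followed
within a short window by ses:GetSendQuota under the same access key."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records for the example. Field names follow the
# CloudTrail schema; key ids, IPs and times are made up (not real indicators).
SAMPLE_EVENTS = [
    {"eventTime": "2025-10-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-10-01T10:00:45Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    # Same two calls for another key, but hours apart: routine admin activity.
    {"eventTime": "2025-10-01T11:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
    {"eventTime": "2025-10-01T15:30:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_validation_then_quota(events, window=timedelta(minutes=10)):
    """Return (accessKeyId, sourceIP, identity_time, quota_time) for each key
    where GetCallerIdentity is followed by GetSendQuota within `window`."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_key[ev["userIdentity"].get("accessKeyId", "?")].append(ev)
    hits = []
    for key, evs in by_key.items():
        pending = None  # most recent credential check not yet paired
        for ev in evs:
            if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
                pending = ev
            elif (ev["eventSource"] == "ses.amazonaws.com" and ev["eventName"] == "GetSendQuota"
                  and pending is not None and _ts(ev) - _ts(pending) <= window):
                hits.append((key, ev["sourceIPAddress"], pending["eventTime"], ev["eventTime"]))
                pending = None
    return hits


if __name__ == "__main__":
    for key, ip, t1, t2 in find_validation_then_quota(SAMPLE_EVENTS):
        print(f"ALERT key={key} ip={ip} GetCallerIdentity@{t1} -> GetSendQuota@{t2}")
```

Only the first key is flagged; the second performs the same calls hours apart and falls outside the window, which is the kind of noise a per-call-name rule alone would not filter.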
TruffleNet “leverages the popular open-source tool TruffleHog to test compromised access keys and conduct systematic automated reconnaissance.”
The operation’s hallmark is “high-scale abuse of Amazon Simple Email Service (SES), which facilitates Business Email Compromise (BEC) campaigns using AWS’s trusted infrastructure.”
Author’s summary: TruffleNet illustrates a sophisticated BEC campaign that exploits stolen AWS credentials and cloud-native infrastructure to turn Amazon SES into a platform for large-scale email attacks that standard security solutions fail to detect.