Cloud Abuse at Scale

Adversaries used stolen AWS credentials to run large-scale credential testing and cloud reconnaissance via an infrastructure named TruffleNet, leveraging TruffleHog and automated AWS API calls to identify valid accounts and probe SES sending capabilities. Compromised accounts were then used to create verified email identities and conduct Business Email Compromise campaigns, including a $50,000 W-9 invoice scam that used domains like cfp-impactaction[.]com. #TruffleNet #TruffleHog #cfp-impactaction[.]com

Keypoints

  • TruffleNet is a large-scale attack infrastructure (~800+ source IPs across 57 Class C networks) built around TruffleHog to test stolen AWS credentials and perform automated reconnaissance.
  • Reconnaissance activity centered on lightweight AWS API calls such as GetCallerIdentity and GetSendQuota, indicating credential validation and SES probing without immediate privilege escalation from those nodes.
  • TruffleNet hosts showed consistent configurations (open ports 5432 and 3389, Portainer presence) and were mostly mapped to ASNs including WS Telecom Inc. (AS209372) and Hivelocity LLC (AS61317).
  • Attackers abused Amazon SES to create verified sending identities (using DKIM keys from compromised WordPress sites) and launched Business Email Compromise (BEC) campaigns, including a vendor onboarding W-9 scam requesting $50,000.
  • Observed SES-related API usage included ListIdentities, GetSendQuota/Statistics, CreateEmailIdentity, PutAccountVdmAttributes, and PutAccountDedicatedIpWarmupAttributes—call sequences that reliably indicate SES abuse.
  • Domains used as email identities included cfp-impactaction[.]com, cdnbenin[.]com, and novainways[.]com; some of these domains were previously compromised and associated with other malware like XMrig and Coroxy/SystemBC.
  • Defensive recommendations emphasize continuous monitoring, least-privilege access, behavioral analytics, and use of integrated protections (e.g., FortiCNAPP, FortiMail, FortiEDR) to detect anomalous AWS API activity and SES abuse.

MITRE Techniques

  • [T1087.003] Account Discovery (Cloud) – Enumerating verified sending identities using ListIdentities to find domains or emails to spoof: “…Enumerates verified sending identities (domains or emails) to find targets to spoof or identify addresses used for high-volume sending.”
  • [T1526] Service Quotas Discovery – Calling ListServiceQuotas and GetSendStatistics to reveal service limits and send metrics for mapping boundaries and measuring campaign success: “…Reveals service limits and quota settings that help attackers map boundaries and plan large-scale or stealthy abuse.”
  • [T1098] Account Manipulation – Using UpdateLoginProfile and PutAccountDetails/PutAccountVdmAttributes/PutAccountDedicatedIpWarmupAttributes to change account metadata, modify authentication/delivery settings, or warm up dedicated IPs for improved deliverability: “…Enables an attacker with sufficient IAM privileges to change a user’s console password or sign-in configuration… Modifies account contact or metadata… Alters delivery and authentication settings (VDM attributes)… Adjusts dedicated IP warm-up settings…”
  • [T1525] Cloud Account Discovery – Using GetAccount (SESv2) to obtain account-level configuration such as sending status and region to fine-tune campaigns: “…Returns account-level configuration details such as sending status and region, which attackers can use to fine-tune their campaigns.”
  • [T1136.003] Create Account (IAM) – Creating new IAM users via CreateUser and CreateEmailIdentity to establish persistent credentials and verified sending identities for spoofing campaigns: “…Allows creation of new IAM users to establish persistent credentials that blend in as legitimate accounts.”
  • [T1087] Account Discovery (SNS) – Calling GetSMSAttributes to enumerate SMS configuration or sender IDs as potential messaging vectors: “…Enumerates SMS configuration or sender IDs to identify potential phone-based vectors or confirm messaging capabilities.”
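The two behaviours the keypoints and the MITRE mapping above describe (bulk credential validation with GetCallerIdentity/GetSendQuota from many source IPs, and the SES recon → CreateEmailIdentity → VDM/warm-up tuning sequence) can be expressed as simple detections over CloudTrail records. The code below is an added example written for this summary, not tooling from the Fortinet report; the events, access key IDs and IP addresses are constructed (RFC 5737 ranges), the records are flattened to the fields the logic needs, and the `emailIdentity` request-parameter name for CreateEmailIdentity is an assumption about how CloudTrail renders the SESv2 call.

```python
"""Detect the TruffleNet-style patterns over CloudTrail-like records.

Added example, not from the original report. Records are constructed and
reduced to the fields used here (real CloudTrail nests more under userIdentity).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API names taken from the report, grouped by their role in the chain.
VALIDATION_CALLS = {"GetCallerIdentity", "GetSendQuota"}
SES_RECON = {"ListIdentities", "GetSendQuota", "GetSendStatistics",
             "GetAccount", "ListServiceQuotas"}
SES_SETUP = {"CreateEmailIdentity"}
SES_TUNING = {"PutAccountVdmAttributes", "PutAccountDedicatedIpWarmupAttributes"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_credential_testing(events, min_ips=3):
    """Access keys whose ONLY activity is cheap validation calls, spread over
    many source IPs: the credential-testing signature, keyed by accessKeyId."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    hits = {}
    for key, evs in by_key.items():
        names = {e["eventName"] for e in evs}
        ips = {e["sourceIPAddress"] for e in evs}
        if names <= VALIDATION_CALLS and len(ips) >= min_ips:
            hits[key] = sorted(ips)
    return hits


def find_ses_abuse_sequence(events, window=timedelta(hours=6)):
    """Per access key: SES recon, then CreateEmailIdentity, then deliverability
    tuning, all inside `window`. Returns one finding per key that matches."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        for i, setup in enumerate(evs):
            if setup["eventName"] not in SES_SETUP:
                continue
            t0 = _ts(setup)
            recon = [e["eventName"] for e in evs[:i]
                     if e["eventName"] in SES_RECON and t0 - _ts(e) <= window]
            tuning = [e["eventName"] for e in evs[i + 1:]
                      if e["eventName"] in SES_TUNING and _ts(e) - t0 <= window]
            if recon and tuning:
                findings.append({
                    "accessKeyId": key,
                    # assumed CloudTrail field name for the SESv2 request body
                    "identity": setup.get("requestParameters", {}).get("emailIdentity"),
                    "recon": recon,
                    "tuning": tuning,
                    "sourceIPs": sorted({e["sourceIPAddress"] for e in evs}),
                })
                break
    return findings


def _ev(time, name, key, ip, agent, source="ses.amazonaws.com", params=None):
    """Build a minimal constructed CloudTrail-like record."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "userAgent": agent, "requestParameters": params or {}}


# Constructed sample log: one key swept by validation calls from three hosts,
# one key walked through the SES abuse sequence, one benign single read.
SAMPLE_EVENTS = [
    _ev("2025-10-01T10:00:00Z", "GetCallerIdentity", "AKIA0000EXAMPLE0001",
        "198.51.100.10", "TruffleHog", "sts.amazonaws.com"),
    _ev("2025-10-01T10:00:05Z", "GetSendQuota", "AKIA0000EXAMPLE0001",
        "198.51.100.11", "aws-cli/2.27.57"),
    _ev("2025-10-01T10:00:09Z", "GetCallerIdentity", "AKIA0000EXAMPLE0001",
        "198.51.100.12", "TruffleHog", "sts.amazonaws.com"),
    _ev("2025-10-01T12:00:00Z", "ListIdentities", "AKIA0000EXAMPLE0002",
        "203.0.113.5", "Boto3/1.36.3"),
    _ev("2025-10-01T12:00:30Z", "GetSendQuota", "AKIA0000EXAMPLE0002",
        "203.0.113.5", "Boto3/1.36.3"),
    _ev("2025-10-01T12:05:00Z", "CreateEmailIdentity", "AKIA0000EXAMPLE0002",
        "203.0.113.5", "aws-cli/2.27.57", params={"emailIdentity": "vendor-example.invalid"}),
    _ev("2025-10-01T12:06:00Z", "PutAccountVdmAttributes", "AKIA0000EXAMPLE0002",
        "203.0.113.5", "aws-cli/2.27.57"),
    _ev("2025-10-01T12:07:00Z", "PutAccountDedicatedIpWarmupAttributes",
        "AKIA0000EXAMPLE0002", "203.0.113.5", "aws-cli/2.27.57"),
    _ev("2025-10-01T09:00:00Z", "GetSendQuota", "AKIA0000EXAMPLE0003",
        "192.0.2.7", "console.amazonaws.com"),
]

if __name__ == "__main__":
    print("credential testing:", find_credential_testing(SAMPLE_EVENTS))
    for f in find_ses_abuse_sequence(SAMPLE_EVENTS):
        print("SES abuse sequence:", f)
```

The first rule deliberately requires that a key does nothing but validation calls, so a normal administrator who reads the send quota once from one IP is not flagged; the second rule keys on the ordered sequence rather than any single call, because ListIdentities or GetSendQuota alone are routine.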

Indicators of Compromise

  • [IP Addresses] TruffleNet reconnaissance and BEC source hosts – examples include 175[.]103[.]36[.]74 and 43[.]252[.]9[.]253 (MikroTik RouterOS devices likely compromised); more than 800 source IPs referenced in VirusTotal collection.
  • [Domains] Compromised email identities used for SES/BEC – cdnbenin[.]com, cfp-impactaction[.]com, jia[.]com[.]au, majoor[.]co, novainways[.]com, restaurantalhes[.]com (some hosted in France and linked to other malicious activity).
  • [User Agents] AWS CLI / Botocore / Boto3 strings observed – examples: “aws-cli/2.27.57 … md/command#sesv2.create-email-identity” and “Boto3/1.36.3 md/Botocore#1.36.3 …”, used during SES CreateEmailIdentity calls and credential testing.
  • [File/Tool] Reconnaissance tool – TruffleHog usage observed for secret scanning and credential harvesting (user agent labeled TruffleHog and associated aws-cli traces).


Read more: https://feeds.fortinet.com/~/927010508/0/fortinet/blog/threat-research~Cloud-Abuse-at-Scale