'TruffleNet' Attack Wields Stolen Credentials Against AWS
Recorded: Nov. 3, 2025, 6:06 p.m.
Original

Reconnaissance and BEC are among the malicious activities attackers commit after compromising cloud accounts, using a framework based on the TruffleHog tool.

Elizabeth Montalbano, Contributing Writer
November 3, 2025

Attackers are abusing Amazon Web Services' (AWS) Simple Email Service (SES) via legitimate open source tools to steal credentials and infiltrate organizations to execute network reconnaissance. In some cases, threat actors even use compromised environments to perform downstream business email compromise (BEC) attacks.

An emerging threat campaign is using stolen credentials to target SES, Amazon's email automation service, via a large-scale attack infrastructure dubbed TruffleNet, built around the open source scanning tool TruffleHog, according to research from Fortinet AI. Attackers designed TruffleNet to "systematically test compromised credentials and perform reconnaissance across AWS environments," Fortinet AI's Scott Hall wrote in the post.

"In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks," he wrote. Attackers achieved this using not only TruffleHog but also "by consistent configurations, including open ports and the presence of Portainer," an open source management UI for Docker and Kubernetes that simplifies container deployment and orchestration. Though Portainer is a legitimate tool, widely used by administrators for DevOps workflows, attackers can also exploit it as a lightweight control panel that provides a centralized dashboard and API for managing malicious infrastructure. This enables adversaries to coordinate large numbers of nodes with minimal effort, Hall noted.

How the TruffleNet Cloud Cyberattack Works

The initial way that attackers connect TruffleNet to an AWS environment is through a simple call to GetCallerIdentity, which is used to test whether stolen credentials are valid. The malicious infrastructure also had a component that leverages the AWS command line interface (CLI) to query the "GetSendQuota" API for SES, which is "a call frequently seen at the outset of SES abuse," Hall noted.

Most of the IPs used by TruffleNet had no antivirus or bad-reputation detections, suggesting that the infrastructure was built by attackers specifically for this purpose. "In most cloud-based attacks, source IP addresses are often linked to VPNs, Tor nodes, or other illicit activity," Hall noted. Similarly, no follow-on actions or privilege escalations were attempted from these source hosts; only GetSendQuota and GetCallerIdentity calls were observed. "This pattern implies a possible tiered infrastructure, with some nodes dedicated to reconnaissance, and others reserved for later stages of the attack," he wrote.

Downstream, Post-Compromise BEC Attacks

The BEC attacks observed by the researchers are likely related to TruffleNet, as they were observed alongside reconnaissance activity linked to the malicious infrastructure, Hall said. Attackers exploited Amazon SES within the compromised environment to establish sending identities using DomainKeys Identified Mail (DKIM) from previously compromised WordPress sites.

One of the malicious domains, cfp-impactaction.com, was then used in a "BEC vendor onboarding W-9 scam" targeting the oil and gas sector, Hall wrote. "Attackers sent an invoice purporting to be from ZoomInfo, requesting a $50,000 ACH payment," he explained. The W-9 attached to the BEC messages contained a publicly available Employer ID number of the impersonated company to lend credibility to the email, which directed recipients to send payment inquiries to a typosquatted address, zoominfopay[.]com, Hall added.

Using Identity Compromise Against AWS

TruffleNet demonstrates that identity compromise remains one of the most pressing threats to cloud infrastructure, particularly against AWS. Attackers frequently abuse SES to scale illicit email operations once they've obtained valid AWS keys, Hall observed.

The discovery of the malicious infrastructure also shows "how quickly threat actors are evolving their tactics to exploit cloud infrastructure at scale" to bypass traditional security controls, he said. "By combining credential theft, reconnaissance automation, and SES abuse, adversaries can weaponize legitimate services to conduct high-volume fraud and Business Email Compromise with minimal detection," Hall wrote.

How Enterprises Can Mitigate Cloud Cyber Risk

To mitigate the risks from these evolving threats to the cloud, defenders should implement continuous monitoring, least-privilege access, and behavioral analytics, according to Fortinet AI.
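As an added example of the monitoring and behavioral-analytics advice above (written for this page; it is not Fortinet AI's detection logic and not code from the article), here is a small Python composite-alerting pass over CloudTrail-shaped records. It looks for the reconnaissance signature described earlier in the article (GetCallerIdentity to validate a key, then ses:GetSendQuota, from unfamiliar hosts, with no follow-on calls) and alerts only when several of those weak signals coincide for the same access key. The baseline networks, the sample records, the placeholder key IDs and the analyze/is_known_source helpers are all assumptions constructed for the example.

```python
"""Composite alerting over CloudTrail records for TruffleNet-style reconnaissance.

Added example written for this page; it is not Fortinet AI's detection logic
nor any Dark Reading code. It groups CloudTrail-shaped records per access key
and raises an alert only when several weak signals coincide: the
GetCallerIdentity -> GetSendQuota pair, source IPs outside a baseline, the
same key used from many hosts, and recon with no follow-on calls. The
baseline networks and all sample records below are constructed for the
example; the access key IDs are placeholders, not real keys.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

STS_IDENTITY = ("sts.amazonaws.com", "GetCallerIdentity")
SES_QUOTA = ("ses.amazonaws.com", "GetSendQuota")
RECON_CALLS = {STS_IDENTITY, SES_QUOTA}

# Hypothetical baseline: networks this account's own automation runs from.
KNOWN_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]


def is_known_source(ip: str) -> bool:
    """True when the caller's address falls inside a baseline network."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def _event_time(rec):
    # CloudTrail stamps eventTime as ISO 8601 with a trailing Z.
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def analyze(records, min_hosts=3, min_reasons=2):
    """Return {accessKeyId: finding} for keys whose activity matches the
    composite pattern. A finding needs at least `min_reasons` signals, so a
    lone GetCallerIdentity from an unknown address does not alert on its own."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[rec["userIdentity"]["accessKeyId"]].append(rec)

    findings = {}
    for key, events in by_key.items():
        events.sort(key=_event_time)
        calls = [(r["eventSource"], r["eventName"]) for r in events]
        unknown_ips = {r["sourceIPAddress"] for r in events
                       if not is_known_source(r["sourceIPAddress"])}

        # Signal: credential check followed (in time) by an SES quota probe.
        first_identity = next((i for i, c in enumerate(calls) if c == STS_IDENTITY), None)
        recon_pair = first_identity is not None and SES_QUOTA in calls[first_identity + 1:]
        # Signal: nothing but the two recon calls (the "tiered" pattern).
        follow_on = [c for c in calls if c not in RECON_CALLS]

        reasons = []
        if recon_pair:
            reasons.append("GetCallerIdentity followed by ses:GetSendQuota")
        if unknown_ips:
            reasons.append(f"{len(unknown_ips)} source IP(s) outside the baseline")
        if len(unknown_ips) >= min_hosts:
            reasons.append("same key exercised from many unknown hosts")
        if recon_pair and not follow_on:
            reasons.append("reconnaissance only, no follow-on API calls")
        if len(reasons) >= min_reasons:
            findings[key] = {"reasons": reasons,
                             "unknown_ips": sorted(unknown_ips),
                             "calls": calls}
    return findings


def _rec(key, source, name, ip, when):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed sample: one key probed from three unknown hosts, one key used
# normally from the baseline network. Key IDs are placeholders.
SAMPLE_RECORDS = [
    _rec("AKIAEXAMPLEKEY000001", "sts.amazonaws.com", "GetCallerIdentity",
         "198.51.100.7", "2025-11-01T10:00:00Z"),
    _rec("AKIAEXAMPLEKEY000001", "ses.amazonaws.com", "GetSendQuota",
         "198.51.100.7", "2025-11-01T10:00:05Z"),
    _rec("AKIAEXAMPLEKEY000001", "sts.amazonaws.com", "GetCallerIdentity",
         "198.51.100.8", "2025-11-01T10:00:10Z"),
    _rec("AKIAEXAMPLEKEY000001", "ses.amazonaws.com", "GetSendQuota",
         "198.51.100.9", "2025-11-01T10:00:15Z"),
    _rec("AKIAEXAMPLEKEY000002", "sts.amazonaws.com", "GetCallerIdentity",
         "10.20.1.5", "2025-11-01T09:00:00Z"),
    _rec("AKIAEXAMPLEKEY000002", "ses.amazonaws.com", "SendEmail",
         "10.20.1.5", "2025-11-01T09:01:00Z"),
]

if __name__ == "__main__":
    for key, finding in analyze(SAMPLE_RECORDS).items():
        print(key, "->", "; ".join(finding["reasons"]))
```

The five fields the function reads (eventTime, eventSource, eventName, sourceIPAddress and userIdentity.accessKeyId) are standard CloudTrail record fields, so the same function can be pointed at exported trail records; the point of the design is that no single signal alerts, which is what the composite approach buys you when the credentials themselves are valid.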
Identity-driven cloud threats require specific types of visibility and protection so organizations can detect abnormal activity and ensure that credentials to their networks aren't stolen and used against them for further malicious activity.

Composite alerting technology in particular can help organizations evaluate multiple aspects of cloud-based attacks, including: anomalous cloud connections and suspicious automation activity; unusual user behavior and deviations from expected patterns; offensive tool usage, including TruffleHog and similar utilities; and common SES abuse indicators, Hall said.

"Composite alerting is highly effective at detecting identity compromise, which often evades traditional point-based detection," he wrote. "Because valid credentials appear legitimate, they can bypass standard monitoring when no clear indicators of compromise are present." Composite alerts, then, can analyze both network and behavioral anomalies, he explained, "generating high-confidence alerts for cloud attacks and identity misuse."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
Summarized

The 'TruffleNet' attack represents a significant escalation in the tactics employed by cybercriminals targeting cloud infrastructure, specifically Amazon Web Services (AWS). This attack, detailed by Fortinet AI's Scott Hall, leverages a multi-faceted approach centered on stolen credentials and the open source scanning tool TruffleHog. The core of the operation, dubbed TruffleNet, demonstrates an effective method of reconnaissance and subsequent malicious activity following a compromised AWS account.

Hall's research illustrates a concerning trend: cybercriminals are increasingly using legitimate, publicly available tools like TruffleHog, designed for security auditing, to systematically test and exploit compromised credentials across AWS environments. This bypasses traditional security controls that may not be configured to detect such automated assessments. The sheer scale of TruffleNet, involving over 800 unique hosts across 57 Class C networks, highlights the potential for widespread impact.

A key element of the attack is the integration of Portainer, an open source interface for managing Docker and Kubernetes containers. Attackers exploited this tool as a lightweight control panel, enabling coordinated operations across numerous nodes with minimal effort. This reflects a shift toward operational efficiency in cybercrime, using readily available tools to streamline attacks.

The sequence of events begins with a simple GetCallerIdentity call, used to validate stolen credentials. From there, the attackers employed the AWS Command Line Interface (CLI) to query the GetSendQuota API for Amazon Simple Email Service (SES), a call that frequently appears at the outset of SES abuse and that opens the way to large-scale email operations. Notably, the attack did not rely on brute-force credential guessing; it was a targeted approach fueled by previously obtained credentials. The lack of follow-on actions or privilege escalation after reconnaissance further underscores this calculated strategy, suggesting a tiered infrastructure designed for efficiency and minimal detection.

Beyond reconnaissance, the attackers exploited Amazon SES to conduct downstream business email compromise (BEC) attacks. They leveraged compromised WordPress sites to establish DomainKeys Identified Mail (DKIM) sending identities, creating a veneer of legitimacy for fraudulent emails. One particularly dangerous example involved a BEC scam targeting the oil and gas sector, using a fabricated W-9 and a typosquatted email address to trick victims into sending payments.

The discovery of TruffleNet underscores the risk of identity compromise within cloud environments. The ability to weaponize legitimate services like SES with stolen keys represents a significant threat. The attack's rapid evolution, using open source tools and automation, highlights the need for defenders to proactively address this risk. The implications extend beyond a single incident: it is a reminder of how readily available tools can be exploited by cybercriminals, and of the importance of continuous monitoring and least-privilege access controls. Ultimately, the attack's success reinforces the need for organizations to move beyond traditional security approaches and adopt a more proactive, identity-centric defense strategy. As Hall noted, the speed at which attackers are evolving their tactics to exploit cloud infrastructure at scale is a critical concern, demanding constant adaptation and vigilance.