November 15, 2025
By esentry Team

The Cloud Heist Hiding in Plain Sight

There's an old cybersecurity maxim: "One person's security tool is another person's skeleton key."

There's a new threat on the block, and it isn't playing around: TruffleNet is a criminal group turning Amazon's cloud services into a fraud factory, one stolen credential at a time.

The twist? They're doing it with tools designed to protect you.

800 Hosts, One Big Problem

Researchers have uncovered a sprawling attack campaign that uses stolen AWS credentials to build criminal infrastructure: over 800 unique hosts across 57 networks, all dedicated to reconnaissance, credential testing, and fraud.

The weapon of choice? TruffleHog, a legitimate open-source security tool designed to find accidentally exposed credentials in code repositories. Attackers turned this digital metal detector into a battering ram pointed straight at AWS accounts.

How TruffleNet Works

Test the Keys

Attackers use AWS's GetCallerIdentity API call, essentially asking "Do these stolen credentials work?" It's like checking if a stolen credit card is still active with a $1 purchase.

Map the Territory

They query AWS Simple Email Service (SES) using GetSendQuota to check email sending capacity. Why? Email is the ultimate weapon for fraud at scale. Messages from legitimate AWS accounts bypass spam filters and inherit the sender's reputation.

Build the Empire

Using Portainer (another legitimate DevOps tool), attackers orchestrate 800+ malicious nodes through one dashboard. It's a lightweight command-and-control panel managing an entire fraud operation.

Launch the Scam

Attackers exploit Amazon SES using compromised WordPress sites to send authenticated emails. In one case: a fake ZoomInfo invoice requesting $50,000, complete with real tax ID numbers, directing payment to the typosquatted domain zoominfopay[.]com.

Why This is Terrifying

TruffleNet is invisible to traditional security.

Most of the IP addresses had zero antivirus detections and no bad-reputation flags. They looked completely legitimate because they were purpose-built infrastructure: clean, new, and unsuspicious.

No privilege escalation. No lateral movement. Just two harmless-looking API calls. This suggests tiered infrastructure: some nodes for reconnaissance, others for fraud operations.

The Cloud's Achilles' Heel (Identity)

The uncomfortable truth is that in the cloud, identity is the perimeter.

Traditional security assumed fortified walls and guarded gates. But in the cloud, there is no castle, just credentials.

Valid AWS credentials bypass all security controls. The attacker looks legitimate because, technically, they are. No alarms. No red flags. They walk through the front door and get to work.

TruffleNet exploits the fundamental trust model of cloud infrastructure.

Composite Alerting

You can't detect TruffleNet with single-point alerts. You need composite alerting, connecting multiple suspicious behaviors:

✓ API calls from unusual locations or times
✓ Rapid, systematic automation patterns
✓ Accounts accessing services they've never used
✓ Detection of offensive tools (TruffleHog, Portainer)
✓ Sudden spikes in email quota checks

None alone is malicious. Together? They paint a picture of compromise.

The Bottom Line

TruffleNet teaches us that cloud security is fundamentally different. Every credential is a potential skeleton key. And when those keys get stolen, attackers don't break down doors, they walk through the front entrance.

The solution isn't magic. It's discipline:

  • Rotate credentials religiously
  • Monitor everything obsessively
  • Assume breach constantly
  • Verify identity continuously

Mitigations

Audit AWS Credentials

  • Rotate all access keys every 90 days
  • Delete unused credentials immediately
  • Enable AWS CloudTrail for API activity logging
  • Enforce least privilege IAM permissions
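The first two bullets above (rotate keys every 90 days, delete unused keys) can be checked mechanically against the IAM credential report. The following is an added example written for this post, not code from the esentry team or from AWS: it parses a constructed excerpt of the report (the column names are the real ones from `aws iam get-credential-report`, but the users, account ID and timestamps are invented) and flags keys older than 90 days, keys that have never been used, and keys idle beyond a threshold. The 45-day idle threshold and the fixed "now" are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an IAM credential report. Real column names, invented
# data; only the columns this audit reads are included.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2025-03-01T09:00:00+00:00,2025-11-14T22:10:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2025-10-20T08:30:00+00:00,2025-11-15T07:45:00+00:00,true,2024-12-01T08:30:00+00:00,2025-01-05T11:00:00+00:00
legacy-backup,arn:aws:iam::111122223333:user/legacy-backup,false,true,2025-09-10T12:00:00+00:00,no_information,false,N/A,N/A
"""

NOW = datetime(2025, 11, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)   # rotation policy from the post
MAX_IDLE = timedelta(days=45)      # assumption: idle threshold is not stated on the page


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv=SAMPLE_REPORT, now=NOW):
    """Return (user, slot, code, detail) findings for each policy violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["mfa_active"] != "true":
            findings.append((user, "-", "NO_MFA", "MFA is not enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to rotate
            key = f"key{slot}"
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, key, "KEY_TOO_OLD",
                                 f"last rotated {(now - rotated).days} days ago"))
            if last_used is None:
                findings.append((user, key, "KEY_NEVER_USED", "active key with no recorded use"))
            elif now - last_used > MAX_IDLE:
                findings.append((user, key, "KEY_IDLE",
                                 f"unused for {(now - last_used).days} days"))
    return findings


if __name__ == "__main__":
    for user, key, code, detail in audit_credential_report():
        print(f"{code:15} {user:15} {key:5} {detail}")
```

Run against a real report by feeding the decoded `Content` field of `get-credential-report` into `audit_credential_report`; every `KEY_NEVER_USED` and `KEY_IDLE` finding is a candidate for immediate deletion, and `KEY_TOO_OLD` is the rotation backlog.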

Monitor Suspicious API Activity

  • Alert on unusual GetCallerIdentity and GetSendQuota patterns
  • Flag accounts suddenly querying SES
  • Watch for API calls from new IP ranges
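The three bullets above, together with the composite-alerting list earlier in the post, describe one detection: several weak signals on the same principal. The following is an added example written for this post, not the esentry team's tooling, showing how that correlation looks over CloudTrail records. The field names follow the real CloudTrail schema, but the principals, IPs, timestamps and per-principal baselines are constructed, and the recon window (60 s), the quota-check spike threshold (more than 3) and the alert threshold (3 signals) are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

ALICE = "arn:aws:iam::111122223333:user/alice"
CI_DEPLOY = "arn:aws:iam::111122223333:user/ci-deploy"

# Constructed CloudTrail-style records (JSON Lines). Real field names, invented data:
# alice behaves normally; ci-deploy shows the GetCallerIdentity -> GetSendQuota pattern.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2025-11-14T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2025-11-14T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ALICE}},
    {"eventTime": "2025-11-14T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": CI_DEPLOY}},
    {"eventTime": "2025-11-14T10:05:02Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": CI_DEPLOY}},
    {"eventTime": "2025-11-14T10:05:04Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": CI_DEPLOY}},
    {"eventTime": "2025-11-14T10:05:06Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": CI_DEPLOY}},
    {"eventTime": "2025-11-14T10:05:08Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "arn": CI_DEPLOY}},
])

# Constructed baseline of what each principal normally does (in practice learned
# from history, the way a UEBA product would build it).
BASELINE = {
    ALICE: {"ips": {"203.0.113.10"}, "services": {"sts.amazonaws.com", "s3.amazonaws.com"}},
    CI_DEPLOY: {"ips": {"203.0.113.20"}, "services": {"sts.amazonaws.com", "ecr.amazonaws.com"}},
}

RECON_WINDOW_SECONDS = 60   # assumption: identity check followed by SES quota check this fast
QUOTA_SPIKE_THRESHOLD = 3   # assumption: more GetSendQuota calls than this is a spike
ALERT_THRESHOLD = 3         # assumption: signals needed before raising a composite alert


def parse_events(log_text):
    """Parse JSON Lines CloudTrail records and sort them by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["_time"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    events.sort(key=lambda e: e["_time"])
    return events


def score_principals(events, baseline):
    """Collect independent weak signals per principal and score their combination."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    results = {}
    for arn, evs in by_principal.items():
        base = baseline.get(arn, {"ips": set(), "services": set()})
        signals = set()
        last_identity_check = None
        for e in evs:
            if e["sourceIPAddress"] not in base["ips"]:
                signals.add("new_source_ip")            # call from an IP never seen for this principal
            if e["eventSource"] not in base["services"]:
                signals.add("never_used_service")       # e.g. a deploy user suddenly touching SES
            if e["eventName"] == "GetCallerIdentity":
                last_identity_check = e["_time"]
            elif e["eventName"] == "GetSendQuota" and last_identity_check is not None:
                if (e["_time"] - last_identity_check).total_seconds() <= RECON_WINDOW_SECONDS:
                    signals.add("identity_check_then_ses_quota")  # the key-test-then-map sequence
        if sum(e["eventName"] == "GetSendQuota" for e in evs) > QUOTA_SPIKE_THRESHOLD:
            signals.add("ses_quota_spike")
        results[arn] = {"score": len(signals), "signals": sorted(signals),
                        "alert": len(signals) >= ALERT_THRESHOLD}
    return results


def composite_alerts(log_text=SAMPLE_LOG, baseline=BASELINE):
    """Return only the principals whose combined signals cross the alert threshold."""
    scored = score_principals(parse_events(log_text), baseline)
    return {arn: r for arn, r in scored.items() if r["alert"]}


if __name__ == "__main__":
    for arn, r in composite_alerts().items():
        print(f"ALERT {arn}: score={r['score']} signals={r['signals']}")
```

Each signal on its own is noise (alice's GetCallerIdentity scores zero); the alert fires only when a single principal accumulates several of them, which is the point of composite alerting.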

Lock Down Everything

  • Enable MFA everywhere (especially AWS root accounts)
  • Deploy AWS GuardDuty for threat detection
  • Don't enable SES unless necessary
  • Require manual approval for DKIM domain verification

Implement Behavioral Analytics

  • Deploy UEBA tools that learn "normal" account behavior
  • Use composite alerting to correlate low-confidence signals
  • Scan your own code with TruffleHog before attackers do

In the cloud, you are what you authenticate. And if someone else can authenticate as you? They become you. Stay vigilant. Rotate your keys. Enable MFA.