Cloud Abuse at Scale
Nov. 3, 2025, 12:13 p.m.
Description
A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across 57 distinct Class C networks, characterized by consistent configurations and the use of Portainer. Alongside TruffleNet, adversaries are exploiting Amazon Simple Email Service (SES) to facilitate Business Email Compromise (BEC) campaigns. The attackers create email identities using compromised WordPress sites and conduct aggressive cloud reconnaissance. This activity highlights the evolving tactics of threat actors in exploiting cloud infrastructure at scale, combining credential theft, reconnaissance automation, and SES abuse to conduct high-volume fraud with minimal detection.
Tags
Date
- Created: Nov. 1, 2025, 10:24 a.m.
- Published: Nov. 1, 2025, 10:24 a.m.
- Modified: Nov. 3, 2025, 12:13 p.m.
Additional Information
- Energy