Date: 11/03/2025
Severity: Medium
Summary
Identity compromise remains a major threat to cloud infrastructure: an attacker holding valid credentials is authenticated rather than intruding, so perimeter and endpoint controls built to stop break-ins do not fire. In AWS, such compromises frequently involve abuse of the Simple Email Service (SES) for illicit email operations. Recent investigations revealed a campaign in which stolen AWS credentials were used to abuse SES. Analysis of this activity uncovered TruffleNet, an attack infrastructure built around the open-source secret-scanning tool TruffleHog, used here to validate stolen credentials and perform reconnaissance. The adversaries then leveraged the compromised accounts to run large-scale Business Email Compromise (BEC) campaigns.
Indicators of Compromise (IOC) List
| Type | Indicators |
|---|---|
| Domains/URLs | cdnbenin.com, cfp-impactaction.com, jia.com.au, majoor.co, novainways.com, restaurantalhes.com |
| IP addresses | 175.103.36.74, 43.252.9.253 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain IOCs in domainname, url and siteurl fields):

domainname like "cdnbenin.com" or url like "cdnbenin.com" or siteurl like "cdnbenin.com" or domainname like "jia.com.au" or url like "jia.com.au" or siteurl like "jia.com.au" or domainname like "majoor.co" or url like "majoor.co" or siteurl like "majoor.co" or domainname like "novainways.com" or url like "novainways.com" or siteurl like "novainways.com" or domainname like "restaurantalhes.com" or url like "restaurantalhes.com" or siteurl like "restaurantalhes.com" or domainname like "cfp-impactaction.com" or url like "cfp-impactaction.com" or siteurl like "cfp-impactaction.com"

Note: if `like` is evaluated as a substring match, the short indicators majoor.co and jia.com.au will also match unrelated hosts (for example majoor.com or sijia.com.au); review hits on those against the full hostname before escalating.

Detection Query 2 (IP IOCs as source or destination address):

dstipaddress IN ("43.252.9.253","175.103.36.74") or srcipaddress IN ("43.252.9.253","175.103.36.74")
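The following is an added example, not part of the advisory and not Gurucul's TDIR query engine. It applies the same logic as the two queries above to a batch of log events: the listed domains are checked in the domainname, url and siteurl fields and the listed IPs in srcipaddress and dstipaddress. Unlike a bare substring `like`, domains are matched on host-label boundaries, so majoor.com and sijia.com.au are near-misses that do not fire while mail.jia.com.au (a subdomain) does. The field names follow the queries; the log events are constructed for illustration.

```python
"""IOC matcher mirroring the two TDIR queries for the TruffleNet advisory.

Added example, not Gurucul's engine. Field names (domainname, url, siteurl,
srcipaddress, dstipaddress) are taken from the queries; sample events below
are constructed, not real telemetry.
"""
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlsplit

# IOCs from the advisory
IOC_DOMAINS = {
    "cdnbenin.com", "cfp-impactaction.com", "jia.com.au",
    "majoor.co", "novainways.com", "restaurantalhes.com",
}
IOC_IPS = {"175.103.36.74", "43.252.9.253"}

DOMAIN_FIELDS = ("domainname", "url", "siteurl")      # Detection Query 1
IP_FIELDS = ("srcipaddress", "dstipaddress")          # Detection Query 2


def extract_host(value: str) -> str:
    """Return the lowercase hostname from a URL or bare host ('' if none)."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # makes urlsplit parse it as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def domain_hit(host: str) -> Optional[str]:
    """Exact-host or subdomain match against IOC_DOMAINS.

    Walks the label suffixes of the host ("mail.jia.com.au", "jia.com.au",
    "com.au") so a match is anchored on a dot boundary; plain substring
    matching would flag majoor.com for the IOC majoor.co.
    """
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(value: str) -> Optional[str]:
    """Normalise the address (rejecting garbage) and compare to IOC_IPS."""
    try:
        addr = str(ip_address(value.strip()))
    except ValueError:
        return None
    return addr if addr in IOC_IPS else None


def match_event(event: dict) -> list:
    """Return (field, ioc) pairs for every IOC present in one log event."""
    hits = []
    for field in DOMAIN_FIELDS:
        if field in event:
            ioc = domain_hit(extract_host(str(event[field])))
            if ioc:
                hits.append((field, ioc))
    for field in IP_FIELDS:
        if field in event:
            ioc = ip_hit(str(event[field]))
            if ioc:
                hits.append((field, ioc))
    return hits


def scan(events: list) -> list:
    """Return (event_index, hits) for each event with at least one IOC hit."""
    results = []
    for i, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real logs); two are deliberate near-misses.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "43.252.9.253",
     "url": "https://majoor.co/login"},
    {"domainname": "mail.jia.com.au", "srcipaddress": "10.0.0.7"},
    {"siteurl": "https://majoor.com/", "dstipaddress": "8.8.8.8"},   # near-miss
    {"domainname": "sijia.com.au"},                                   # near-miss
    {"srcipaddress": "175.103.36.74", "url": "http://example.org/"},
    {"srcipaddress": "not-an-ip", "url": "cfp-impactaction.com/path"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

Events 0, 1, 4 and 5 are reported; the two near-miss events are not. To reproduce the looser behaviour of a substring `like`, replace `domain_hit` with `any(d in host for d in IOC_DOMAINS)` and note that event 2 then fires on majoor.com.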
Reference:
https://www.fortinet.com/blog/threat-research/cloud-abuse-at-scale