New TruffleNet BEC Campaign Leverages AWS SES Using Stolen Credentials to Compromise 800+ Hosts

Source: Cyber Security News

Identity compromise, particularly in cloud infrastructure, poses a significant threat because attackers use legitimate credentials to run large-scale phishing and BEC campaigns. The TruffleNet operation, recently uncovered by FortiGuard Labs, illustrates a sophisticated approach in which stolen AWS credentials let fraudsters abuse the Simple Email Service (SES) to impersonate legitimate organizations. By creating email identities with compromised DKIM keys, the attackers sent fraudulent communications requesting substantial payments to targets in the oil and gas sector.

The campaign shows extensive operational security: its tiered architecture spans over 800 unique hosts and 57 Class C networks, which indicates the scale of the operation. The initial stages of the attack involved credential verification followed by privilege escalation attempts. Although some attempts failed, one account with adequate permissions accessed SES directly. The attackers planned their approach meticulously, sending vendor invoices and maintaining a façade of credibility to improve the success rate of their social engineering.
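The staged behaviour described above (credential verification, then SES access) can be hunted for in CloudTrail. The following is an added example, not code from the article or from FortiGuard Labs: it assumes the verification step appears as sts:GetCallerIdentity and the SES stage as GetSendQuota or CreateEmailIdentity, uses an assumed 24-hour window, and runs on constructed sample records.

```python
from datetime import datetime, timedelta

# Assumption: the article's "credential verification" and SES stages are mapped
# to these real AWS API calls; the page itself does not name them.
STS, SES = "sts.amazonaws.com", "ses.amazonaws.com"
VERIFY = {(STS, "GetCallerIdentity")}
SES_STAGE = {(SES, "GetSendQuota"), (SES, "CreateEmailIdentity")}
WINDOW = timedelta(hours=24)  # assumed correlation window

def ev(time, source, name, ip, key):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed CloudTrail-style records: placeholder key ids, documentation IPs.
SAMPLE_EVENTS = [
    ev("2025-01-01T10:00:00Z", STS, "GetCallerIdentity", "198.51.100.7", "AKIAEXAMPLE000000001"),
    ev("2025-01-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", "198.51.100.7", "AKIAEXAMPLE000000001"),
    ev("2025-01-01T10:00:00Z", STS, "GetCallerIdentity", "198.51.100.9", "AKIAEXAMPLE000000002"),
    ev("2025-01-01T10:05:00Z", SES, "GetSendQuota", "203.0.113.20", "AKIAEXAMPLE000000002"),
    ev("2025-01-01T11:00:00Z", SES, "CreateEmailIdentity", "203.0.113.44", "AKIAEXAMPLE000000002"),
    ev("2025-01-01T09:00:00Z", SES, "GetSendQuota", "192.0.2.10", "AKIAEXAMPLE000000003"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_verify_then_ses(events, window=WINDOW):
    """Return {access_key: finding} for keys that call SES soon after an identity check."""
    by_key = {}
    for e in sorted(events, key=lambda e: parse(e["eventTime"])):
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:  # records without an access key (e.g. service events) are skipped
            by_key.setdefault(key, []).append(e)
    findings = {}
    for key, evs in by_key.items():
        verified_at, ses_calls = None, []
        for e in evs:
            call, t = (e["eventSource"], e["eventName"]), parse(e["eventTime"])
            if call in VERIFY:
                verified_at = t  # most recent identity check for this key
            elif call in SES_STAGE and verified_at is not None and t - verified_at <= window:
                ses_calls.append(e["eventName"])
        if ses_calls:  # report every source IP the key was used from
            findings[key] = {"ses_calls": ses_calls,
                             "source_ips": sorted({e["sourceIPAddress"] for e in evs})}
    return findings

if __name__ == "__main__":
    print(find_verify_then_ses(SAMPLE_EVENTS))
```

A key that only calls SES, as a normal mail-sending workload would, is not flagged; the several source addresses reported for a flagged key are a further signal given the many-host infrastructure the article describes.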
