TruffleNet Weaponizes Stolen Credentials to Target AWS
Gabriel Avner
November 5, 2025
New details are emerging about a wave of intrusions into Amazon Web Services environments. Attackers are reportedly weaponizing AWS IAM, using it to validate stolen credentials and turn identity controls into a springboard for in-cloud abuse.
According to new research from Fortinet, attackers are leveraging the open source TruffleHog tool to automate testing of stolen AWS credentials, using what the researchers are calling the TruffleNet infrastructure.
In their report, researchers say that the hackers are abusing AWS IAM to test whether their stolen credentials are valid, using the GetCallerIdentity call (an STS API that returns the account and identity behind a set of credentials).
Once inside their targets’ environments, attackers are exploiting the compromised infrastructure to carry out Business Email Compromise (BEC) attacks via AWS’s Simple Email Service (SES).
Additionally, Fortinet’s researchers observed the attackers using the AWS CLI to query the SES GetSendQuota API. They believe these queries are part of staging SES for downstream attacks, such as the BEC campaign described in the researchers’ report.
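As an added illustration (not code from Fortinet's report or from Apono), the following Python checks CloudTrail records for the two patterns the report describes: one source IP validating many different access keys with sts:GetCallerIdentity, and one of those keys then querying ses:GetSendQuota. The log records are constructed sample data, and the burst threshold is an assumption to be tuned per environment.

```python
from collections import defaultdict

# Constructed CloudTrail-style records (sample data, not taken from the report).
# One source IP exercises four different access keys via sts:GetCallerIdentity,
# then uses one of them to probe SES with ses:GetSendQuota; a second IP makes a
# single, ordinary GetCallerIdentity call and should not be flagged.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0003"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0004"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0005"}},
]

def credential_validation_bursts(events, min_keys=3):
    """Map each source IP to the distinct access keys it validated with
    sts:GetCallerIdentity, keeping only IPs that tested >= min_keys keys.
    (min_keys is an assumed threshold; tune it to your environment.)"""
    keys_by_ip = defaultdict(set)
    for ev in events:
        if (ev.get("eventSource") == "sts.amazonaws.com"
                and ev.get("eventName") == "GetCallerIdentity"):
            key = ev.get("userIdentity", {}).get("accessKeyId")
            if key:
                keys_by_ip[ev.get("sourceIPAddress")].add(key)
    return {ip: keys for ip, keys in keys_by_ip.items() if len(keys) >= min_keys}

def ses_recon_by_validated_keys(events, bursts):
    """Return (accessKeyId, sourceIPAddress) pairs where a key seen in a
    validation burst went on to query SES with GetSendQuota."""
    suspect_keys = set().union(*bursts.values()) if bursts else set()
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if (ev.get("eventSource") == "ses.amazonaws.com"
                and ev.get("eventName") == "GetSendQuota"
                and key in suspect_keys):
            hits.append((key, ev.get("sourceIPAddress")))
    return hits

if __name__ == "__main__":
    bursts = credential_validation_bursts(SAMPLE_EVENTS)
    print(bursts, ses_recon_by_validated_keys(SAMPLE_EVENTS, bursts))
```

In production the same two functions would run over records pulled from CloudTrail (for example via Athena or an S3 export) rather than the embedded sample list.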
Read Fortinet’s blog post for more information on how the attackers leverage open source tools and AWS infrastructure, and on the tricks used in their BEC campaign.
How Compromised Identities Pave the Way for Higher-value Attacks
At this stage, the BEC attacks appear to be the “smash and grab” part of the plan.
But researchers note that the hackers are also leveraging their infiltration capabilities to carry out reconnaissance inside the compromised infrastructure.
This snooping around can be the crucial first step in later stages of their operations, where attackers go after sensitive resources like regulated data (think PII & PHI) as well as production environments, where disruption can harm the business.
There are a number of valuable takeaways from this story that reinforce what we know about the risks of compromised credentials:
- We see the continued risk of stolen or otherwise compromised credentials. We know that credential compromise is a question of when and not if.
- Attackers are becoming increasingly adept at leveraging not only the infrastructure of our cloud environments for their criminal activities, but also the tools we use to manage access privileges within that infrastructure.
- Hackers can leverage any standing access that a compromised identity may have to illicitly access resources, as we see with the abuse of AWS SES.
- The level of privileges attached to an identity matters. Researchers note that while attempts to create new users failed, the attackers apparently succeeded in compromising a user who had sufficient privileges to cause havoc with SES. Had they compromised an IAM user with the right privileges, they could have created numerous identities.
How Apono Helps Secure Your AWS
Remove Standing Access
Eliminating standing access means that even if an identity is compromised, the attacker cannot use any attached privileges to reach resources. Under a Just-in-Time (JIT) access model, access is granted to identities, human or not, temporarily and on demand. This ensures that access privileges are not abused and improves developer velocity.
Minimize the Blast Radius
Continuously reduce privileges to support least-privilege operations via a Just-Enough (JEA) approach. Apono’s Access Discovery capabilities uncover overprivileged identities and provide data-driven recommendations on how to reduce privileges without impacting productivity, all based on real usage.
Simplify Remediations
Apono’s approach to reducing privileges steps away from the binary choice between leaving risky privileges in place and revoking privileges in a way that can break processes. Risky privileges can be quarantined via Access Flow deny policies, enabling security teams to remove the risk quickly and revert access just as quickly if needed.

Apono enables organizations to adopt a Zero Standing Privileges (ZSP) approach in support of their Zero Trust initiatives.
Ready to Take a Smarter Approach to Cloud Access?
See how Apono can help your organization prevent credential-based attacks while keeping teams fast and productive. Visit apono.io/jit-and-jep/ to learn more about our platform or request a demo.