Since mid-March 2025, threat actors have been exploiting a combination of Server-Side Request Forgery (SSRF) vulnerabilities and Amazon’s EC2 Instance Metadata Service (IMDSv1) to steal sensitive credentials, enabling unauthorized access to cloud resources. By targeting the IMDSv1 endpoint (169.254.169.254), attackers extract temporary AWS security credentials tied to the EC2 instance’s Identity and Access Management (IAM) role.

The campaign begins with hackers probing web applications for SSRF flaws, which allow them to route malicious HTTP requests to internal systems. The attackers used a consistent pattern of HTTP GET requests across six parameters (url, dest, file, redirect, target, and uri) to trigger SSRF. F5’s telemetry showed attackers targeting four subpaths, including /meta-data/iam/security-credentials/ and /user-data, to harvest credentials and instance configurations. These credentials can grant access to S3 buckets, databases, and other cloud services, escalating privileges within the victim’s environment.

The campaign infrastructure, traced back to ASN 34534 (owned by French entity FBW NETWORKS SAS), revealed uniformly configured hosts with OpenSSH 9.2 and Kubernetes-related ports, suggesting orchestrated botnet activity.
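The request pattern described above can be hunted for in web access logs. The following is an added example, not code from F5 or the article: it flags requests where one of the six listed parameters carries the IMDS address, and marks hits on the two named subpaths as high priority. The combined log format, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Values taken from the article: the six query parameters, the IMDS address,
# and the two subpaths it names (it reports four; the other two are not listed).
SSRF_PARAMS = {"url", "dest", "file", "redirect", "target", "uri"}
IMDS_ADDR = "169.254.169.254"
SENSITIVE_SUBPATHS = ("/meta-data/iam/security-credentials/", "/user-data")

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Strip nested percent-encoding so double-encoded values still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def imds_hits(log_line):
    """Return (param, decoded_value, sensitive) for each listed parameter
    whose value references the IMDS address (literal dotted-quad form only)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_unquote(value)
        if name.lower() in SSRF_PARAMS and IMDS_ADDR in value:
            sensitive = any(p in value for p in SENSITIVE_SUBPATHS)
            hits.append((name.lower(), value, sensitive))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2025:10:00:02 +0000] "GET /go?redirect=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Apr/2025:10:00:03 +0000] "GET /img?file=logo.png HTTP/1.1" 200 1043',
    '198.51.100.9 - - [01/Apr/2025:10:00:04 +0000] "GET /proxy?target=http%253A%252F%252F169.254.169.254%252Flatest%252Fmeta-data%252F HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        for param, value, sensitive in imds_hits(line):
            print(f"line {number}: [{'HIGH' if sensitive else 'INFO'}] {param}={value}")
```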
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Apr 2025 13:40:10 +0000