CyberSecurityBoard
Sponsor Register Login

Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials

A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. In the campaign observed by F5, the attackers located websites hosted on EC2 with SSRF flaws, allowing them to remotely query the internal EC2 Metadata URLs and receive sensitive data. The attacks worked because the vulnerable instances were running on IMDSv1, AWS's older metadata service that allows anyone with access to the instance to retrieve the metadata, including any stored IAM credentials. Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption. During this time, the attackers rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (e.g., /meta-data/, /user-data), showing a systematic approach in exfiltrating sensitive data from vulnerable sites. The first malicious SSRF probe was logged on March 13, but the campaign escalated to full scale between March 15 and 25, employing several FBW Networks SAS IPs based in France and Romania. These attacks were highlighted in a March 2025 threat trends report where F5 Labs documented the most exploited vulnerabilities for the past month. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. SSRF problems are web flaws that enable attackers to "trick" a server into making HTTP requests to internal resources on their behalf, which usually are not accessible by the attacker. This metadata service is only accessible by the virtual machine by connecting to special URLs on internal IP addresses, like  . EC2 Metadata is a service in Amazon EC2 (Elastic Compute Cloud) that provides information about a virtual machine running on AWS.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 09 Apr 2025 21:00:19 +0000


Cyber News related to Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials - A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. ...
6 days ago Bleepingcomputer.com
CrowdStrike Demonstrates Cloud Security Leadership at AWS re:Invent - CrowdStrike is honored to be named Partner of the Year for several 2023 Geo and Global AWS Partner Awards at Amazon Web Services re:Invent 2023, where we are participating this year as a Diamond Sponsor. These accomplishments demonstrate our ...
1 year ago Crowdstrike.com
GCP to AWS migration: A Comprehensive Guide - Embarking on a GCP to AWS migration journey can be both exciting and challenging. Before we dive into the technical details, let's explore why businesses might consider migrating from GCP to AWS. While GCP offers a range of services, AWS boasts an ...
1 year ago Feeds.dzone.com
whoAMI attacks give hackers code execution on Amazon EC2 instances - The attacker only needs an AWS account to publish their backdoored AMI to the public Community AMI catalog and strategically choose a name that mimics the AMIs of their targets. The issue was fixed last year on September 19, and on December 1st AWS ...
2 months ago Bleepingcomputer.com
SentinelLabs Details Discovery of FBot Tool for Compromising Cloud Services - SentinelLabs today published a report identifying a Python-based tool that cybercriminals are using to compromise cloud computing and software-as-a-service platforms. Alex Delamotte, senior threat researcher at SentinelLabs, said FBot is used to take ...
1 year ago Securityboulevard.com
Shaping the Future of Finance: The Cisco and AWS Collaboration in EMEA - The collaboration between Cisco and Amazon Web Services in the Europe, Middle East, and Africa region-combining each company's market leading strengths-continues to deliver impressive outcomes for our customers, notably within the Financial Services ...
1 year ago Feedpress.me
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
6 months ago Aws.amazon.com
AWS CloudQuarry: Digging for Secrets in Public AMIs - Money, secrets and mass exploitation: This research unveils a quarry of sensitive data stored in public AMIs. As a best practice, AMI creators should not include credentials, including AWS account credentials, in published AMIs. We wanted to scan all ...
11 months ago Packetstormsecurity.com
Tensorflow Supply Chain Compromise via Self-Hosted Runner Attack - Let's say TensorFlow wants to run a set of tests when a GitHub user submits a pull request. TensorFlow can define these tests in a yaml workflow file, used by GitHub Actions, and configure the workflow to run on the `pull request` trigger. One type ...
1 year ago Securityboulevard.com
Rundown of Security News from AWS re:Invent 2023 - Amazon Web Services has been unveiling a steady stream of announcements during its AWS re:Invent 2023 event in Las Vegas this week. The focus over the four days, as expected, is on AI as AWS strives to show that its offerings can match - or surpass - ...
1 year ago Darkreading.com
What happens when you accidentally leak your AWS API keys? - My situation had no ill consequences, but it could have if I had used my actual email for the script or if my project was bigger and I had used AWS or another cloud provider and hardcoded those credentials. In a later class I did learn how to safely ...
1 year ago Isc.sans.edu
CVE-2024-37293 - The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or ...
10 months ago Tenable.com
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
2 years ago Thehackernews.com
A Single Cloud Compromise Can Feed an Army of AI Sex Bots – Krebs on Security - “Once initial access was obtained, they exfiltrated cloud credentials and gained access to the cloud environment, where they attempted to access local LLM models hosted by cloud providers: in this instance, a local Claude (v2/v3) LLM model from ...
6 months ago Krebsonsecurity.com
Hackers Exploiting EC2 Instance Metadata Vulnerability to Attacks Websites Hosted - Since mid-March 2025, threat actors have been exploiting a combination of Server-Side Request Forgery (SSRF) vulnerabilities and Amazon’s EC2 Instance Metadata Service (IMDSv1) to steal sensitive credentials, enabling unauthorized access to cloud ...
14 hours ago Cybersecuritynews.com
Server-Side Request Forgery Attack Explained: Definition, Types, Protection - A Server-Side Request Forgery attack is a security vulnerability in which a hacker tricks a server into accessing unintended resources on his behalf. An SSRF attack can lead to sensitive information being leaked or the attacker gaining control of ...
2 years ago Heimdalsecurity.com
7 Rules to Improve AWS Security and Reduce Unwanted Incidents - Security of your AWS infrastructure is ultimately up to you. As the largest cloud services provider, AWS invests heavily to ensure its cloud environment is secure. Much of AWS security is still left to the customer, especially with regard to managing ...
2 years ago Beyondtrust.com
A Handbook for Managing Containers on Amazon Web Services - Container management is a way to help you create, govern, and maintain your containers. There are tools and services available that can automate the creation, deployment, maintenance, scaling, and monitoring of application or system containers. In ...
2 years ago Trendmicro.com
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - Security teams should combine this with AWS security best practices, such as enabling CloudTrail logging for API activity monitoring, implementing IAM policies based on least-privilege principles, and rotating credentials via the AWS Secrets Manager ...
1 month ago Cybersecuritynews.com
Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials - Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials. Cybersecurity firm Intruder has published blog posts explaining how they got hacked ...
1 year ago Hackread.com
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
1 year ago Bleepingcomputer.com
Datadog Report Surfaces Pair of Sophisticated AWS Attacks - A report published by Datadog suggests that cybercriminal activity aimed specifically at cloud infrastructure services provided by Amazon Web Services are increasing in terms of both sophistication and scale. In one case, a malicious user was able to ...
1 year ago Securityboulevard.com
AWS Root vs IAM User: What to Know & When to Use Them - In Amazon Web Services, there are two different privileged accounts. One is defined as Root User and the other is defined as an IAM User. In this blog, I will break down the differences of an AWS Root User versus an IAM account, when to use one ...
2 years ago Beyondtrust.com
CVE-2023-35165 - AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 ...
1 year ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)