Hackers Target SSRF Bugs in EC2-Hosted Sites to Steal AWS Credentials
Summary:
A targeted campaign discovered by F5 Labs exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2 instances. These SSRF flaws allowed attackers to trick vulnerable servers into making unauthorized internal HTTP requests, specifically to the EC2 Instance Metadata Service v1 (IMDSv1), which does not require authentication. By querying the internal URL http://169.254.169.254/latest/meta-data/, attackers were able to retrieve sensitive metadata about the virtual machines, including Identity and Access Management (IAM) credentials. These credentials enabled them to escalate privileges and potentially gain unauthorized access to AWS resources such as S3 buckets, virtual machines, or other cloud services, opening the door to data theft, manipulation, and operational disruptions.
The campaign was active between March 13 and 25, 2025, with the first malicious SSRF probe detected on March 13. Full-scale exploitation began by March 15, during which the attackers used multiple IP addresses tied to FBW Networks SAS in France and Romania. They demonstrated a methodical approach by rotating six different query parameter names and targeting four specific subpaths to evade detection and maximize data exfiltration. Their success largely hinged on targeting EC2 instances that were still using IMDSv1, a legacy service that allows metadata retrieval without requiring session tokens. This version has since been replaced by IMDSv2, which offers enhanced protection by enforcing session-based authentication, thereby mitigating the risk of SSRF-based metadata access.
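Whether an instance still answers IMDSv1 requests is a per-instance setting, so the migration the summary describes starts with an inventory. The following is an added example, not code from the F5 Labs report or the BleepingComputer article: it audits the MetadataOptions block of an EC2 DescribeInstances response for instances that still accept token-less requests and builds the ModifyInstanceMetadataOptions parameters that enforce IMDSv2. The response it processes is a constructed sample with made-up instance IDs, and the hop-limit check reflects AWS's general IMDSv2 hardening guidance rather than anything stated in the report.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and enforce IMDSv2.

Added example; not code from the F5 Labs report or the article. It uses the
real field names of the EC2 DescribeInstances / ModifyInstanceMetadataOptions
APIs but runs offline against a constructed sample response. To run it on a
live account, feed it boto3's ec2.describe_instances() output and pass the
returned parameters to ec2.modify_instance_metadata_options().
"""

# Constructed sample shaped like a DescribeInstances response (fake instance IDs).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            # IMDSv1 still answers: endpoint on, tokens merely optional.
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            # IMDSv2 enforced: every request must carry a session token.
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            # Metadata service switched off entirely; nothing to reach.
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"HttpEndpoint": "disabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            # IMDSv2 enforced, but a raised hop limit lets the token response
            # travel past the instance itself (e.g. into containers).
            {"InstanceId": "i-0ddd444example",
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 4}},
        ]}
    ]
}


def iter_instances(response):
    """Flatten Reservations[].Instances[] from a DescribeInstances response."""
    for reservation in response.get("Reservations", []):
        yield from reservation.get("Instances", [])


def find_imdsv1_exposed(response):
    """Instance IDs whose metadata endpoint still serves unauthenticated
    (IMDSv1) GET requests: endpoint enabled and HttpTokens not 'required'.
    These are the instances a plain SSRF GET can read metadata from."""
    return [inst["InstanceId"] for inst in iter_instances(response)
            if inst.get("MetadataOptions", {}).get("HttpEndpoint") == "enabled"
            and inst.get("MetadataOptions", {}).get("HttpTokens") != "required"]


def find_high_hop_limit(response, max_hops=1):
    """Instance IDs with an enabled endpoint whose PUT response hop limit exceeds
    max_hops; 1 is the usual hardened value for a single host (AWS guidance,
    not from the report)."""
    return [inst["InstanceId"] for inst in iter_instances(response)
            if inst.get("MetadataOptions", {}).get("HttpEndpoint") == "enabled"
            and inst.get("MetadataOptions", {}).get("HttpPutResponseHopLimit", 1) > max_hops]


def remediation_params(instance_id, hop_limit=1):
    """Keyword arguments for ec2.modify_instance_metadata_options() that enforce
    IMDSv2: token-less requests are rejected and the token cannot leave the host."""
    return {"InstanceId": instance_id,
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",
            "HttpPutResponseHopLimit": hop_limit}


def audit(response):
    """Full report: exposed instances, hop-limit findings, remediation calls."""
    exposed = find_imdsv1_exposed(response)
    return {"imdsv1_exposed": exposed,
            "hop_limit_too_high": find_high_hop_limit(response),
            "remediations": [remediation_params(i) for i in exposed]}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

On the constructed sample the audit flags only the first instance as IMDSv1-exposed (the third has its endpoint disabled, so there is nothing for an SSRF request to reach) and separately flags the fourth for its hop limit. Before applying `HttpTokens=required` fleet-wide, confirm that agents and SDKs on the instance already use the IMDSv2 token flow, since anything still issuing bare GETs to the metadata service will start failing.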
Security Officer Comments:
The incident was part of a broader threat landscape outlined in F5 Labs’ March 2025 threat trends report, which highlighted widespread exploitation of older vulnerabilities. Among the most exploited CVEs were: CVE-2017-9841 (PHPUnit remote code execution), CVE-2020-8958 (Guangzhou ONU OS command injection), CVE-2023-1389 (TP-Link Archer AX21 command injection), and CVE-2019-9082 (ThinkPHP PHP injection). These four accounted for tens of thousands of attack attempts, emphasizing that threat actors continue to target outdated and unpatched systems—40% of the exploited CVEs were more than four years old. In response, F5 Labs recommends organizations prioritize security updates, migrate away from IMDSv1 to IMDSv2, harden configurations for routers and IoT devices, and replace end-of-life network equipment with supported models to reduce their attack surface.
Suggested Corrections:
Researchers at F5 recommend the following mitigations:
- Scan your environment for vulnerabilities aggressively.
- Patch high-priority vulnerabilities (defined however suits you) as soon as feasible.
- Engage a DDoS mitigation service to prevent the impact of DDoS on your organization.
- Use a WAF or similar tool to detect and stop web exploits.
- Monitor anomalous outbound traffic to detect devices in your environment that are participating in DDoS attacks.
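The WAF recommendation above is the control that would see this campaign at the web tier. As an added example, not code from F5 Labs or the article, the following scans web-server access logs in the common "combined" format for query-parameter values that, once percent-decoded, point at the EC2 metadata address quoted in the summary, and then summarizes per client address how many distinct parameter names were tried, which is the rotation pattern the summary describes. The log lines are constructed (documentation IP ranges, invented parameter names); the actual parameter names and subpaths used in the campaign are not given on the page.

```python
"""Detect SSRF probes aimed at the EC2 metadata service in web access logs.

Added example; not code from the F5 Labs report or the article. Input is
Apache/Nginx 'combined' access-log text. The log lines below are constructed
(documentation IP ranges, invented parameter names); the real parameter
names and subpaths used in the campaign are not given in the source.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

IMDS_HOST = "169.254.169.254"   # link-local metadata address quoted in the summary
IMDS_PATH = "/latest/meta-data"  # metadata path prefix quoted in the summary

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: two probes from one client, then benign traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Mar/2025:09:12:44 +0000] "GET /fetch.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Mar/2025:09:12:45 +0000] "GET /fetch.php?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2025:09:13:02 +0000] "GET /fetch.php?url=https://example.com/feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2025:09:13:10 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so the comparison is made
    on what the vulnerable server would actually request, not the raw bytes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_imds_reference(value):
    """True if a decoded parameter value points at the metadata service."""
    return IMDS_HOST in value or IMDS_PATH in value


def find_imds_ssrf(log_lines):
    """Return one hit per query parameter whose value targets the metadata
    service, with client, time, parameter name, decoded value and status."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes one layer; decode_fully handles any further layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            if is_imds_reference(value):
                hits.append({"client": m.group("client"),
                             "time": m.group("time"),
                             "param": name,
                             "value": value,
                             "status": int(m.group("status"))})
    return hits


def summarize_by_client(hits):
    """Per source address: distinct parameter names tried, total attempts and
    how many drew a 2xx (the server answered, so the request likely went out)."""
    summary = defaultdict(lambda: {"params": set(), "attempts": 0, "served_2xx": 0})
    for h in hits:
        entry = summary[h["client"]]
        entry["params"].add(h["param"])
        entry["attempts"] += 1
        if 200 <= h["status"] < 300:
            entry["served_2xx"] += 1
    return {client: {**e, "params": sorted(e["params"])} for client, e in summary.items()}


if __name__ == "__main__":
    found = find_imds_ssrf(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} param={h["param"]} status={h["status"]} -> {h["value"]}')
    print(summarize_by_client(found))
```

Matching on the decoded value rather than the raw request line is the point: a WAF or log rule that only looks for the literal string `169.254.169.254` misses the percent-encoded second line. A 2xx on such a request is the signal to treat as an incident, since it means the application fetched the URL it was handed; the response then is to rotate the instance role's credentials and enforce IMDSv2 on the affected instances, not only to block the source addresses.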
Link(s):
https://www.bleepingcomputer.com/ne...in-ec2-hosted-sites-to-steal-aws-credentials/
https://www.f5.com/labs/articles/th...targets-amazon-ec2-instance-metadata-via-ssrf