Cybercriminals have launched a sophisticated campaign targeting websites hosted on Amazon Web Services (AWS) EC2 instances.
This campaign, observed in March 2025, exploits a vulnerability in EC2 Instance Metadata through Server-Side Request Forgery (SSRF), allowing attackers to access sensitive information and potentially escalate their attacks.
The attackers are leveraging a combination of two common weaknesses: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-918 (Server-Side Request Forgery).
They send GET requests to websites hosted on EC2 instances, attempting to make the web application fetch metadata from the metadata service's link-local address (169.254.169.254).
This metadata includes critical information like IAM role credentials, which can be used to gain unauthorized access to AWS resources.
The campaign’s timeline shows a brief but intense period of activity, starting on March 15, 2025, and lasting for four days.
The attackers used multiple IP addresses, all from the same Autonomous System Number (ASN) owned by FBW NETWORKS SAS, a French company.
These IPs displayed uniform behavior in their exploitation attempts, suggesting a coordinated effort by a single actor.
The exposure of EC2 Instance Metadata, particularly through IMDSv1, poses significant risks.
As AWS documentation notes, IMDSv1 data is not protected by authentication or cryptographic methods, making it vulnerable to anyone with direct access to the instance or software running on it.
This vulnerability allows attackers to potentially escalate their privileges within the AWS environment, leading to further exploitation or data breaches.
To mitigate this threat, AWS users are advised to transition from IMDSv1 to IMDSv2, which requires attackers to supply a secret token, significantly reducing the risk of SSRF-based attacks.
Additionally, implementing Web Application Firewall (WAF) rules that block incoming requests carrying the metadata service address can stop these probes before they reach the application.
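To show what the described probes look like in a web server's access log and how a WAF-style rule can match them, here is an added detection example (not code from the report or from AWS). It runs over constructed, labelled log lines and goes slightly beyond the page by also matching the decimal and hex spellings of 169.254.169.254 and the IPv6 IMDS endpoint, which a rule that only looks for the dotted address would miss.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse
# IMDS endpoints: the link-local range holding 169.254.169.254, plus IPv6.
IMDS_NETWORKS = (ipaddress.ip_network("169.254.0.0/16"),
                 ipaddress.ip_network("fd00:ec2::254/128"))
IMDS_PATH_HINT = "/latest/meta-data"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Constructed access-log lines (not from the report) modelled on the
# campaign's GET requests: a URL parameter pointed at the metadata service.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
203.0.113.10 - - [15/Mar/2025:10:01:05 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
198.51.100.7 - - [15/Mar/2025:10:02:00 +0000] "GET /fetch?url=https://example.org/page HTTP/1.1" 200 2048
203.0.113.10 - - [15/Mar/2025:10:03:00 +0000] "GET /fetch?url=http://2852039166/latest/meta-data/ HTTP/1.1" 200 512
203.0.113.10 - - [15/Mar/2025:10:03:30 +0000] "GET /latest/meta-data/ HTTP/1.1" 404 0
"""

def host_to_ip(host):
    """Parse a URL host as an IP, including decimal/hex forms of 169.254.169.254."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        try:
            return ipaddress.ip_address(int(host, 0))  # 2852039166, 0xa9fea9fe
        except ValueError:
            return None

def targets_imds(url):
    """True when a full URL or a bare request path points at the IMDS."""
    parsed = urlparse(url)
    ip = host_to_ip(parsed.hostname) if parsed.hostname else None
    if ip is not None and any(ip in net for net in IMDS_NETWORKS):
        return True
    return IMDS_PATH_HINT in parsed.path

def find_imds_probes(log_text):
    """Return (client_ip, request_target) for every request aimed at the IMDS."""
    hits = []
    for match in filter(None, map(LOG_RE.match, log_text.splitlines())):
        client, target = match.groups()
        # Check the raw target and every (decoded) query value it carries.
        candidates = [target]
        for values in parse_qs(urlparse(target).query).values():
            candidates.extend(unquote(v) for v in values)
        if any(targets_imds(c) for c in candidates):
            hits.append((client, target))
    return hits
```

The same `targets_imds` check is what an application should apply to any user-supplied URL before fetching it, and the real fix remains requiring IMDSv2 so that a plain GET cannot read credentials even if a probe gets through.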
While the EC2 metadata exploit is novel, March 2025 also saw significant activity around several other CVEs:
According to the report, the exploitation of EC2 Instance Metadata through SSRF underscores the evolving tactics of cybercriminals targeting cloud infrastructure.
Organizations must remain vigilant, ensuring their cloud configurations are secure and up-to-date.
The resurgence of interest in older vulnerabilities also serves as a reminder that patching and updating systems are critical to maintaining robust cybersecurity defenses.
As cloud services continue to grow, so too does the sophistication of attacks against them, necessitating a proactive approach to security.