

Ethical Hacking News

Exposing the Shadows: A Detailed Analysis of a Coordinated Attack on AWS EC2 Instances



Hackers exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to steal credentials in a coordinated attack that occurred between March 13 and 25, 2025. Learn how organizations can mitigate the risks of this incident by taking proactive steps to secure their cloud resources.

  • Hackers exploited Server-Side Request Forgery (SSRF) vulnerabilities in AWS EC2 instances to steal credentials.
  • The attack occurred between March 13 and 25, 2025, and was attributed to a single threat actor.
  • The attackers targeted websites running on IMDSv1, exploiting the vulnerability to remotely query internal EC2 Metadata URLs and receive sensitive data.
  • The incident highlights the importance of monitoring for SSRF vulnerabilities, applying timely security patches, and implementing robust security measures to prevent exploitation.



    The online security landscape is constantly evolving, with new threats emerging every day. Recently, F5 Labs researchers uncovered a coordinated attack against websites hosted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances, exploiting Server-Side Request Forgery (SSRF) vulnerabilities to steal sensitive credentials and gain unauthorized access to these resources. In this article, we delve into the details of this attack and its implications for organizations relying on AWS EC2, and provide guidance on how to mitigate the risks.


    The campaign, which occurred between March 13 and 25, 2025, was discovered by F5 Labs researchers who noticed a surge in malicious activity targeting websites hosted on EC2 instances. The attackers exploited SSRF vulnerabilities in these instances, allowing them to remotely query internal EC2 Metadata URLs and receive sensitive data. The metadata service is reachable only from inside the instance itself; an SSRF flaw in a web application running on that instance lets an outsider borrow that privileged position, which is what makes the service such an attractive target for attackers looking to gain unauthorized access to resources.


    The first malicious SSRF probe was logged on March 13, but the campaign escalated to full scale between March 15 and 25, employing several IP addresses based in France and Romania. During this time, the attackers rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (e.g., /meta-data/, /user-data), demonstrating a systematic approach to exfiltrating sensitive data from vulnerable sites.
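    As an added example (not code from the article or from F5 Labs), the following Python flags access-log requests whose dest/file/redirect/target/uri/url parameters carry a URL aimed at the EC2 metadata service. The log lines are constructed; the IPv4 address, the IPv6 address and the instance-data hostname are the AWS-documented IMDS endpoints.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names the campaign rotated through, and the addresses/hostname
# under which AWS exposes the instance metadata service (IMDS).
SUSPECT_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254", "instance-data"}
# Request line inside a combined-format access log: "METHOD PATH HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def _target_host(value: str) -> str:
    """Hostname the server would connect to if it fetched this parameter value."""
    value = unquote(value)  # parse_qsl decoded once; undo a second encoding layer
    if value.startswith("//"):  # scheme-relative URL
        value = "http:" + value
    elif "://" not in value:  # bare host or host/path
        value = "http://" + value
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:  # malformed host, e.g. mismatched IPv6 brackets
        return ""

def ssrf_metadata_probes(log_lines):
    """Return (line_no, param_name, host) for every request that passes an
    IMDS URL through one of the watched query parameters."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQ_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("path")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            host = _target_host(value)
            if name.lower() in SUSPECT_PARAMS and host in IMDS_HOSTS:
                hits.append((line_no, name, host))
    return hits

# Constructed sample log lines (not real traffic); lines 1, 2 and 4 are probes.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [15/Mar/2025:10:01:05 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 220',
    '198.51.100.7 - - [15/Mar/2025:10:02:00 +0000] "GET /fetch?url=https://example.com/feed.xml HTTP/1.1" 200 8012',
    '203.0.113.11 - - [15/Mar/2025:10:03:00 +0000] "GET /preview?redirect=//169.254.169.254/latest/meta-data/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, name, host in ssrf_metadata_probes(SAMPLE_LOG):
        print(f"line {line_no}: parameter '{name}' targets IMDS host {host}")
```

    Feed it your real access log (one line per list entry) to get the line numbers worth pulling into an investigation; the parameter set is deliberately the six names the campaign used and should be widened for your own applications.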


    The attacks worked because the vulnerable instances were running IMDSv1, the older version of AWS's metadata service, which answers any HTTP request that reaches it from the instance, including one a web application was tricked into making, and returns the metadata together with any stored IAM credentials. It has since been superseded by IMDSv2, which requires a session token (obtained with a PUT request) before any metadata is returned, a step that a typical SSRF primitive controlling only the URL of a GET cannot perform, which is what protects websites from these SSRF attacks.
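    An added example, not from the article: a Python audit over a DescribeInstances-shaped response that reports instances still accepting IMDSv1 and produces the ModifyInstanceMetadataOptions arguments that would enforce IMDSv2. The instance data below is constructed, and the field names are those of the EC2 API.

```python
from typing import Dict, List

# Target state: IMDSv2 only. HttpTokens=required refuses any request that
# lacks a session token, and a token can only be minted with a PUT request,
# which a typical SSRF primitive that merely controls a GET URL cannot issue.
# A hop limit of 1 keeps the PUT response from crossing a network hop;
# containerised apps behind a bridge network may legitimately need 2.
IMDSV2_ONLY = {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}

def audit_metadata_options(describe_response: Dict) -> List[Dict]:
    """Walk a DescribeInstances-shaped response and report instances that still
    accept IMDSv1, together with the ModifyInstanceMetadataOptions arguments
    that would enforce IMDSv2."""
    findings = []
    for reservation in describe_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service switched off: nothing to exfiltrate
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 permitted (HttpTokens=optional)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                problems.append("HttpPutResponseHopLimit>1: token response may cross a network hop")
            if problems:
                findings.append({"InstanceId": inst["InstanceId"], "Problems": problems,
                                 "Fix": {"InstanceId": inst["InstanceId"], **IMDSV2_ONLY}})
    return findings

# Constructed sample (instance IDs are made up, not from any real account).
SAMPLE_DESCRIBE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0cccccccccccccccc",
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled", "HttpPutResponseHopLimit": 1}},
]}]}

if __name__ == "__main__":
    for finding in audit_metadata_options(SAMPLE_DESCRIBE):
        print(finding["InstanceId"], "->", "; ".join(finding["Problems"]))
        # With boto3 the remediation call is:
        # ec2.modify_instance_metadata_options(**finding["Fix"])
```

    Pass the output of a real describe_instances() call in place of SAMPLE_DESCRIBE to audit an account; the Fix dictionary is shaped so it can be splatted straight into the boto3 remediation call.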


    In a broader context, these attacks were highlighted in a March 2025 threat trends report where F5 Labs documented the most exploited vulnerabilities for the past month. The top four most exploited CVEs by volume were: CVE-2017-9841 – PHPUnit remote code execution via eval-stdin.php (69,433 attempts), CVE-2020-8958 – Guangzhou ONU OS command injection RCE (4,773 attempts), CVE-2023-1389 – TP-Link Archer AX21 command injection RCE (4,698 attempts), and CVE-2019-9082 – ThinkPHP PHP injection RCE (3,534 attempts). These attacks demonstrate the ongoing threat of older vulnerabilities and the importance of applying security updates to prevent exploitation.


    In conclusion, the recent attack on AWS EC2 instances highlights the importance of monitoring for SSRF vulnerabilities and applying timely security patches. As organizations continue to rely on cloud services like AWS, it is essential to stay vigilant and proactive in addressing emerging threats. Furthermore, this incident underscores the need for more robust security measures, including regular vulnerability assessments and penetration testing.


    To mitigate these risks, we recommend that organizations take the following steps:

    1. Regularly review and apply security updates to ensure all dependencies are patched.
    2. Implement robust monitoring and detection tools to identify potential SSRF vulnerabilities.
    3. Harden router and IoT device configurations to prevent exploitation.
    4. Replace End-of-Life (EoL) networking equipment with supported models.


    By taking these steps, organizations can significantly reduce the risk of being targeted by such attacks and protect their sensitive data and resources from falling into the wrong hands.





    Related Information:
  • https://www.ethicalhackingnews.com/articles/Exposing-the-Shadows-A-Detailed-Analysis-of-a-Coordinated-Attack-on-AWS-EC2-Instances-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-target-ssrf-bugs-in-ec2-hosted-sites-to-steal-aws-credentials/


  • Published: Wed Apr 9 18:18:11 2025 by llama3.2 3B Q4_K_M