Attack

Hacking campaign targets Amazon EC2 instance metadata via SSRF

Take action: For EC2 instances on AWS, migrate from IMDSv1 to IMDSv2 to prevent easy SSRF attacks that could expose your metadata and credentials. Monitor your web applications for vulnerabilities, and block external requests to internal IPs (like 169.254.169.254).


Learn More

F5 Labs researchers have uncovered a targeted campaign exploiting Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances. 

This attack targets EC2 Instance Metadata to extract sensitive information, including Identity and Access Management (IAM) credentials from IMDSv1 endpoints. The campaign was active between March 13 and March 25, 2025, with behavioral patterns and traffic analysis strongly suggesting operations by a single threat actor.

The attack exploited SSRF vulnerabilities, which allow attackers to manipulate servers into making HTTP requests to internal resources on their behalf. Attackers identified EC2-hosted websites with SSRF flaws and used them to remotely query internal EC2 Metadata URLs, gaining access to sensitive configuration data.

EC2 Instance Metadata is a service that provides virtual machines running on AWS with information about their configuration, network settings, and security credentials. This data is normally only accessible by the virtual machine itself through special internal IP addresses like http://169.254.169.254/latest/meta-data/.

The initial reconnaissance activity was detected on March 13, 2025, from a single IP address (193.41.206.72). Full-scale exploitation began on March 15, with the attackers systematically rotating through multiple IP addresses, all belonging to the same ASN (34534) owned by French company "FBW NETWORKS SAS," though the addresses were geographically located in both France and Romania.

During the attack period, the threat actors used six different query parameter variations (dest, file, redirect, target, uri, url) combined with four different metadata subpaths to maximize their chances of success:

  • /meta-data/
  • /meta-data/iam/security-credentials/
  • /meta-data/iam/security-credentials/admin-role
  • /user-data

The attacks were successful against systems running IMDSv1, AWS's older metadata service that lacks authentication requirements, making it vulnerable to SSRF attacks. IMDSv2, which has replaced IMDSv1, requires session tokens for authentication, which would have prevented this type of attack.

Successful exploitation of these vulnerabilities could allow attackers to:

  • Retrieve IAM credentials
  • Escalate privileges within AWS environments
  • Access S3 buckets and other AWS services
  • Expose sensitive data
  • Manipulate cloud resources
  • Disrupt services

To protect against these threats, organizations should:

  1. Migrate from IMDSv1 to IMDSv2, which requires attackers to supply a secret via a custom header (X-aws-ec2-metadata-token)
  2. Apply WAF rules to block requests containing "169.254.169.254," which should not appear in legitimate traffic
  3. Scan environments for vulnerabilities regularly and patch high-priority vulnerabilities
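
To support the monitoring and WAF advice above, the following added example (not code from F5 Labs or from this article) scans web access-log lines for query parameters whose decoded value contains the metadata address, and rates requests for the credentials subpath as high severity. The log format, the sample lines, the severity labels and the function name `find_imds_probes` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the write-up above: parameter names and metadata subpaths.
SUSPECT_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}
IMDS_HOST = "169.254.169.254"
CREDENTIAL_PATH = "/meta-data/iam/security-credentials/"

# Request part of a Common Log Format line: client IP ... "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def find_imds_probes(log_lines):
    """Return one finding per query parameter whose decoded value names the IMDS address."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable access-log line
        query = urlsplit(match.group("target")).query
        # parse_qsl percent-decodes names and values once, so encoded URLs still match.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if IMDS_HOST not in value:
                continue
            findings.append({
                "client": match.group("ip"),
                "param": name,
                # False means the address arrived in a parameter outside the reported six.
                "known_param": name.lower() in SUSPECT_PARAMS,
                "severity": "high" if CREDENTIAL_PATH in value else "medium",
                "value": value,
            })
    return findings


# Constructed sample lines (documentation-range client IPs, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2025:10:00:01 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 312',
    '203.0.113.11 - - [15/Mar/2025:10:00:05 +0000] "GET /view?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 48',
    '198.51.100.7 - - [15/Mar/2025:10:01:00 +0000] "GET /search?q=ec2+metadata&url=https://example.com/ HTTP/1.1" 200 1024',
    '203.0.113.12 - - [15/Mar/2025:10:02:00 +0000] "GET /proxy?src=http://169.254.169.254/latest/user-data HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in find_imds_probes(SAMPLE_LOG):
        print(f["severity"], f["client"], f["param"], f["value"])
```

A finding with `known_param` set to false still deserves review, since the metadata address should not appear in legitimate request parameters at all.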