![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Blue Archive tier list [April 2025]](https://media.pocketgamer.com/artwork/na-33404-1636469504/blue-archive-screenshot-2.jpg?#)
.png?#)
-Baldur’s-Gate-3-The-Final-Patch---An-Animated-Short-00-03-43.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Apple to Split Enterprise and Western Europe Roles as VP Exits [Report]](https://www.iclarified.com/images/news/97032/97032/97032-640.jpg)
![Alleged Pixel 10 series wallpapers leak with vibrant colors and a strange new theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/pixel-10-wallpaper-leak-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Nanoleaf Announces New Pegboard Desk Dock With Dual-Sided Lighting [Video]](https://www.iclarified.com/images/news/97030/97030/97030-640.jpg)
![Apple's Foldable iPhone May Cost Between $2100 and $2300 [Rumor]](https://www.iclarified.com/images/news/97028/97028/97028-640.jpg)
Hackers Exploiting EC2 Instance Metadata Vulnerability to Attacks Websites Hosted
A newly uncovered campaign targeting websites hosted on Amazon EC2 instances has raised alarms across the cybersecurity community. Since mid-March 2025, threat actors have been exploiting a combination of Server-Side Request Forgery (SSRF) vulnerabilities and Amazon’s EC2 Instance Metadata Service (IMDSv1) to steal sensitive credentials, enabling unauthorized access to cloud resources. This attack vector, while […] The post Hackers Exploiting EC2 Instance Metadata Vulnerability to Attacks Websites Hosted appeared first on Cyber Security News.
A newly uncovered campaign targeting websites hosted on Amazon EC2 instances has raised alarms across the cybersecurity community.
Since mid-March 2025, threat actors have been exploiting a combination of Server-Side Request Forgery (SSRF) vulnerabilities and Amazon’s EC2 Instance Metadata Service (IMDSv1) to steal sensitive credentials, enabling unauthorized access to cloud resources.
This attack vector, while technically straightforward, highlights critical risks in misconfigured cloud environments.
The campaign begins with hackers probing web applications for SSRF flaws, which allow them to route malicious HTTP requests to internal systems.
By targeting the IMDSv1 endpoint (169.254.169.254), attackers extract temporary AWS security credentials tied to the EC2 instance’s Identity and Access Management (IAM) role.
These credentials can grant access to S3 buckets, databases, and other cloud services, escalating privileges within the victim’s environment.
F5 Labs researchers first detected anomalous activity on March 13, 2025, with a surge in exploitation attempts peaking between March 15 and March 25.
The attackers used a consistent pattern of HTTP GET requests across six parameters (url, dest, file, redirect, target, and uri) to trigger SSRF. For example:-
GET /?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/admin-role HTTP/1.1
Host: vulnerable-website.com This request retrieves IAM role credentials, which attackers then leverage for lateral movement.
The campaign infrastructure traced back to ASN 34534 (owned by French entity FBW NETWORKS SAS) revealed uniformly configured hosts with OpenSSH 9.2 and Kubernetes-related ports, suggesting orchestrated botnet activity.
.webp)
Exploitation Mechanism: Bridging SSRF and IMDSv1
The attack hinges on two weaknesses: SSRF flaws in web applications and IMDSv1’s lack of authentication. IMDSv1, a legacy service, exposes metadata via unauthenticated HTTP requests.
When combined with SSRF—a flaw where a server fetches unauthorized URLs—attackers bypass network restrictions to query the metadata service.
As AWS documentation warns, IMDSv1 “is not protected by authentication,” making it susceptible to exploitation if applications inadvertently forward requests to it.
F5’s telemetry showed attackers targeting four subpaths, including /meta-data/iam/security-credentials/ and /user-data, to harvest credentials and instance configurations.
Successful breaches often lead to cryptocurrency mining, data exfiltration, or further compromise of cloud assets.
To mitigate risks, organizations should transition to IMDSv2, which requires session tokens for metadata access, and deploy web application firewalls (WAFs) to block requests to 169.254.169.254.
F5’s report underscores the urgency of patching SSRF vulnerabilities and auditing IAM roles to minimize overprivileged access.
Equip your team with real-time threat analysis With ANY.RUN’s interactive cloud sandbox -> Try 14-day Free Trial
The post Hackers Exploiting EC2 Instance Metadata Vulnerability to Attacks Websites Hosted appeared first on Cyber Security News.
