Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity peaked between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
Campaign overview
SSRF bugs are web flaws that enable attackers to "trick" a server into making HTTP requests on their behalf to internal resources that the attacker cannot otherwise reach.
In the campaign observed by F5, the attackers located websites hosted on EC2 with SSRF flaws, allowing them to remotely query the internal EC2 Metadata URLs and receive sensitive data.
EC2 Metadata is a service in Amazon EC2 (Elastic Compute Cloud) that provides information about a virtual machine running on AWS. This information can include configuration details, network settings, and potentially, security credentials.
This metadata service is only reachable from inside the virtual machine, by connecting to special link-local URLs such as http://169.254.169.254/latest/meta-data/.
The first malicious SSRF probe was logged on March 13, but the campaign escalated to full scale between March 15 and 25, employing several FBW Networks SAS IPs based in France and Romania.
During this time, the attackers rotated six query parameter names (dest, file, redirect, target, URI, URL) and four subpaths (e.g., /meta-data/, /user-data), showing a systematic approach to exfiltrating sensitive data from vulnerable sites.
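The parameter-name rotation and metadata subpaths described above give defenders a concrete signature to hunt for in web server access logs. The following Python script is an added example (not part of the F5 Labs report or BleepingComputer's article) that scans combined-format log lines for requests whose dest/file/redirect/target/uri/url parameter points at the EC2 metadata endpoint, URL-decoding the value first; the log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Parameter names rotated in the campaign (matched case-insensitively).
SSRF_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}

# Indicators that a supplied URL targets the EC2 metadata service.
IMDS_HOST = "169.254.169.254"
IMDS_PATHS = ("/latest/meta-data/", "/latest/user-data", "/latest/dynamic/")

# Apache/nginx combined log format: ip - - [timestamp] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines: three probes from one source IP, two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [15/Mar/2025:10:01:05 +0000] "GET /fetch?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 244',
    '198.51.100.7 - - [15/Mar/2025:10:02:00 +0000] "GET /fetch?url=https://example.org/feed.xml HTTP/1.1" 200 8192',
    '198.51.100.8 - - [15/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.10 - - [15/Mar/2025:10:04:00 +0000] "GET /proxy?TARGET=/latest/meta-data/ HTTP/1.1" 403 0',
]


def points_at_imds(value):
    """True if a parameter value (possibly percent-encoded) targets the metadata endpoint."""
    v = unquote(unquote(value)).lower()  # peel up to two layers of percent-encoding
    if IMDS_HOST in v:
        return True
    return any(p in v for p in IMDS_PATHS)


def inspect_request(path):
    """Return (param, decoded value) pairs in a request path that look like SSRF-to-IMDS probes."""
    parsed = urlparse(path)
    hits = []
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        if name.lower() in SSRF_PARAMS and points_at_imds(value):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Parse each log line and collect requests containing IMDS-targeting parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = inspect_request(m.group("path"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "hits": hits,
            })
    return findings


def summarize_by_ip(findings):
    """Count probes per source IP; a single IP rotating parameters is the pattern F5 described."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['hits']}")
    print("probes per IP:", summarize_by_ip(results))
```

A 200 response to such a request is the most important signal: it means the application relayed the request and the metadata (possibly including IAM credentials) was returned to the client, so the credentials for that instance role should be treated as compromised and rotated.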
The attacks worked because the vulnerable instances were running IMDSv1, AWS's older metadata service, which hands the metadata, including any stored IAM credentials, to any plain HTTP request that reaches it from the instance.
IMDSv1 has been superseded by IMDSv2, which requires a session token (an authentication step) on every request, protecting instances behind SSRF-vulnerable websites.
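The practical mitigation is to find every instance whose metadata endpoint still accepts token-less (IMDSv1) requests and switch it to IMDSv2-only. The Python script below is an added example, not code from F5 Labs or AWS: it reads JSON in the shape returned by `aws ec2 describe-instances` (the `MetadataOptions` block with `HttpTokens` and `HttpEndpoint`), flags instances that are exposed, and emits the corresponding `aws ec2 modify-instance-metadata-options` commands. The instance IDs and the sample JSON are constructed; the region is an assumed parameter.

```python
import json

# Constructed sample modelled on `aws ec2 describe-instances` output.
# HttpTokens "optional" means IMDSv1 requests are still accepted; "required" enforces IMDSv2.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbb222example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ccc333example",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "disabled"}},
        ]}
    ]
})


def find_imdsv1_instances(describe_json):
    """Return IDs of instances whose metadata endpoint is enabled but does not require a token."""
    data = json.loads(describe_json)
    exposed = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # An instance with the endpoint disabled cannot serve metadata at all,
            # so only enabled endpoints with HttpTokens != "required" are exposed.
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def remediation_commands(instance_ids, region="us-east-1"):
    """Build the AWS CLI calls that enforce IMDSv2 on each exposed instance (region is assumed)."""
    return [
        f"aws ec2 modify-instance-metadata-options --region {region} "
        f"--instance-id {iid} --http-tokens required --http-endpoint enabled"
        for iid in instance_ids
    ]


if __name__ == "__main__":
    exposed = find_imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES)
    print("instances still accepting IMDSv1:", exposed)
    for cmd in remediation_commands(exposed):
        print(cmd)
```

Before enforcing `--http-tokens required` fleet-wide, confirm that the software on each instance (SDKs, agents, bootstrap scripts) already speaks IMDSv2, since anything still relying on token-less GET requests will lose access to the metadata once the switch is made.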
Broader exploitation activity
These attacks were highlighted in a March 2025 threat trends report where F5 Labs documented the most exploited vulnerabilities for the past month.
The top four most exploited CVEs by volume were:
- CVE-2017-9841 – PHPUnit remote code execution via eval-stdin.php (69,433 attempts)
- CVE-2020-8958 – Guangzhou ONU OS command injection RCE (4,773 attempts)
- CVE-2023-1389 – TP-Link Archer AX21 command injection RCE (4,698 attempts)
- CVE-2019-9082 – ThinkPHP PHP injection RCE (3,534 attempts)

The report underlines that older vulnerabilities remain highly targeted, with 40% of exploited CVEs being over four years old.
To mitigate the threats, it is recommended to apply the available security updates, harden router and IoT device configurations, and replace EoL networking equipment with supported models.