Amazon EC2 Users Targeted by SSRF Attacks Exploiting Instance Metadata

Amazon Elastic Compute Cloud (EC2) customers have been targeted in a campaign using server-side request forgery (SSRF) to steal EC2 instance metadata from unsecured websites. According to F5 Labs, the malicious activities occurred between March 13 and March 25, aiming to exploit websites hosted on EC2 instances with misconfigured metadata settings. SSRF enables attackers to manipulate server requests to gain unauthorized access to resources.

The Amazon EC2 Instance Metadata Service (IMDS) provides vital metadata for tasks such as connections to external applications. AWS warns that this metadata, encompassing instance IDs, IP addresses, and IAM credentials, lacks authentication or cryptographic protection, making it reachable to anyone with direct instance access.

The campaign originated from multiple IP addresses linked to the same autonomous system number (ASN) belonging to “FBW NETWORKS SAS,” based in France, with IP addresses in both France and Romania, suggesting coordination by a single threat actor. The attackers deployed GET requests targeting metadata endpoints and focused on metadata categories, user data, IAM credentials, and IAM admin credentials.

F5 indicated that the campaign did not exploit any specific CVE (Common Vulnerabilities and Exposures) but targeted SSRF-vulnerable sites. Users are advised to migrate from IMDSv1 to IMDSv2, which mandates a secret provided via a custom header to access metadata, significantly mitigating such attacks. Alternatively, IMDSv1 users can apply WAF rules to block requests containing the IP address 169.254.169.254, which is the address of the IMDS endpoint.
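The WAF advice above can also be applied after the fact to web access logs. The following Python example is added here for illustration and is not code from F5 or AWS: it percent-decodes each request target, checks it for the IMDS address, and labels which of the categories the article lists (metadata, user data, IAM credentials) the request asked for. The log format, the category labels, the application routes and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

IMDS_ADDR = "169.254.169.254"  # IMDS endpoint address named in the article
# Documented IMDS paths, most specific first; the labels are this example's own.
CATEGORIES = [
    ("/meta-data/iam/security-credentials", "iam-credentials"),
    ("/user-data", "user-data"),
    ("/meta-data", "metadata"),
]
# Assumed log format: combined access log, client IP first, quoted request line.
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(value, max_rounds=3):
    """Percent-decode until stable, so an encoded address is still matched."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, category) if the request target names IMDS, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    client, target = match.group(1), fully_unquote(match.group(2))
    if IMDS_ADDR not in target:
        return None
    tail = target.split(IMDS_ADDR, 1)[1]
    for path, label in CATEGORIES:
        if path in tail:
            return client, label
    return client, "other"

def scan(lines):
    """Classify every line and keep only the IMDS-referencing requests."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: documentation IP ranges, hypothetical app routes.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "GET /proxy?dest=http%3A%2F%2F169.254.169.254%2Flatest%2Fuser-data HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Jan/2024:10:02:11 +0000] "GET /img?src=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 40',
    '192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit with a 200 status on an instance that still accepts IMDSv1 is the case to prioritize for review, since that is the configuration the campaign depended on.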

This incident underscores the urgent need for securing instance metadata to prevent unauthorized access. The trend shows an increase in sophisticated attackers targeting misconfigured cloud resources, highlighting the necessity for continuous monitoring and proactive security measures.

Securing instance metadata by transitioning to IMDSv2 and implementing security measures like WAF rules is crucial. The campaign is a reminder of the vulnerabilities in cloud environments and the continuous effort needed to maintain robust security.
