Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
Published on: 2025-05-06 02:58:59
A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity culminated between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
Campaign overview
SSRF vulnerabilities are web flaws that let attackers "trick" a server into making HTTP requests on their behalf to internal resources that the attackers usually cannot reach directly.
In the campaign observed by F5, the attackers located websites hosted on EC2 with SSRF flaws, allowing
...