Hackers attempted to steal AWS credentials using SSRF flaws within hosted sites
“This fully mitigates exposure of EC2 Metadata via SSRF as SSRF vulnerabilities do not generally expose the ability to specify headers, and an attacker would need to determine the secret in addition,” the researchers added.
Additionally, users are advised to consider applying WAF rules at the affected endpoint to block requests from flagged IP addresses or requests containing “169.254.169.254”, the internal IP used by AWS (as well as Azure and Google Cloud) to serve Instance Metadata to EC2 instances.
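As an added illustration of the WAF-style check described above (this is example code, not code from the article or the researchers), the following Python script runs that rule over a few constructed access-log lines: it flags requests from the campaign's source IPs and requests whose query parameters carry a URL pointing at the metadata address, comparing parsed addresses rather than raw substrings so URL-encoded forms and explicit ports are still caught.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Link-local address that AWS, Azure and Google Cloud use to serve instance metadata.
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Source addresses the article attributes to the campaign (reconnaissance and main phase).
FLAGGED_SOURCES = {"193.41.206.72", "193.41.206.189"}

# Constructed combined-format access-log lines (year assumed); not taken from the article.
SAMPLE_LOG = """\
193.41.206.189 - - [15/Mar/2025:10:01:02 +0000] "GET /fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2025:10:01:03 +0000] "GET /fetch?url=https://example.org/feed.xml HTTP/1.1" 200 2048
203.0.113.9 - - [15/Mar/2025:10:02:10 +0000] "GET /proxy?target=http%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200 300
198.51.100.7 - - [15/Mar/2025:10:03:00 +0000] "POST /export?dest=http://10.0.0.8/ HTTP/1.1" 200 88
193.41.206.72 - - [13/Mar/2025:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def targets_metadata(value: str) -> bool:
    """True if a (already URL-decoded) parameter value is a URL whose host is the
    metadata address. Comparing parsed addresses instead of substrings avoids false
    positives such as 169.254.169.2540 and still matches when a port is given."""
    host = urlsplit(value).hostname
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) == METADATA_IP
    except ValueError:
        return False


def flag_requests(log_text: str):
    """Return (source_ip, request_path, reason) for every request the rule would block."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        src, path = m["src"], m["path"]
        reasons = []
        if src in FLAGGED_SOURCES:
            reasons.append("flagged source IP")
        # parse_qsl percent-decodes values, so encoded forms of the address are seen too
        params = parse_qsl(urlsplit(path).query, keep_blank_values=True)
        if any(targets_metadata(v) for _, v in params):
            reasons.append("metadata endpoint in parameter")
        if reasons:
            hits.append((src, path, ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for src, path, reason in flag_requests(SAMPLE_LOG):
        print(f"BLOCK {src} {path} ({reason})")
```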
Threat actors conducted initial reconnaissance on March 13 from IP 193.41.206.72, researchers added. The main campaign began two days later from IP 193.41.206.189, cycling through multiple IPs within the same ASN over six days, before tapering off and ending by March 25. “All IP addresses in the campaign belong to the ASN:34534. This ASN is owned by a French company ‘FBW NETWORKS SAS’, even though geographically the IPs are based in both France and Romania.”