Stricter WAF and switching to IMDSv2 can help: The first and foremost remediation F5 researchers said users should apply is migrating to IMDSv2 from IMDSv1. Post-migration, an attacker would be required to supply a secret via a custom header (X-aws-ec2-metadata-token) for successful exploitation.”This fully mitigates exposure of EC2 Metadata via SSRF as SSRF vulnerabilities do not generally expose the ability to specify headers, and an attacker would need to determine the secret in addition,” the researchers added.Additionally, users are advised to consider applying WAF rules, at the concerned endpoint, to disallow requests from flagged IP addresses or the ones with “169.254.169.254” which is the internal IP used by AWS (as well as Azure and Google Cloud) to serve Instance Metadata to EC2 instances.Threat actors conducted initial reconnaissance on March 13 from IP 193.41.206.72, researchers added. The main campaign began two days later from IP 193.41.206.189, cycling through multiple IPs within the same ASN over six days, before tapering off and ending by March 25. “All IP addresses in the campaign belong to the ASN:34534. This ASN is owned by a French company “FBW NETWORKS SAS”, even though geographically the IPs are based in both France and Romania.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3959148/hackers-attempted-to-steal-aws-credentials-using-ssrf-flaws-within-hosted-sites.html
