Researchers have recently discovered a new method of fully mitigating the exposure of EC2 Metadata via SSRF, a vulnerability that does not typically allow attackers to specify headers. According to the researchers, an attacker would also need to determine the secret in addition to exploiting the SSRF vulnerability. This finding provides valuable insights into how organizations can better protect their data and mitigate potential risks associated with SSRF attacks.
In addition to the mitigation technique, users are strongly advised to consider implementing WAF rules at the endpoint in question. These rules can block requests that come from flagged IP addresses or that contain “169.254.169.254,” the internal IP address that AWS, Azure, and Google Cloud use to serve instance metadata to virtual machines such as EC2 instances. By implementing these WAF rules, organizations can further enhance their security posture and reduce the likelihood of falling victim to SSRF attacks.
The threat actors behind this campaign conducted initial reconnaissance on March 13 from IP address 193.41.206.72. The main campaign began two days later from IP address 193.41.206.189. Over the course of six days, the threat actors cycled through multiple IP addresses within the same ASN before tapering off and concluding the campaign by March 25. All IP addresses involved in the campaign belong to ASN 34534, which is owned by a French company called “FBW NETWORKS SAS.” Although the IPs are geographically located in France and Romania, they all fall under this one ASN.
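The WAF rule and the campaign addresses described above can also be applied retrospectively to web access logs. The following Python sketch is an added example, not code from the researchers: it reports which endpoint and query parameter carried the metadata address and whether the client is one of the two source IPs named above. The log lines, the `/fetch` and `/proxy` paths, and the `url` and `target` parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

METADATA_IP = "169.254.169.254"
# Source addresses named in the campaign description above.
FLAGGED_SOURCES = {"193.41.206.72", "193.41.206.189"}

# Common/combined log format: client IP first, request line in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (hypothetical endpoints and parameters, placeholder timestamps).
SAMPLE_LOG = [
    '193.41.206.72 - - [01/Jan/2000:00:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '193.41.206.189 - - [01/Jan/2000:00:00:01 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312',
    '198.51.100.10 - - [01/Jan/2000:00:00:02 +0000] "GET /proxy?target=http://169.254.169.254/&x=1 HTTP/1.1" 403 0',
    '198.51.100.11 - - [01/Jan/2000:00:00:03 +0000] "GET /fetch?url=https://example.com/logo.png HTTP/1.1" 200 2048',
    'not a log line',
]

def findings(lines):
    """Return one record per request that matches either condition of the rule."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes names and values before we compare them.
        params = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
                  if METADATA_IP in value or METADATA_IP in name]
        flagged = m["src"] in FLAGGED_SOURCES
        if params or flagged:
            out.append({
                "src": m["src"],
                "path": url.path,
                "params": params,            # parameters that carried the metadata IP
                "flagged_source": flagged,   # client is a known campaign address
                "status": int(m["status"]),  # 2xx here deserves the closest review
            })
    return out

if __name__ == "__main__":
    for record in findings(SAMPLE_LOG):
        print(record)
```

Records with a non-empty `params` list identify the endpoints that accept a URL from the client, which is where the WAF rule and the mitigation need to be verified first.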
This discovery sheds light on the sophisticated tactics employed by threat actors to exploit vulnerabilities such as SSRF. By analyzing the timeline and IP addresses associated with the campaign, researchers can gain a better understanding of the methodologies used by malicious actors to carry out attacks. Furthermore, the identification of the ASN responsible for these IP addresses provides valuable intelligence that can be used to track and potentially disrupt future cyber threats originating from the same source.
Overall, the research findings underscore the importance of implementing robust security measures to protect against SSRF vulnerabilities and other cyber threats. By staying vigilant and proactive in their defense strategies, organizations can effectively safeguard their sensitive data and mitigate the risk of falling victim to malicious attacks. The collaborative efforts of researchers and cybersecurity professionals play a critical role in identifying and addressing emerging threats, ultimately contributing to a safer and more secure digital environment for all stakeholders.