Amazon EC2 instance metadata targeted in SSRF attacks

April 10, 2025



Amazon Elastic Compute Cloud (EC2) customers were targeted in a campaign last month that used server-side request forgery (SSRF) to attempt to steal exposed EC2 instance metadata from vulnerable websites, according to F5 Labs.

The Amazon EC2 Instance Metadata Service (IMDS) lets software running on an instance retrieve metadata needed for certain tasks, such as connecting to external applications, at runtime without using the Amazon EC2 console or the Amazon Web Services (AWS) command-line interface. AWS warns that instance metadata is not protected by authentication or cryptography, meaning "anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata."

EC2 instance metadata can include sensitive information such as the instance ID and IP address and, for instances with an attached role, temporary Identity and Access Management (IAM) role credentials, which an attacker can use to call AWS APIs with the instance's permissions.

The attack campaign was conducted from multiple IP addresses between March 13 and March 25, targeting websites hosted on EC2 instances that had inadvertently left their instance metadata reachable. F5 noted that the activity was not tied to a particular CVE but affected sites that were vulnerable to SSRF, that is, sites that fetch whatever URL a request parameter supplies.

All of the IP addresses involved in the attack came from the same autonomous system number (ASN), suggesting a single threat actor was behind all the malicious requests. The ASN was owned by a French company called "FBW NETWORKS SAS", with IP addresses geographically located in France and Romania, according to F5.

The attacker made GET requests targeting specific instance metadata, for example "/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/". The IPv4 address 169.254.169.254 is the link-local IMDS endpoint from which EC2 instances retrieve instance metadata; the path /latest/meta-data/iam/security-credentials/ lists the IAM role attached to the instance, and appending the role name returns its temporary access key, secret key and session token.

The threat actor used six different parameters (dest, file, redirect, target, uri and url) and four different subpaths (targeting metadata, user data, IAM credentials and IAM admin credentials) in the flurry of requests, which numbered in the tens of thousands over the course of the campaign.

There are two versions of IMDS that can be used to retrieve EC2 instance metadata: IMDSv1 and IMDSv2. F5 recommends that users of IMDSv1 migrate to IMDSv2, which F5 says fully mitigates this type of attack: IMDSv2 requires the caller to first obtain a session token with an HTTP PUT request and then present it in the X-aws-ec2-metadata-token header on every metadata request. A typical SSRF flaw only lets the attacker control the URL of a GET request, so the attacker can neither perform the PUT nor set the header. IMDSv2 can be enforced per instance by setting the instance's HttpTokens metadata option to "required" (for example with aws ec2 modify-instance-metadata-options --http-tokens required); SSRF primitives that give the attacker full control over the request method and headers are not stopped by this and still need the underlying flaw fixed.

IMDSv1 users can also consider applying web application firewall (WAF) rules blocking requests containing 169.254.169.254, which would not typically appear in legitimate requests from outside the instance, F5 noted. Such a rule is defense in depth only: the literal string is easy to evade with alternative IP encodings (bare decimal or hexadecimal forms of the same address), the IPv6 IMDS endpoint fd00:ec2::254, or a redirect through an attacker-controlled host, and it does nothing about the SSRF bug itself.

SC Media reached out to F5 and AWS for more information but did not receive responses by time of publishing.
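The following is an added example, not code from the article or from F5 Labs. It scans constructed web-server access log lines for the probe pattern described above (the six abused query parameters and URLs whose host resolves to the IMDS endpoint) and contrasts that with a naive WAF match on the literal string 169.254.169.254. The log lines, client addresses and the decimal/hexadecimal/IPv6 host encodings are assumptions chosen to illustrate evasion; the parameter names and paths follow the article.

```python
"""Detect SSRF probes aimed at the EC2 Instance Metadata Service in web logs.

Added example (not part of the article or the F5 Labs report). The sample log
lines below are constructed; parameter names follow the campaign description.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the campaign abused, per the article.
SSRF_PARAMS = {"dest", "file", "redirect", "target", "uri", "url"}

# IPv4 and IPv6 addresses of the EC2 IMDS endpoint.
IMDS_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Combined log format, trimmed to the fields this example needs (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: three IMDS probes (three host encodings), two benign.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Mar/2025:08:01:12 +0000] "GET /?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [14/Mar/2025:08:01:13 +0000] "GET /?redirect=http%3A%2F%2F2852039166%2Flatest%2Fuser-data HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [14/Mar/2025:08:01:14 +0000] "GET /fetch?target=http://[fd00:ec2::254]/latest/meta-data/ HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [14/Mar/2025:08:02:00 +0000] "GET /?url=https://example.com/feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [14/Mar/2025:08:02:05 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def normalize_host(host):
    """Return the IP address a host literal would actually connect to, or None
    for a DNS name. Accepts dotted-quad and IPv6 literals plus the bare decimal
    and hexadecimal forms (e.g. 2852039166, 0xa9fea9fe) used to slip past
    string-matching filters."""
    h = host.strip("[]")
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        pass
    try:
        if h.lower().startswith("0x"):
            return ipaddress.IPv4Address(int(h, 16))
        if h.isdigit():
            return ipaddress.IPv4Address(int(h))
    except ValueError:
        pass
    return None


def is_imds_target(value):
    """True if a parameter value points at the IMDS endpoint in any encoding."""
    v = unquote(value)
    if "://" not in v:          # scheme-less payloads such as 169.254.169.254/latest/...
        v = "//" + v
    host = urlsplit(v).hostname
    if host is None:
        return False
    return normalize_host(host) in IMDS_ADDRS


def is_credential_path(path):
    """True for the path that exposes IAM role credentials."""
    return "/iam/security-credentials" in path


def scan_log(lines):
    """Return (client_ip, param, decoded_url, imds_path) for every IMDS probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param.lower() not in SSRF_PARAMS:
                continue
            for v in values:
                if is_imds_target(v):
                    decoded = unquote(v)
                    hits.append((m.group("ip"), param, decoded, urlsplit(decoded).path))
    return hits


def naive_waf_blocks(line):
    """The literal-string WAF rule: catches only the dotted-quad encoding."""
    return "169.254.169.254" in line


if __name__ == "__main__":
    for ip, param, url, path in scan_log(SAMPLE_LOG):
        sev = "HIGH" if is_credential_path(path) else "MEDIUM"
        print(f"{sev} {ip} param={param} -> {url}")
    print("naive WAF hits:", sum(naive_waf_blocks(l) for l in SAMPLE_LOG), "of 3 probes")
```

Run stand-alone, the script reports all three probes from the sample while the literal-string rule flags only the first, which is the practical argument for enforcing IMDSv2 rather than relying on a WAF pattern.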


