Tags
Cloud
ATT&CK Tactic
Credential Access (TA0006)
Incidents
ScarletEel campaign (Feb ‘23), ScarletEel campaign (July ‘23), SilentBob cryptomining campaign, From PHP exploitation to AWS lateral movement, Misconfigured firewall to cryptojacking botnet, Capital One incident (March 2019), UNC2903 campaigns, SQL Server to cloud lateral movement, From PHP vuln to Sliver execution via cron, From web app exploitation to Chisel tunneling, Commando Cat campaign, Hugging Face cross-tenant access, US DoD NIPRNet access via Atlassian SSRF
Last edited
Jan 15, 2024 2:41 PM
Status
Featured
Applications running on virtual machines in cloud environments rely on the Instance Metadata Service (IMDS) to receive temporary cloud credentials for the instance's service account or role. When threat actors gain initial access to a VM, they often abuse this mechanism to read those credentials, granting themselves privileges within the larger environment and moving laterally to other resources. IMDS abuse is sometimes preceded and facilitated by exploiting Server-Side Request Forgery (SSRF) vulnerabilities, which allow adversaries to route requests through the vulnerable application to the metadata endpoint. On AWS this technique is easily mitigated by enforcing IMDSv2, which requires a session token obtained via a PUT request before any metadata can be read, so a simple GET-based SSRF cannot reach the credentials.
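The defensive check that follows from the paragraph above is to find instances that still accept IMDSv1 and enforce IMDSv2 on them. The script below is an added example, not code from the page or any of the incidents it lists. It audits the `MetadataOptions` block of an EC2 `DescribeInstances` response and emits the documented `aws ec2 modify-instance-metadata-options` command for each instance that needs fixing. The instance IDs and reservation data are constructed so the script runs offline; in practice the same structure comes from `boto3.client("ec2").describe_instances()["Reservations"]`. The hop-limit check goes one step beyond the page: with a PUT response hop limit above 1, an IMDSv2 token can be forwarded from a container or proxy on the host, so a limit of 1 is the value to enforce alongside `HttpTokens=required`.

```python
"""Audit EC2 instances for IMDSv1 exposure and print the IMDSv2 remediation.

Added example: works on the shape of an AWS DescribeInstances response so it
can run offline against constructed data. Feed audit() the 'Reservations'
list from boto3's ec2.describe_instances() to run it against a real account.
"""

# Constructed sample in the shape of a DescribeInstances response (not real data).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0000000000000aaaa",   # IMDSv1 still allowed
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000bbbb",   # hardened
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0000000000000cccc",   # IMDSv2 enforced, but token can leave the host
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0000000000000dddd",   # IMDS disabled entirely
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}
]


def assess_instance(instance):
    """Return a list of findings for one instance; an empty list means hardened."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # no metadata endpoint reachable, nothing to abuse
    # Default to 'optional' when the key is absent: older responses omitted it,
    # and 'optional' means IMDSv1 (plain GET, no token) is accepted.
    if opts.get("HttpTokens", "optional") != "required":
        findings.append("IMDSv1 allowed (HttpTokens != required): "
                        "a GET-based SSRF can read role credentials")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        findings.append("HttpPutResponseHopLimit > 1: IMDSv2 tokens can be "
                        "forwarded from containers or proxies on the host")
    return findings


def audit(reservations):
    """Map instance id -> findings for every instance with at least one finding."""
    report = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            findings = assess_instance(inst)
            if findings:
                report[inst["InstanceId"]] = findings
    return report


def remediation_command(instance_id, hop_limit=1):
    """aws CLI invocation that enforces IMDSv2 on one instance (documented flags)."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled "
            f"--http-put-response-hop-limit {hop_limit}")


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_RESERVATIONS).items():
        print(instance_id)
        for finding in findings:
            print("  -", finding)
        print("  fix:", remediation_command(instance_id))
```

Running the script against the constructed data flags two of the four instances: the one that still accepts IMDSv1 and the one whose hop limit lets a token leave the host; the disabled endpoint and the fully hardened instance produce no findings. Enforcing `--http-tokens required` is the mitigation the page describes; it can also be set account-wide for new launches, but existing instances must be modified individually, which is what the audit loop is for.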