Tags: Cloud
MITRE Tactic: Credential Access (TA0006)
Incidents:
  ScarletEel campaign (Feb '23)
  ScarletEel campaign (July '23)
  SilentBob cryptomining campaign
  From PHP exploitation to AWS lateral movement
  Misconfigured firewall to cryptojacking botnet
  Capital One incident (March 2019)
  UNC2903 campaigns
  SQL Server to cloud lateral movement
  From PHP vuln to Sliver execution via cron
  From web app exploitation to Chisel tunneling
  Commando Cat campaign
  Hugging Face cross-tenant access
  US DoD NIPRNet access via Atlassian SSRF
Last edited: Jan 15, 2024 2:41 PM
Status: Featured
Applications running on cloud virtual machines obtain temporary credentials for the identity attached to the instance (an IAM instance-profile role on AWS, a service account on GCP, a managed identity on Azure) from the Instance Metadata Service (IMDS), a link-local HTTP endpoint (169.254.169.254 on AWS) that answers without authentication to anything running on the VM. Threat actors who gain initial access to a VM routinely query that endpoint to steal those credentials, inherit the instance's permissions across the wider cloud environment, and move laterally to other resources. IMDS abuse is often preceded by, and made possible through, a server-side request forgery (SSRF) vulnerability, which lets an adversary route an HTTP request to the metadata endpoint through the vulnerable application without having code execution on the host; the Capital One incident listed above is the best-known example. On AWS, enforcing IMDSv2 (metadata option http-tokens=required) closes the SSRF path: the client must first obtain a session token with a PUT request carrying a custom TTL header and then present that token in a header on every GET, and a typical SSRF primitive can issue neither the PUT nor the custom headers; the hop limit of 1 on the token response additionally stops a container or proxy from forwarding the request. GCP (Metadata-Flavor: Google) and Azure (Metadata: true) rely on the same kind of mandatory header. IMDSv2 does not, however, protect against an attacker who already has code execution on the instance, so it should be paired with least-privilege instance roles and with alerting on instance credentials being used from outside the instance.
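The following is an added example, not code from the original page or from any of the listed incidents. It runs a local mock of the EC2 metadata endpoint that can be switched between IMDSv1 (token optional) and IMDSv2 (token required) behaviour, and drives it two ways: an SSRF-style fetch that can only issue plain GETs, the way a vulnerable "fetch this URL" feature would, and a proper IMDSv2 client that does the PUT-for-token handshake. The role name, port, session token and credential values are all made up for the demo; the mock simulates only the token/header check, not the hop-limit protection of the real service.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
ROLE = "demo-web-role"                                  # constructed role name
FAKE_CREDS = {                                          # constructed, not real keys
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLE",
}
VALID_TOKEN = "demo-session-token"                      # constructed session token


class MockIMDS(BaseHTTPRequestHandler):
    require_token = False       # False = IMDSv1 accepted, True = IMDSv2 only

    def log_message(self, *_):  # keep the demo output quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: PUT /latest/api/token with a TTL header.
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            self._send(200, VALID_TOKEN)
        else:
            self._send(400, "")

    def do_GET(self):
        # In v2-only mode every GET must carry a valid session token.
        if self.require_token and self.headers.get(TOKEN_HEADER) != VALID_TOKEN:
            self._send(401, "")
            return
        base = "/latest/meta-data/iam/security-credentials/"
        if self.path == base:
            self._send(200, ROLE)               # role enumeration
        elif self.path == base + ROLE:
            self._send(200, json.dumps(FAKE_CREDS))  # temporary credentials
        else:
            self._send(404, "")

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(require_token):
    MockIMDS.require_token = require_token
    srv = HTTPServer(("127.0.0.1", 0), MockIMDS)   # ephemeral local port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def ssrf_fetch(url):
    """What a typical SSRF gives the attacker: a plain GET, no custom headers."""
    try:
        with urllib.request.urlopen(url, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def steal_via_ssrf(base):
    """Attacker path: enumerate the role name, then read its credentials."""
    status, role = ssrf_fetch(f"{base}/latest/meta-data/iam/security-credentials/")
    if status != 200:
        return None
    status, body = ssrf_fetch(f"{base}/latest/meta-data/iam/security-credentials/{role}")
    return json.loads(body) if status == 200 else None


def legit_imdsv2_fetch(base):
    """Proper IMDSv2 client: PUT for a session token, then GET with the token."""
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: "21600"})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(f"{base}/latest/meta-data/iam/security-credentials/{ROLE}",
                                 headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return json.loads(r.read().decode())


def demo(require_token):
    """Run both clients against a mock in the given mode and return what each got."""
    srv, base = start_mock(require_token)
    try:
        return {"ssrf": steal_via_ssrf(base), "legit": legit_imdsv2_fetch(base)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("IMDSv1 mode, SSRF obtains:", demo(False)["ssrf"])   # full credential set
    print("IMDSv2 mode, SSRF obtains:", demo(True)["ssrf"])    # None (401 on GET)
```

In v1 mode the GET-only SSRF walks straight to the credential document; in v2 mode the same requests fail at the first GET because no token can be obtained without a PUT and a custom header, while the legitimate client still works in both modes. The real service adds a second barrier the mock leaves out: the token response is sent with a hop limit of 1, so a forwarded request from a container or proxy never receives it.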