Credential theft

UNC2903 IMDSv1 AWS Instance Metadata Service Abuse

📅 2021-06-21 🏢 Amazon Web Services EC2 IMDSv1 (Instance Metadata Service v1)
Primary Source ↗

Incident Details

UNC2903 is a financially motivated threat actor tracked by Mandiant/Google Cloud that systematically abused the IMDSv1 design weakness in AWS deployments. Beginning in mid-2021, UNC2903 scanned for and exploited web applications with SSRF vulnerabilities to reach the AWS EC2 Instance Metadata Service v1 endpoint (169.254.169.254), which returns temporary IAM role credentials without requiring any authentication. Those credentials were then used to access S3 buckets and other AWS services. IMDSv1 by design hands credentials to anything that can reach the metadata endpoint, including a server-side request triggered through SSRF. AWS subsequently made IMDSv2, which requires a session token obtained via a PUT request and therefore blocks the plain-GET access pattern that SSRF typically yields, the default for new instances. The campaign was disclosed in Google Cloud’s threat intelligence report in May 2022 and is a canonical example of the SSRF-to-cloud-credentials attack chain.

Technical Details

Initial Attack Vector
UNC2903 exploited Server-Side Request Forgery (SSRF) vulnerabilities in web applications running on AWS EC2 instances to query the IMDSv1 (Instance Metadata Service v1) endpoint at 169.254.169.254, retrieving temporary IAM role credentials without authentication.
Vendor / Product
Amazon Web Services EC2 IMDSv1 (Instance Metadata Service v1)
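The IMDSv2 session-token requirement that the Incident Details and Technical Details sections describe, shown as an added example (not code from the Google Cloud report, from AWS, or from this page): a mock metadata endpoint bound to 127.0.0.1 that behaves like IMDS with the real `HttpTokens=required` setting. A bare GET with no custom headers, the shape an SSRF request usually takes, is refused with 401, while the legitimate PUT-then-GET handshake succeeds. The role name, session token and credential values are constructed placeholders; the header names and paths (`/latest/api/token`, `X-aws-ec2-metadata-token-ttl-seconds`, `X-aws-ec2-metadata-token`, `/latest/meta-data/iam/security-credentials/<role>`) are the real IMDS ones.

```python
"""Mock IMDS endpoint illustrating why the IMDSv2 token handshake blocks
IMDSv1-style credential reads. Constructed for illustration only: the server
binds to 127.0.0.1 (not the real 169.254.169.254), and the role name, token
and credential values below are placeholders, not real AWS values."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders (not real AWS values).
SESSION_TOKEN = "constructed-imdsv2-session-token"
ROLE_NAME = "demo-role"
PLACEHOLDER_CREDS = {
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "placeholder-secret",
    "Token": "placeholder-session-token",
}
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}"


class ImdsV2OnlyHandler(BaseHTTPRequestHandler):
    """Behaves like IMDS with HttpTokens=required: credentials are returned
    only to a GET carrying a token that was previously issued via PUT."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Token issuance requires a PUT with the TTL header. A request that
        # an SSRF bug forwards is normally a header-less GET, so it never
        # gets this far; that is the mitigation the page describes.
        if self.path == TOKEN_PATH and self.headers.get("X-aws-ec2-metadata-token-ttl-seconds"):
            self._reply(200, SESSION_TOKEN.encode())
        else:
            self._reply(400)

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
            self._reply(401)  # IMDSv1-style request without a token: rejected
        elif self.path == CREDS_PATH:
            self._reply(200, json.dumps(PLACEHOLDER_CREDS).encode())
        else:
            self._reply(404)


def imdsv1_style_read(base_url):
    """A bare GET with no custom headers (what IMDSv1 would have answered).
    Returns the HTTP status code the v2-only endpoint gives back."""
    try:
        with urllib.request.urlopen(base_url + CREDS_PATH, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def imdsv2_read(base_url):
    """The legitimate two-step flow: PUT for a session token, then GET with it."""
    put = urllib.request.Request(
        base_url + TOKEN_PATH, method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    with urllib.request.urlopen(put, timeout=5) as resp:
        token = resp.read().decode()
    get = urllib.request.Request(
        base_url + CREDS_PATH, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(get, timeout=5) as resp:
        return json.loads(resp.read().decode())


def run_demo():
    """Start the mock server on an ephemeral localhost port, exercise both
    request shapes, and return (status_of_v1_style_read, creds_from_v2_flow)."""
    server = HTTPServer(("127.0.0.1", 0), ImdsV2OnlyHandler)
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return imdsv1_style_read(base_url), imdsv2_read(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    v1_status, v2_creds = run_demo()
    print("GET without session token ->", v1_status)          # 401
    print("PUT-then-GET handshake    ->", v2_creds["AccessKeyId"])
```

On real instances the equivalent hardening is the `HttpTokens` metadata option: `aws ec2 describe-instances` reports it under `MetadataOptions`, and `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` switches an existing instance from the optional (IMDSv1-allowed) setting to IMDSv2-only.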

Timeline

  1. 2021-06-21 Breach occurred
  2. 2022-05-04 Publicly disclosed