You expect the guardians at the gate of any system to keep attacks out; you don’t expect them to turn against internal systems and networks and ravage those on behalf of threat actors. Yet that is exactly what happened with cloud servers.
In March 2025, Server-Side Request Forgery (SSRF) attacks targeting cloud servers allowed attackers to send unauthorized, forged requests from vulnerable servers to internal systems, according to a blog post by threat intelligence firm GreyNoise. The attackers accessed internal systems and sensitive data, potentially compromising the entire network and the broader cloud ecosystem.
According to the GreyNoise blog, the coordinated SSRF attacks used 400 unique Internet Protocol (IP) addresses to exploit a dozen different SSRF vulnerabilities simultaneously. An IP address is the logical address that identifies an endpoint for Internet and network traffic.
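One server-side defense against the forged requests described above is to check where a user-supplied URL actually points before the server fetches it. The Python code below is an added example, not code from GreyNoise or BitLyft; the function names, hostnames, and addresses in it are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_internal(addr):
    """True if addr is not a publicly routable unicast address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def dns_resolve(host):
    """Every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_outbound_url(url, resolve=dns_resolve):
    """Return (allowed, detail): the address to connect to, or the reason for refusal."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # the URL carries a literal IP address
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError:
            addrs = []
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:  # fail closed: one internal answer rejects the request
        if is_internal(addr):
            return False, "internal address " + addr
    return True, addrs[0]

if __name__ == "__main__":
    # Constructed DNS answers so the demonstration runs offline.
    answers = {"api.example.test": ["93.184.216.34"], "intranet.example.test": ["10.0.0.5"]}
    for u in ("https://api.example.test/v1", "http://intranet.example.test/", "http://127.0.0.1/"):
        print(u, check_outbound_url(u, lambda h: answers.get(h, [])))
```

The caller should connect to the returned address rather than resolving the hostname a second time, and should run the same check on every redirect target.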
According to Jason Miller, founder and chief executive officer of BitLyft, a managed security service provider, the attack patterns suggest sophisticated cybercriminal organizations or state-sponsored actors due to the scale (the hundreds of IPs involved), coordination, and targeting of critical infrastructure in cloud environments across multiple countries. Said Miller, “Their motivations could include financial gain (e.g., data theft or ransomware), espionage (accessing internal systems), or disruption of critical services.”
The threat actors remain unidentified.