Potential Google Cloud cryptomining attack from Tor IP

Goal

Detect when a Google Compute Engine cryptomining attack is observed from a Tor IP.

Strategy

This rule monitors Google Cloud Audit Logs to determine when a compute network creation, compute image creation, or firewall rule creation event coincides with the creation of a Compute Engine instance and originates from a Tor client. An attacker may use a Tor client to anonymize their true origin. Datadog enriches all ingested logs with expert-curated threat intelligence in real time, which is how the Tor origin is identified.
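The correlation described above, sketched as an added example (not Datadog's rule query or code). The audit-log method names, the one-hour window, the flattened event fields and the `ev` helper are assumptions made for illustration; the sample events are constructed.

```python
from collections import defaultdict

# Assumed Cloud Audit Logs method names; the rule's actual query is not shown on the page.
INSTANCE_CREATE = "v1.compute.instances.insert"
SUPPORTING = {"v1.compute.networks.insert", "v1.compute.images.insert",
              "v1.compute.firewalls.insert"}
WINDOW_S = 3600  # assumed correlation window, in seconds


def is_tor(event):
    """True when threat-intel enrichment put the client IP in category 'tor'."""
    return "tor" in event.get("ti_categories", ())


def detect(events, window_s=WINDOW_S):
    """One finding per user whose Tor-sourced instance creation falls within
    window_s of a Tor-sourced network, image or firewall creation."""
    by_user = defaultdict(list)
    for e in events:
        if is_tor(e) and (e["evt_name"] == INSTANCE_CREATE or e["evt_name"] in SUPPORTING):
            by_user[e["usr_id"]].append(e)
    findings = []
    for usr, evs in sorted(by_user.items()):
        creates = [e["ts"] for e in evs if e["evt_name"] == INSTANCE_CREATE]
        hits = [e for e in evs if e["evt_name"] in SUPPORTING
                and any(abs(e["ts"] - t) <= window_s for t in creates)]
        if hits:
            findings.append({"usr_id": usr,
                             "client_ips": sorted({e["client_ip"] for e in evs}),
                             "supporting": sorted({e["evt_name"] for e in hits})})
    return findings


def ev(ts, name, usr, ip, cats=()):
    """Hypothetical helper: build one flattened audit event for the sample."""
    return {"ts": ts, "evt_name": name, "usr_id": usr, "client_ip": ip, "ti_categories": cats}


# Constructed sample events; IPs are from documentation ranges, not real indicators.
SAMPLE = [
    ev(0, "v1.compute.firewalls.insert", "svc-a@example.com", "203.0.113.7", ("tor",)),
    ev(120, INSTANCE_CREATE, "svc-a@example.com", "203.0.113.7", ("tor",)),
    ev(50, "v1.compute.networks.insert", "dev-b@example.com", "198.51.100.4"),
    ev(90, INSTANCE_CREATE, "dev-b@example.com", "198.51.100.4"),  # not Tor
    ev(200, INSTANCE_CREATE, "ops-c@example.com", "203.0.113.9", ("tor",)),  # no supporting event
    ev(0, "v1.compute.images.insert", "svc-d@example.com", "203.0.113.11", ("tor",)),
    ev(10000, INSTANCE_CREATE, "svc-d@example.com", "203.0.113.11", ("tor",)),  # outside window
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Only the first user produces a finding: the second is not Tor-sourced, the third has no supporting creation event, and the fourth falls outside the assumed window.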

Triage and response

  1. Determine if the actions {{@evt.name}} taken by the user {{@usr.id}} from the Tor IP address {{@network.client.ip}} are legitimate by looking at past activity and the type of API calls occurring.
  2. Use the Cloud SIEM IP Investigation and User Investigation dashboards to see if the IP address {{@network.client.ip}} and the user {{@usr.id}} have taken other actions.
  3. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and investigate.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.