EC2 instance used for malicious botnet operations

network

Set up the network integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

A workload established an unusual amount of outbound connections to the Internet using SSH (TCP port 22).

Malware that infects cloud workloads typically uses victim workloads to spread their infections further. Resources containing a large volume of outbound connections can impact resource availability.

Remediation

  1. Review the destination IP addresses. Determine if the host is expected to make outbound SSH connections.
  2. Review the associated vulnerabilities and misconfigurations on the resource to determine the root cause for the compromise
  3. Patch or fix the vulnerabilities and misconfigurations on the relevant infrastructure deployment mechanism (Terraform, helm, etc) or apply the most recent software patch available to prevent future continual compromise.
  4. Reference the AWS Incident Response Guide for further guidance.

This detection is based on data from Network Performance Monitoring.