EC2 instance used for malicious botnet operations

network

Set up the network integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

A workload established an unusual amount of outbound connections to the Internet using SSH (TCP port 22).

Malware that infects cloud workloads typically uses victim workloads to spread their infections further. Resources containing a large volume of outbound connections can impact resource availability.

Remediation

  1. Review the destination IP addresses. Determine if the host is expected to make outbound SSH connections.
  2. Review the associated vulnerabilities and misconfigurations on the resource to determine the root cause for the compromise
  3. Patch or fix the vulnerabilities and misconfigurations on the relevant infrastructure deployment mechanism (Terraform, helm, etc) or apply the most recent software patch available to prevent future continual compromise.
  4. Reference the AWS Incident Response Guide for further guidance.

This detection is based on data from Network Performance Monitoring.