Publicly accessible Azure VM performed cryptomining operations


Description

A publicly accessible Azure VM instance performed a DNS lookup of a domain used by cryptomining malware.

Attackers often compromise cloud infrastructure to deploy high-capacity compute resources to mine cryptocurrency. An Internet-facing Azure VM instance observed resolving the domain of a known mining pool has most likely been compromised: the DNS lookup itself is the signal, whether or not the subsequent connection to the pool succeeded.

Remediation

  1. Consider creating a snapshot of the VM's disks to enable further analysis if required.
  2. Contain the incident by isolating or terminating the host or container. Prefer network isolation over termination while memory or running-process evidence is still needed: deallocating a VM discards its memory state.
  3. Determine the root cause of the host compromise. Review critical vulnerabilities identified for the host or container that may indicate how the attackers were able to run code on the workload.
  4. Prevent future compromise by updating the relevant infrastructure deployment mechanisms (Terraform, Helm, etc.) or updating the vulnerable software, and rotate any credentials that were reachable from the compromised workload.
  5. Reference the Azure Incident Response Playbooks for further guidance.
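Steps 1 and 2 above carried out with the Azure CLI, as an added example that is not part of the original page or of any Azure playbook. The resource group, VM name, snapshot label and quarantine NSG name are placeholders; with `DRY_RUN=1` (the default) each `az` command is printed instead of executed so the script can be reviewed offline, and with `DRY_RUN=0` it runs against a logged-in `az` session.

```shell
#!/bin/sh
# Added example (not from the page): contain a compromised Azure VM.
# Step 1: snapshot the OS disk for analysis. Step 2: isolate the VM with a
# deny-all NSG, or deallocate it when isolation is not an option.
# Assumed placeholders: resource group, VM name, snapshot label, NSG name.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: snapshot the managed OS disk so analysis is done on a copy and the
# evidence survives even if the VM is later terminated.
snapshot_os_disk() {
  rg="$1"; vm="$2"; label="$3"
  if [ "$DRY_RUN" = "1" ]; then
    disk_id="<managed OS disk id of $vm>"   # placeholder; real id queried below
  else
    disk_id="$(az vm show -g "$rg" -n "$vm" \
      --query 'storageProfile.osDisk.managedDisk.id' -o tsv)"
  fi
  run az snapshot create -g "$rg" -n "${vm}-${label}" --source "$disk_id"
}

# Step 2 (isolation): a quarantine NSG with deny-all rules in both directions
# (priority 100 sits above the default allow rules) attached to every NIC cuts
# the pool traffic and attacker access while keeping memory available for
# live forensics.
isolate_vm() {
  rg="$1"; vm="$2"; nsg="${vm}-quarantine"
  run az network nsg create -g "$rg" -n "$nsg"
  for dir in Inbound Outbound; do
    run az network nsg rule create -g "$rg" --nsg-name "$nsg" -n "DenyAll$dir" \
      --priority 100 --direction "$dir" --access Deny --protocol '*' \
      --source-address-prefixes '*' --source-port-ranges '*' \
      --destination-address-prefixes '*' --destination-port-ranges '*'
  done
  if [ "$DRY_RUN" = "1" ]; then
    nic_ids="<nic-id-of-$vm>"              # placeholder; real ids queried below
  else
    nic_ids="$(az vm nic list -g "$rg" --vm-name "$vm" --query '[].id' -o tsv)"
  fi
  for nic in $nic_ids; do
    run az network nic update --ids "$nic" --network-security-group "$nsg"
  done
}

# Step 2 (termination): deallocation discards memory state, so use it only
# after evidence capture or when isolation is not possible.
deallocate_vm() {
  run az vm deallocate -g "$1" -n "$2"
}

contain_vm() {
  snapshot_os_disk "$1" "$2" "ir-$(date -u +%Y%m%dT%H%M%SZ)"
  isolate_vm "$1" "$2"
}

# Usage: DRY_RUN=0 ./contain.sh <resource-group> <vm-name>
if [ "$#" -ge 2 ]; then
  contain_vm "$1" "$2"
fi
```

Run it once in dry-run mode and read the printed commands before setting `DRY_RUN=0`; if a subnet-level NSG or a load balancer also fronts the VM, those need the same deny treatment, which this script does not cover.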