Publicly accessible GCP compute instance connected to known attack domain


Description

A publicly accessible GCP compute instance connected to a widely known security testing domain. Security testing tools use these domains to validate whether an attack has been successful.

A DNS lookup for a known security testing domain might indicate a successful application compromise or the active use of attacker tooling. This may have resulted from a vulnerable application or misconfigured public resources.
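The detection this rule describes combines two signals: a DNS query whose name falls under a known security-testing domain, and a source instance that is reachable from the internet. The following is an added example, not Datadog's rule logic, showing how such a check can be run over Cloud DNS query log entries. The log field names (`queryName`, `sourceIP`, `vmInstanceName`), the watchlist domains and the instance inventory are all constructed for illustration.

```python
import json

# Constructed watchlist of testing-domain suffixes (placeholders, not real services).
# Matching is done on DNS labels so that any subdomain of a listed domain is caught.
KNOWN_TESTING_DOMAINS = {"oob-callback.example", "canary-test.invalid"}

# Constructed inventory: instance name -> external IP (None means no public address).
INSTANCE_INVENTORY = {
    "web-frontend-1": {"external_ip": "203.0.113.10"},
    "batch-worker-7": {"external_ip": None},
}

# Constructed Cloud DNS query log entries (jsonPayload only), one JSON object per line.
SAMPLE_LOGS = [
    json.dumps({"queryName": "x7f3.oob-callback.example.", "queryType": "A",
                "sourceIP": "10.0.0.5", "vmInstanceName": "web-frontend-1"}),
    json.dumps({"queryName": "canary-test.invalid.", "queryType": "A",
                "sourceIP": "10.0.0.9", "vmInstanceName": "batch-worker-7"}),
    json.dumps({"queryName": "storage.googleapis.com.", "queryType": "A",
                "sourceIP": "10.0.0.5", "vmInstanceName": "web-frontend-1"}),
]


def domain_matches_watchlist(query_name, watchlist=KNOWN_TESTING_DOMAINS):
    """Return the watchlist entry the query name falls under, or None.

    Compares whole labels (so 'notoob-callback.example' does not match
    'oob-callback.example') and tolerates a trailing dot and mixed case.
    """
    labels = query_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def is_publicly_accessible(instance_name, inventory=INSTANCE_INVENTORY):
    """True when the instance has an external IP in the inventory."""
    record = inventory.get(instance_name)
    return bool(record and record.get("external_ip"))


def find_suspicious_lookups(log_lines, watchlist=KNOWN_TESTING_DOMAINS,
                            inventory=INSTANCE_INVENTORY):
    """Flag DNS queries to watchlisted domains from publicly accessible instances."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        matched = domain_matches_watchlist(entry.get("queryName", ""), watchlist)
        if matched is None:
            continue
        instance = entry.get("vmInstanceName", "")
        if not is_publicly_accessible(instance, inventory):
            continue
        findings.append({
            "instance": instance,
            "source_ip": entry.get("sourceIP"),
            "query_name": entry.get("queryName"),
            "matched_domain": matched,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_lookups(SAMPLE_LOGS):
        print(finding)
```

Of the three constructed entries only the first is flagged: the second hits the watchlist but comes from an instance with no external IP, and the third is a benign Google API lookup. In practice the inventory would come from the compute API rather than a hard-coded dict, and the lookups from Cloud DNS logging exported to your SIEM.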

Remediation

  1. Contain the incident by isolating or terminating the host or container. Consider snapshotting to enable further analysis if required.
  2. Determine the root cause for host compromise. Review critical and high vulnerabilities identified for the host or container that may indicate how the attackers were able to run code remotely on the workload.
  3. Update the relevant infrastructure deployment mechanism (Terraform, Helm, etc.) or apply the software patch so that the same compromise cannot recur.