Publicly accessible GCP compute instance performed cryptomining operations
Description
A publicly accessible GCP compute instance performed a DNS lookup of a domain used by cryptomining malware.
Attackers often compromise cloud infrastructure to deploy high-capacity compute resources to mine cryptocurrency. When an Internet-facing GCP compute instance is observed making DNS requests to known mining pools, this likely indicates compromised infrastructure.
- Consider creating a snapshot to enable further analysis if required.
- Contain the incident by isolating or terminating the host or container.
- Determine the root cause for host compromise. Review critical vulnerabilities identified for the host or container that may indicate how the attackers could run code on the workload.
- Prevent future compromise by updating relevant infrastructure deployment mechanisms (Terraform, Helm, etc.) or updating vulnerable software.
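As an added illustration of the detection logic described above (example code written for this page, not Datadog's rule implementation or any project code), the following Python checks constructed DNS query records for lookups of mining-pool domains and ranks hits by whether the instance is Internet-facing. The record layout, instance names, IPs and pool domains are all placeholders, not the real Cloud DNS schema or real indicators.

```python
from typing import Dict, Iterable, List, Optional

# Placeholder mining-pool domains (constructed). A real detection would load a
# maintained threat-intelligence feed rather than a hard-coded set.
MINING_POOL_DOMAINS = {"pool.example-miner.test", "stratum.example-pool.test"}

# Constructed, simplified DNS query records: one per lookup made by a GCP
# compute instance. "external_ip" is None when the instance has no public address.
SAMPLE_LOGS: List[Dict[str, Optional[str]]] = [
    {"instance": "web-1", "external_ip": "203.0.113.10", "query": "Pool.Example-Miner.test."},
    {"instance": "db-1", "external_ip": None, "query": "eu.stratum.example-pool.test."},
    {"instance": "web-2", "external_ip": "203.0.113.11", "query": "updates.example.com."},
]


def normalize(qname: str) -> str:
    """Strip the trailing dot and lowercase so FQDN variants compare equal."""
    return qname.rstrip(".").lower()


def matches_pool(qname: str) -> bool:
    """True if the queried name is a known pool domain or a subdomain of one."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in MINING_POOL_DOMAINS)


def find_cryptomining_signals(records: Iterable[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Return one finding per pool lookup. Internet-facing instances are rated
    'high' (the case this rule targets); private instances still get a 'medium'
    finding, since the DNS lookup alone is a strong signal of compromise."""
    findings = []
    for rec in records:
        query = rec.get("query") or ""
        if not matches_pool(query):
            continue
        public = bool(rec.get("external_ip"))
        findings.append({
            "instance": rec["instance"],
            "domain": normalize(query),
            "severity": "high" if public else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_cryptomining_signals(SAMPLE_LOGS):
        print(f"[{f['severity']}] {f['instance']} resolved {f['domain']}")
```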