Publicly accessible EC2 instance connected to known attack domain


Description

A publicly accessible EC2 instance performed a DNS lookup for a widely known security testing domain. Security testing tools use these domains as out-of-band callbacks to confirm that an attack has succeeded.

A DNS lookup for a known security testing domain may indicate a successful application compromise or the active use of attacker tooling on the host. The root cause is typically a vulnerable application or a misconfigured public resource.
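The lookup described above can be surfaced from DNS query logs. The following detector is an added example, not code from the original page or from the vendor; it parses a few constructed Route 53 Resolver query log records (the `query_name` / `srcids.instance` field layout is assumed), matches each queried name against a constructed watchlist of placeholder callback domains (`oob-callback.example`, `collaborator.example`), and tags a hit as high severity when the source instance is in a constructed inventory of publicly accessible instances.

```python
import json
from typing import Dict, Iterable, List, Optional, Set

# Constructed watchlist: placeholder names standing in for the out-of-band
# callback domains that security testing tools use. Populate from your own
# threat intelligence; these two values are not real testing domains.
KNOWN_TESTING_DOMAINS: Set[str] = {
    "oob-callback.example",
    "collaborator.example",
}

# Constructed inventory of instances that carry a public IP or sit behind a
# public load balancer (in practice, produced by an asset-inventory job).
PUBLIC_INSTANCES: Set[str] = {"i-0public000000001"}

# Constructed Route 53 Resolver query log records (JSON lines, trimmed to the
# fields used here). Field names follow the resolver query log format as assumed.
SAMPLE_LOG = """
{"query_timestamp":"2024-05-01T10:00:00Z","query_name":"api.internal.example.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0public000000001"}}
{"query_timestamp":"2024-05-01T10:00:05Z","query_name":"abc123.oob-callback.example.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0public000000001"}}
{"query_timestamp":"2024-05-01T10:00:07Z","query_name":"xyz.collaborator.example.","query_type":"TXT","rcode":"NOERROR","srcaddr":"10.0.2.20","srcids":{"instance":"i-0private00000002"}}
{"query_timestamp":"2024-05-01T10:00:09Z","query_name":"notcollaborator.example.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.2.20","srcids":{"instance":"i-0private00000002"}}
"""


def matches_watchlist(query_name: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlist entry that `query_name` equals or is a subdomain of.

    Matching is done on whole labels (so "notcollaborator.example" does not
    match "collaborator.example"); the trailing dot and case are normalised.
    Testing tools typically prepend a random token as a subdomain, which is why
    every suffix of the name is checked, not just the full name.
    """
    labels = query_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_suspicious_lookups(
    log_lines: Iterable[str],
    watchlist: Set[str] = KNOWN_TESTING_DOMAINS,
    public_instances: Set[str] = PUBLIC_INSTANCES,
) -> List[Dict[str, object]]:
    """Scan DNS query log lines and return one finding per watchlist hit.

    Severity is "high" for a publicly accessible instance (the condition the
    finding on this page describes) and "medium" otherwise, since a private
    host resolving a callback domain still warrants investigation.
    """
    findings: List[Dict[str, object]] = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        rec = json.loads(line)
        matched = matches_watchlist(rec.get("query_name", ""), watchlist)
        if matched is None:
            continue
        instance = rec.get("srcids", {}).get("instance", "")
        is_public = instance in public_instances
        findings.append({
            "timestamp": rec.get("query_timestamp"),
            "instance": instance,
            "srcaddr": rec.get("srcaddr"),
            "query_name": rec.get("query_name"),
            "matched_domain": matched,
            "publicly_accessible": is_public,
            "severity": "high" if is_public else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_lookups(SAMPLE_LOG.splitlines()):
        print(json.dumps(f))
```

The same function works on a real resolver log export by feeding it the decompressed JSON lines; the `rcode` is deliberately ignored because a callback domain that resolves and one that returns NXDOMAIN are equally interesting once the lookup itself has been attempted.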

Remediation

  1. Contain the incident by isolating or terminating the host or container. Consider taking a snapshot first so that further analysis is possible if required.
  2. Determine the root cause of the host compromise. Review the critical and high vulnerabilities identified for the host or container; they may indicate how the attackers were able to run code remotely on the workload.
  3. Update the relevant infrastructure deployment mechanism (Terraform, Helm, etc.) or apply the software patch so that the host is not compromised again after it is rebuilt.
  4. Refer to the AWS Incident Response Playbook for potential malware for further guidance.