Publicly accessible EC2 instance performed cryptomining operations
Description
A publicly accessible EC2 instance performed a DNS lookup of a domain used by cryptomining malware.
Attackers often compromise cloud infrastructure to deploy high-capacity compute resources to mine cryptocurrency. When an Internet-facing EC2 instance is observed making DNS requests to known mining pools, this likely indicates compromised infrastructure.
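The following is an added example, not Datadog's or AWS's own code, of the detection logic the description outlines: correlate DNS query logs with an instance inventory and raise a finding only when a known mining domain is resolved by an instance that is actually reachable from the Internet. The log records are constructed and only approximate the Route 53 Resolver query-log JSON shape (`query_name`, `srcaddr`, `srcids.instance`); the domain blocklist and instance inventory are placeholders, not real indicators.

```python
"""Flag DNS lookups of cryptomining domains from Internet-facing EC2 instances.

Added example (not the detection rule's own implementation). All data below is
constructed: the blocklist stands in for a threat-intel feed, the inventory for
the output of ec2:DescribeInstances, the logs for Route 53 Resolver query logs.
"""
import json

# Placeholder blocklist of mining-pool domains (assumption: fed from threat intel).
MINING_DOMAINS = {
    "example-miner.invalid",
    "xmr.example-pool.invalid",
}

# Constructed instance inventory. "Publicly accessible" here means the instance
# has a public IP and a security group that allows inbound traffic from anywhere.
INSTANCES = {
    "i-0aaa111": {"public_ip": "203.0.113.10", "ingress_cidrs": ["0.0.0.0/0"]},
    "i-0bbb222": {"public_ip": None, "ingress_cidrs": ["10.0.0.0/8"]},
}

# Constructed query-log lines, one JSON object per line.
SAMPLE_LOGS = """\
{"query_timestamp":"2024-01-01T10:00:00Z","query_name":"pool.example-miner.invalid.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaa111"}}
{"query_timestamp":"2024-01-01T10:00:01Z","query_name":"notexample-miner.invalid.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaa111"}}
{"query_timestamp":"2024-01-01T10:00:02Z","query_name":"xmr.example-pool.invalid.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.2.7","srcids":{"instance":"i-0bbb222"}}
{"query_timestamp":"2024-01-01T10:00:03Z","query_name":"updates.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaa111"}}
"""


def normalize(name: str) -> str:
    """Strip the trailing dot of a fully qualified name and lower-case it."""
    return name.rstrip(".").lower()


def is_mining_domain(name: str, blocklist=MINING_DOMAINS) -> bool:
    """True if name equals a blocklisted domain or is a subdomain of one.

    The '.' prefix in the suffix check prevents 'notexample-miner.invalid'
    from matching the entry 'example-miner.invalid'.
    """
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in blocklist)


def is_public(instance_id: str, inventory=INSTANCES) -> bool:
    """Internet-facing: public IP assigned and an ingress rule open to the world."""
    meta = inventory.get(instance_id)
    if not meta or not meta.get("public_ip"):
        return False
    return "0.0.0.0/0" in meta.get("ingress_cidrs", [])


def detect(log_text: str, inventory=INSTANCES, blocklist=MINING_DOMAINS) -> list:
    """Return one finding per query that matches the rule's two conditions."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        instance_id = rec.get("srcids", {}).get("instance")
        if instance_id is None:
            continue  # query did not come from an EC2 instance (e.g. a Lambda ENI)
        if not is_mining_domain(rec["query_name"], blocklist):
            continue
        if not is_public(instance_id, inventory):
            continue  # a private host resolving the domain is still worth a
                      # lower-severity signal, but it is not this rule's scope
        findings.append({
            "instance_id": instance_id,
            "query_name": normalize(rec["query_name"]),
            "srcaddr": rec.get("srcaddr"),
            "timestamp": rec.get("query_timestamp"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(json.dumps(finding))
```

Running the script on the constructed logs produces a single finding for `i-0aaa111`: the `notexample-miner.invalid` line shows why the suffix match needs the leading dot, and the `i-0bbb222` line shows a blocklisted lookup that is dropped because the instance is not Internet-facing, which is the qualifier that separates this rule from a generic DNS threat-intel match.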
- Consider creating a snapshot to enable further analysis if required.
- Contain the incident by isolating or terminating the host or container.
- Determine the root cause for host compromise. Review critical vulnerabilities identified for the host or container that may indicate how the attackers could run code on the workload.
- Prevent future compromise by updating relevant infrastructure deployment mechanisms (Terraform, Helm, etc.) or updating vulnerable software.
- Reference the AWS Incident Response Playbook for cryptomining for further guidance.