Publicly accessible Azure VM connected to known attack domain

Description

A publicly accessible Azure VM instance connected to a widely known security testing domain. Security testing tools use these domains to validate whether an attack has been successful.

A DNS lookup for a known security testing domain might indicate a successful application compromise or the active use of attacker tooling. This may have resulted from a vulnerable application or misconfigured public resources.
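The correlation this finding describes (a DNS lookup for a known testing domain, weighted by whether the VM is publicly exposed) as an added detection example, not code from the original finding text; the domain list, VM inventory and log lines are constructed placeholders.

```python
"""Added example: flag public VMs whose DNS queries hit a known testing domain.
Every domain, VM name and log line here is a constructed placeholder."""

# Constructed placeholder list; in practice this comes from a threat-intel feed.
KNOWN_TESTING_DOMAINS = {"callback-test.example", "oast.example"}

# Constructed inventory: whether each VM has a public IP or open inbound rule.
VM_INVENTORY = {
    "web-vm-01": {"public": True},
    "batch-vm-02": {"public": False},
    "web-vm-03": {"public": True},
}

# Constructed DNS log: "<timestamp> <vm name> <queried name>" per line.
DNS_LOG = """\
2024-01-01T10:00:00Z web-vm-01 api.contoso.example
2024-01-01T10:00:05Z web-vm-01 abc123.callback-test.example
2024-01-01T10:00:09Z batch-vm-02 xyz.oast.example
2024-01-01T10:00:12Z web-vm-03 updates.example
"""


def matches_known_domain(qname, known=KNOWN_TESTING_DOMAINS):
    """True if qname equals, or is a subdomain of, a known testing domain."""
    labels = qname.lower().rstrip(".").split(".")
    # Check every suffix so random per-probe subdomains still match the parent.
    return any(".".join(labels[i:]) in known for i in range(len(labels)))


def parse_dns_log(text):
    """Yield one dict per well-formed log line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield {"ts": parts[0], "vm": parts[1], "qname": parts[2]}


def find_findings(log_text, inventory, known=KNOWN_TESTING_DOMAINS):
    """Return matching lookups split by severity: public VMs are 'high',
    non-public VMs (or VMs missing from the inventory) are 'low'."""
    findings = {"high": [], "low": []}
    for event in parse_dns_log(log_text):
        if not matches_known_domain(event["qname"], known):
            continue
        is_public = inventory.get(event["vm"], {}).get("public", False)
        findings["high" if is_public else "low"].append(event)
    return findings
```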

Remediation

  1. Contain the incident by isolating or terminating the host or container. Consider snapshotting to enable further analysis if required.
  2. Determine the root cause for host compromise. Review critical and high vulnerabilities identified for the host or container that may indicate how the attackers were able to run code remotely on the workload.
  3. Update the relevant infrastructure deployment mechanism (Terraform, Helm, etc.) or apply the software patch so the workload is not redeployed in a vulnerable state and compromised again.