Publicly accessible Azure VM performed cryptomining operations

Description

A publicly accessible Azure VM instance performed a DNS lookup of a domain used by cryptomining malware.

Attackers often compromise cloud infrastructure to deploy high-capacity compute resources to mine cryptocurrency. When an Internet-facing Azure VM instance is observed making DNS requests to known mining pools, this likely indicates compromised infrastructure.
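The detection logic described above, as an added example that is not part of the original page or any vendor's product: it joins constructed DNS query records against a constructed VM inventory (which VMs have a public IP) and a placeholder mining-pool domain list, and it goes slightly beyond the text by also flagging non-public VMs at a lower severity instead of dropping them. The field names, the `.test` domains and the inventory are all assumptions.

```python
# Added example: Internet-facing VM + DNS query to a known mining-pool domain.
# All data below is constructed for illustration; the domain list is a
# placeholder standing in for a real threat-intelligence feed.

# Constructed inventory: public_ip is None for VMs with no Internet exposure.
VM_INVENTORY = {
    "web-01": {"public_ip": "203.0.113.10"},
    "batch-07": {"public_ip": None},
    "api-03": {"public_ip": "203.0.113.22"},
}

# Constructed placeholder list of mining-pool domains (assumed, not real IoCs).
MINING_POOL_DOMAINS = {"pool.example-miner.test", "xmr.example-pool.test"}

# Constructed sample DNS query log records as the detection would consume them.
DNS_LOGS = [
    {"ts": "2024-05-01T10:00:01Z", "vm": "web-01", "query": "login.microsoftonline.com"},
    {"ts": "2024-05-01T10:00:05Z", "vm": "web-01", "query": "eu.pool.example-miner.test"},
    {"ts": "2024-05-01T10:00:09Z", "vm": "batch-07", "query": "xmr.example-pool.test"},
    {"ts": "2024-05-01T10:00:12Z", "vm": "api-03", "query": "XMR.Example-Pool.TEST."},
]

def matches_mining_domain(query: str, pools: set[str]) -> bool:
    """True if the queried name is a listed pool domain or a subdomain of one.
    Case and a trailing dot are normalised so FQDN-style log entries match."""
    name = query.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in pools)

def is_public(vm: str, inventory: dict) -> bool:
    """A VM counts as publicly accessible when the inventory shows a public IP."""
    return inventory.get(vm, {}).get("public_ip") is not None

def detect(logs, inventory=VM_INVENTORY, pools=MINING_POOL_DOMAINS) -> list[dict]:
    """Return one alert per DNS query that matches a mining-pool domain.
    Internet-facing VMs get 'high' severity (the rule on this page); other
    VMs still produce a 'medium' finding since the lookup alone is a strong
    compromise indicator."""
    alerts = []
    for rec in logs:
        if not matches_mining_domain(rec["query"], pools):
            continue
        alerts.append({
            "ts": rec["ts"], "vm": rec["vm"], "query": rec["query"],
            "severity": "high" if is_public(rec["vm"], inventory) else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(DNS_LOGS):
        print(alert)
```

Feeding real data means replacing the inventory lookup with the VM's network configuration and the domain set with an up-to-date intelligence feed; the matching and severity logic stays the same.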

Remediation

  1. Consider creating a snapshot to enable further analysis if required.
  2. Contain the incident by isolating or terminating the host or container.
  3. Determine the root cause of the host compromise. Review critical vulnerabilities identified for the host or container that may indicate how the attackers were able to run code on the workload.
  4. Prevent future compromise by updating relevant infrastructure deployment mechanisms (Terraform, Helm, etc.) or updating vulnerable software.
  5. Reference the Azure Incident Response Playbooks for further guidance.