Publicly accessible GCP compute instance performing SSH scanning


A publicly accessible GCP compute instance performed an unusually high number of outbound SSH connections.

A publicly accessible resource performing these SSH connections could indicate a malware infection. Attackers often compromise cloud infrastructure to propagate malware and add more victims to their botnet. More often than not, botnet malware performs other unauthorized activity on their victim machines, including mining cryptocurrency and stealing cloud secrets.


  1. Contain the incident by isolating or terminating the host or container. Consider snapshotting to enable further analysis if required.
  2. Determine the root cause for host compromise. Review critical vulnerabilities identified for the host or container that may indicate how the attackers were able to run code remotely on the workload.
  3. Update relevant infrastructure deployment mechanism (Terraform, helm, etc.) or software patch to prevent future continual compromise.