Malware: Cryptomining Bad IP

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Malware is detected by examining VPC Flow Logs and Cloud DNS logs for connections to known command and control domains and IP addresses. To respond to this finding, do the following:

Step 1: Review finding details

  1. Open a Malware: Cryptomining Bad IP finding, as directed in Reviewing findings. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab, review the information in the following sections:

    • What was detected, especially the following fields:
      • Source IP: the suspected cryptomining IP address.
      • Source port: the source port of the connection, if available.
      • Destination IP: the target IP address.
      • Destination port: the destination port of the connection, if available.
      • Protocol: the IANA protocol that is associated with the connection.
    • Affected resource
    • Related links, including the following fields:
      • Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.
      • Flow Analyzer: link to the Flow Analyzer feature of Network Intelligence Center. This field displays only when VPC Flow Logs is enabled.

  3. In the detail view of the finding, click the Source properties tab.

  4. Expand properties and note project and instance values in the following field:

    • instanceDetails: note both the project ID and the name of the Compute Engine instance. The project ID and instance name appear as shown in the following example:

      /projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME

  5. To see the complete JSON for the finding, click the JSON tab.

Step 2: Review permissions and settings

  1. In the Google Cloud console, go to the Dashboard page.

    Go to the Dashboard

  2. Select the project that is specified in properties_project_id.

  3. Navigate to the Resources card and click Compute Engine.

  4. Click the VM instance that matches properties_sourceInstance. Investigate the potentially compromised instance for malware.

  5. In the navigation pane, click VPC Network, then click Firewall. Remove or disable overly permissive firewall rules.

Step 3: Check logs

  1. In the Google Cloud console, go to Logs Explorer.

    Go to Logs Explorer

  2. On the Google Cloud console toolbar, select your project.

  3. On the page that loads, find VPC Flow Logs related to Properties_ip_0 by using the following filter:

    • logName="projects/properties_project_id/logs/compute.googleapis.com%2Fvpc_flows"
    • (jsonPayload.connection.src_ip="Properties_ip_0" OR jsonPayload.connection.dest_ip="Properties_ip_0")

Step 4: Research attack and response methods

  1. Review MITRE ATT&CK framework entries for this finding type: Resource Hijacking.
  2. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the project containing malware.
  • Investigate the potentially compromised instance and remove any discovered malware. To assist with detection and removal, use an endpoint detection and response solution.
  • If necessary, stop the compromised instance and replace it with a new instance.
  • Block the malicious IP addresses by updating firewall rules or by using Cloud Armor. You can enable Cloud Armor on the Security Command Center Integrated Services page. Depending on the data volume, Cloud Armor costs can be significant. See the Cloud Armor pricing guide for more information.

What's next