Score:2

Action Required: Suspicious Activity Observed on Google Cloud Project


I received the following email from Google today. Ran multiple scans on our system and nothing came out - the destination IP address they sent is a Facebook IP. Does this make any sense? We run Facebook Ads - and my only explanation is that somehow a malicious ad made it into their ad network.

Any assistance much appreciated.

Our systems identified that your Google Cloud Platform / API Project ID [] may have been compromised and used for cryptocurrency mining.

This activity was detected as originating from IP XXX and VM ID XX to destination IP 31.13.86.8 on remote port 443 between 2021-12-02 01:34 and 2021-12-02 01:45 (Pacific Time), though it may still be ongoing.

We received the same e-mail today with the same remote IP. Our conclusion was also that it is a Facebook IP, and we couldn't find anything suspicious on our servers. We didn't even have any CPU spikes (which I guess would be the case when somebody is cryptomining). We use Facebook Login, for example.
John Hanley
Posting here will not help you. Your question has no details from which we could solve your problem. You need to contact Google Cloud support. If an automated system continues to detect crypto mining, wrong or not, your systems can be suspended. I recommend that you create a new system. Consider it disaster recovery restore practice. I have performed forensics for companies that have received this notice. Google was correct. That does not mean they are correct in your case, but you need to convince Google.
Of course I contacted support. And also, of course, posting here is useful: if multiple people receive the same notice with the Facebook IP, this helps to build understanding.
Nestor Daniel Ortega Perez
@SherifBuzz Was the information posted in my answer helpful for you? Or, do you consider that you need more information in order to resolve your issue or doubt?
Score:0

These are GCP's recommended steps when a user faces that warning message:

- Stop the instance immediately.

- Notify impacted users; they might be wondering why your service is down.

- Identify the source of the vulnerability by analyzing the behavior of your instance and the software you've installed.

- Ensure that all the software is up to date. Check for any known vulnerabilities in the software installed on your machine and take proactive steps to apply the latest security patches.

- Adopt additional security measures to ensure that your project is not compromised by a third party and then completely reinstall your project.

- Follow the guidelines in What can I do to protect my instance? (above) to ensure your project is secure going forward.

- If you received a warning from Google Cloud Platform about suspicious behavior by your project, appeal the warning by going to the Google Cloud Platform console and explaining the steps you took to secure the instance.

GCP does not have visibility into what is installed on your instance or what software caused the issue. You are responsible for investigating the source of the vulnerability and taking steps to mitigate it. If you need any additional support to troubleshoot the issue, please refer to the Cloud Platform Support page.

For reference, you can also visit GCP's official documentation page, Securing instances:
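The "identify the source" step above has to start from what the notice actually gives: a destination IP, a remote port and a time window in Pacific Time. The script below is an added example (not from this answer or from Google) that converts that window to UTC, pulls the matching records out of a VPC Flow Logs export in JSON-lines form, and checks the destination against an operator-maintained list of verified prefixes; the log records, the VM name and the prefix entry are constructed, and the prefix is an assumption to be confirmed against current routing data rather than taken from here.

```python
import ipaddress
import json
from datetime import datetime, timedelta, timezone
# Details as the notice on the page gives them (the VM id and source IP are redacted there).
NOTICE = {"dest_ip": "31.13.86.8", "dest_port": 443,
          "window_start": "2021-12-02 01:34", "window_end": "2021-12-02 01:45"}
# The window falls in December, so Pacific Time here is PST (UTC-8, no DST in effect).
PACIFIC = timezone(timedelta(hours=-8), "PST")
# Assumed operator-maintained prefix list; the entry is an example assumption to confirm against routing data.
VERIFIED_PREFIXES = {"31.13.64.0/18": "facebook (operator-verified)"}
# Constructed VPC Flow Log export (one JSON record per line) using the real jsonPayload field names.
SAMPLE_FLOW_LOGS = """\
{"jsonPayload":{"connection":{"src_ip":"10.128.0.5","src_port":51324,"dest_ip":"31.13.86.8","dest_port":443,"protocol":6},"start_time":"2021-12-02T09:35:10.412345678Z","end_time":"2021-12-02T09:35:12.001234567Z","bytes_sent":"8421","src_instance":{"vm_name":"web-1"}}}
{"jsonPayload":{"connection":{"src_ip":"10.128.0.5","src_port":51390,"dest_ip":"31.13.86.8","dest_port":443,"protocol":6},"start_time":"2021-12-02T09:44:00.000000000Z","end_time":"2021-12-02T09:44:59.900000000Z","bytes_sent":"3022","src_instance":{"vm_name":"web-1"}}}
{"jsonPayload":{"connection":{"src_ip":"10.128.0.5","src_port":51400,"dest_ip":"31.13.86.8","dest_port":443,"protocol":6},"start_time":"2021-12-02T12:00:00.000000000Z","end_time":"2021-12-02T12:00:05.000000000Z","bytes_sent":"1500","src_instance":{"vm_name":"web-1"}}}
{"jsonPayload":{"connection":{"src_ip":"10.128.0.5","src_port":40000,"dest_ip":"203.0.113.9","dest_port":443,"protocol":6},"start_time":"2021-12-02T09:40:00.000000000Z","end_time":"2021-12-02T09:41:00.000000000Z","bytes_sent":"2000","src_instance":{"vm_name":"web-1"}}}
"""

def parse_rfc3339(ts):
    """Flow-log timestamps carry nanoseconds; drop the fraction before parsing."""
    return datetime.fromisoformat(ts.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)

def window_utc(notice):
    """Convert the notice's Pacific Time window to aware UTC datetimes."""
    fmt = "%Y-%m-%d %H:%M"
    start = datetime.strptime(notice["window_start"], fmt).replace(tzinfo=PACIFIC)
    end = datetime.strptime(notice["window_end"], fmt).replace(tzinfo=PACIFIC)
    return start.astimezone(timezone.utc), end.astimezone(timezone.utc)

def matching_flows(raw_logs, notice):
    """Return flows to the notice's IP:port whose lifetime overlaps the notice window."""
    start, end = window_utc(notice)
    hits = []
    for line in filter(None, raw_logs.splitlines()):
        p = json.loads(line)["jsonPayload"]
        c = p["connection"]
        if c["dest_ip"] != notice["dest_ip"] or c["dest_port"] != notice["dest_port"]:
            continue
        fs, fe = parse_rfc3339(p["start_time"]), parse_rfc3339(p["end_time"])
        if fe < start or fs > end:  # flow lies entirely outside the window
            continue
        hits.append({"vm": p["src_instance"]["vm_name"], "src_port": c["src_port"],
                     "start_utc": fs.isoformat(), "bytes_sent": int(p["bytes_sent"])})
    return hits

def destination_owner(ip, prefixes=VERIFIED_PREFIXES):
    """Name the verified owner of the destination's prefix, or 'unverified'."""
    addr = ipaddress.ip_address(ip)
    return next((who for net, who in prefixes.items() if addr in ipaddress.ip_network(net)), "unverified")
```

A match only shows which VM and source port talked to that destination in the window; pairing it with the instance's CPU metrics for the same minutes (the point raised in the comments) is what separates routine API traffic from mining.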
