Project appears to be performing intrusion attempts against a third party


Seong-Jun Yea

Apr 19, 2021, 11:10:56 AM
to gce-discussion
Hello all,
I'm using a VM instance as an API server, and I got an email from the GCP/API Trust & Safety Team that my GCP Project appears to be performing intrusion attempts against a third party, and that it is violating the GCP Terms of Service. The email says that I should:
  • Try to fix the problem: Make sure that your project traffic directed at third parties is expected, and that your project has not been compromised. Check the traffic originating from all your instances and fix any that may be impacted by this issue
However, the Node.js code that makes up the server doesn't call a third-party API or get any data from a third party.

This is the second time I have received the same email. The first time, the problem was fixed when I removed the problematic instance, because it was just a test instance that had nothing important in it, but now the same problem is happening in the service code instance. How should I manage this issue? What is this error happening?

Theodore Ts'o

Apr 19, 2021, 9:08:05 PM
to Seong-Jun Yea, gce-discussion
On Sun, Apr 18, 2021 at 07:19:19PM -0700, Seong-Jun Yea wrote:
> Hello all,
> I'm using a VM instance as an API server, and I got an email from GCP/API
> Trust & Safety Team that my GCP Project appears to be performing intrusion
> attempts against a third party, and it is violating the GCP Terms of
> Service. The email says that I should:
>
> - *Try to fix the problem*: Make sure that your project traffic directed
> at third parties is expected, and that your project has not been
> compromised. Check the traffic originating from all your instances and fix
> any that may be impacted by this issue
>
> However, the nodejs code that consists of the server doesn't call a
> third-party API or get any data from a third party.
>
> This is the second time I receive the same email, and the problem was fixed
> when I removed the problematic instance because it was just a test instance
> that had nothing important in there, but now, the same problem is happening
> in the service code instance. How should I manage this issue? What is this
> error happening?

It's possible that there is some kind of security vulnerability in
your VM which is allowing people with bad intent to break into your
system and then use that system to attack other systems. This could
be a denial of service attack, or something that could be causing a
lot more damage.

Security vulnerabilities can be caused by bugs in your application
software, in software which your application depends on, or OS-level
bugs which would be closed if you had been regularly applying
security updates.

It's also possible that your login credentials for your project have
been compromised, or that your ssh keys have been compromised. This is
the "make sure... that your project has not been compromised."

You may find the following talk helpful in terms of understanding why
all cloud providers take this thing super-seriously.

https://www.youtube.com/watch?v=pyFq9HJrwTg

"Chris Inglis: Keynote from Day 2 of the CERIAS Center for
Education and Research in Information Assurance and Security
2019 Symposium"

(It's quite possible your server might be playing the role of one of
the yellow or red dots shown on the slide around 10 minutes into the
above video. It's also possible that your server was taken over by
hackers working for North Korea who are attacking hospitals to get hard
currency for their country by installing ransomware on third parties.
That sort of thing is described about 12 minutes in. When you put a
server out on the internet, whether it is a cloud server or not, you
need to be really careful about your system security.)

Cheers,

- Ted
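The Trust & Safety email asks the project owner to check the traffic originating from every instance. One concrete way to do that from the cloud side is to look at VPC Flow Logs for "fan-out": a single VM opening connections to many distinct external addresses on the same port, which is what a scan or brute-force attempt launched from a compromised instance looks like. The following is an added example written for this thread, not code from the original posts or from Google; it assumes records shaped like the jsonPayload of VPC Flow Log entries (connection.src_ip, dest_ip, dest_port, protocol, and reporter "SRC" for flows the source VM reported), and every record below is constructed.

```python
"""Flag scan-like outbound fan-out in VPC Flow Log records (added example).

Assumes each record looks like the jsonPayload of a Google Cloud VPC Flow
Log entry. The records and the private-range allowlist are assumptions
for illustration, not values from the thread.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def flow(src_ip, dest_ip, dest_port, protocol=6, reporter="SRC"):
    """Build one constructed flow record (protocol 6 = TCP)."""
    return {
        "reporter": reporter,
        "connection": {
            "src_ip": src_ip,
            "dest_ip": dest_ip,
            "dest_port": dest_port,
            "protocol": protocol,
        },
        "bytes_sent": 1200,
    }


# Constructed sample: a healthy API VM talking HTTPS to three upstreams,
# one inbound client flow reported by the destination side, and a second
# VM sweeping forty hosts on port 22 (the pattern the email describes).
SAMPLE_FLOWS = (
    [flow("10.0.0.5", f"198.51.100.{n}", 443) for n in (10, 11, 12)]
    + [flow("192.0.2.7", "10.0.0.5", 443, reporter="DEST")]
    + [flow("10.0.0.9", f"203.0.113.{n}", 22) for n in range(1, 41)]
)


def fanout_by_source(flows, internal=PRIVATE_RANGES):
    """Count distinct external destinations per (src_ip, dest_port, protocol).

    Only flows reported by the source VM count as "originating from" it, and
    destinations inside the internal ranges are ignored so east-west traffic
    does not inflate the numbers.
    """
    nets = [ip_network(n) for n in internal]
    dests = defaultdict(set)
    for record in flows:
        if record.get("reporter") != "SRC":
            continue
        conn = record["connection"]
        dst = ip_address(conn["dest_ip"])
        if any(dst in net for net in nets):
            continue
        key = (conn["src_ip"], conn["dest_port"], conn["protocol"])
        dests[key].add(dst)
    return {key: len(ips) for key, ips in dests.items()}


def suspicious_sources(flows, threshold=20):
    """Return (src_ip, dest_port, distinct_destinations) for sources whose
    fan-out on one port reaches the threshold, sorted for stable output."""
    hits = [
        (src, port, count)
        for (src, port, _proto), count in fanout_by_source(flows).items()
        if count >= threshold
    ]
    return sorted(hits)


if __name__ == "__main__":
    for src, port, count in suspicious_sources(SAMPLE_FLOWS):
        print(f"{src} reached {count} distinct external hosts on port {port}")
```

The threshold is a starting point, not a rule: an API server that legitimately fans out (a crawler, a webhook dispatcher) will need a higher value or a per-port allowlist, and the flagged instance still has to be inspected on the host (running processes, cron entries, authorized_keys) before deciding whether it was compromised.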

pralove

Apr 20, 2021, 12:07:41 PM
to gce-discussion
You can configure security and manage risk for Google Cloud Platform using Security Command Center (SCC) [1].

Using SCC you can uncover common web application vulnerabilities in your applications running on Compute Engine, App Engine, etc. [2].