Suspicious activity

Create public access security rule from malicious IP address

Risk Level

Informational (4)


Orca detected an operation that created or modified a security group rule, and the call came from a malicious IP address. This might indicate an exfiltration or persistence attempt: an attacker with permissions to create or modify security groups can expose sensitive assets to the internet in order to maintain access or leak information.
Recommended Mitigation

Review the permissions that were used to make this API call and verify whether the change to the security group is necessary.
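
To support that review, the following added example (not Orca's detection logic) triages audit records for rule-creation calls made from flagged IPs and reports the calling principal, the affected group, and whether the rule opens access to the whole internet. It assumes AWS CloudTrail-style `AuthorizeSecurityGroupIngress`/`AuthorizeSecurityGroupEgress` records and a hypothetical threat-intelligence set; it does not cover rule modification, and all IPs, ARNs, group IDs and events are constructed.

```python
import ipaddress

# Assumption: constructed threat-intel set using documentation-range addresses.
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
RULE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}
AUTH = "AuthorizeSecurityGroupIngress"

def granted_cidrs(event):
    """Collect every CIDR granted by an Authorize* record."""
    perms = ((event.get("requestParameters") or {}).get("ipPermissions") or {}).get("items", [])
    cidrs = []
    for perm in perms:
        cidrs += [r["cidrIp"] for r in (perm.get("ipRanges") or {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
    return cidrs

def is_flagged_ip(source):
    try:
        return str(ipaddress.ip_address(source)) in MALICIOUS_IPS
    except ValueError:  # service callers appear as names, e.g. ec2.amazonaws.com
        return False

def find_suspicious_rule_changes(events):
    findings = []
    for ev in events:
        if ev.get("eventName") not in RULE_EVENTS or not is_flagged_ip(ev.get("sourceIPAddress", "")):
            continue
        cidrs = granted_cidrs(ev)
        findings.append({"principal": ev.get("userIdentity", {}).get("arn"),
                         "source_ip": ev["sourceIPAddress"], "cidrs": cidrs,
                         "group_id": (ev.get("requestParameters") or {}).get("groupId"),
                         "public": any(c in PUBLIC_CIDRS for c in cidrs),
                         "succeeded": "errorCode" not in ev})  # failed calls still matter
    return findings

def _ev(name, ip, cidr, **extra):  # builds one constructed CloudTrail-style record
    perms = {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                        "ipRanges": {"items": [{"cidrIp": cidr}]}}]}
    return {"eventName": name, "sourceIPAddress": ip, **extra,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
            "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": perms}}

SAMPLE_EVENTS = [  # constructed, not real log data
    _ev(AUTH, "203.0.113.45", "0.0.0.0/0"),           # flagged IP, public rule
    _ev(AUTH, "192.0.2.10", "0.0.0.0/0"),             # public rule, IP not flagged
    _ev(AUTH, "198.51.100.7", "10.0.0.0/8", errorCode="Client.UnauthorizedOperation"),
    _ev(AUTH, "ec2.amazonaws.com", "0.0.0.0/0"),      # AWS service caller, not an IP
    _ev("DescribeSecurityGroups", "203.0.113.45", "0.0.0.0/0"),  # read-only call
]
if __name__ == "__main__":
    print(*find_suspicious_rule_changes(SAMPLE_EVENTS), sep="\n")
```

Findings with `public` set to true and `succeeded` set to true are the ones to check first against the principal's granted permissions.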