Suspicious
UnauthorizedAccess:IAMUser/TorIPCaller
Investigation #26

Unauthorized Root Login Attempt from Tor IP Address

GuardDuty detected an unauthorized access attempt on September 6, 2024, at 22:02:12 UTC, involving the AWS account root user, originating from the Tor exit node IP address 109.70.100.71, which is associated with the Foundation for Applied Privacy in Austria. The alert, identified as "UnauthorizedAccess:IAMUser/TorIPCaller," was triggered when the ConsoleLogin API was invoked at signin.amazonaws.com using the principal ID "211125570273" and username "Root." The GuardDuty detector with ID a2c67b2d8cf65fc7834ac07bdba8abd5 in the AWS region us-west-2 generated this alert, noting that the resource involved was an access key of type "Root."

Source: GuardDuty
1. IP address `109.70.100.71` is linked to multiple security threats and malicious activities.
2. AWS CloudTrail logs show multiple `ConsoleLogin` events from IP `109.70.100.71`.
3. The `Root` user authenticated with MFA for actions involving the suspicious IP.
4. No recent alerts are related to this alert.

The conclusion reached is that the alert is suspicious: the IP address 109.70.100.71 is linked to multiple security threats and malicious activities as reported by various threat intelligence sources, and it was involved in specific suspicious activities on AWS on September 6, 2024, even though no prior unusual activity had been detected for the root user account Root.

Involved entities (2):
IP Address: 109.70.100.71
Username: Root