Unauthorized IAM User Access from Tor IP Detected
Alert Summary
A GuardDuty alert of type "UnauthorizedAccess:IAMUser/TorIPCaller" was triggered on January 7, 2025, at 06:51:49 UTC. The IAM user james attempted the API call ListNotificationHubs against notifications.amazonaws.com from the IP address 185.40.4.94, a Tor exit node located in Sandefjord, Norway, using the access key ID ASIATCKAQRLQXCDI264W; the call failed with an "AccessDenied" error. The activity was flagged by Amazon GuardDuty, which continuously monitors AWS accounts for malicious or unauthorized behavior. The alert is still open with a severity of 1, indicating a potentially limited impact.
Top Findings
IP 185.40.4.94 is linked to a Tor exit node and ProtonVPN.
IP 185.40.4.94 has a mixed reputation, flagged as malicious by 11 vendors.
james typically logs in from IP 47.204.209.17, not 185.40.4.94.
No login activity from IP 185.40.4.94 for james in past 30 days.
Activity from IP 185.40.4.94 should be treated as highly suspicious.
Conclusion
The IP address 185.40.4.94 is flagged by multiple security vendors as malicious, shows high abuse rates, and is linked to a Tor exit node. The user james has no history of using Tor or IP addresses from Norway. This evidence strongly indicates malicious behavior requiring remediation.
External Scanning: The IP address 185.40.4.94 is associated with a Tor exit node and was reported 49 times on AbuseIPDB in the last 30 days. This indicates a high likelihood of malicious activity and suggests possible external scanning, and it was a key factor in classifying the alert as malicious.
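The triage reasoning above (Tor exit node, source IP outside the user's 30-day baseline, vendor and AbuseIPDB hits, denied call on a still-exposed key) as a small script. This is an added example, not part of the original report: the finding, baseline and reputation data are constructed from the values in this alert, the field paths follow the camelCase GuardDuty finding JSON, and the thresholds are assumptions.

```python
# Constructed GuardDuty finding; field paths follow the GuardDuty finding JSON,
# values are the ones reported in the alert above.
FINDING = {
    "type": "UnauthorizedAccess:IAMUser/TorIPCaller",
    "severity": 1,
    "resource": {"accessKeyDetails": {
        "userName": "james", "accessKeyId": "ASIATCKAQRLQXCDI264W"}},
    "service": {"action": {"awsApiCallAction": {
        "api": "ListNotificationHubs",
        "serviceName": "notifications.amazonaws.com",
        "errorCode": "AccessDenied",
        "remoteIpDetails": {"ipAddressV4": "185.40.4.94",
                            "country": {"countryName": "Norway"}}}}},
}
# Constructed 30-day baseline of sign-in source IPs per user (what CloudTrail would show).
BASELINE_IPS = {"james": {"47.204.209.17"}}
# Constructed reputation data per IP, mirroring the report's findings.
INTEL = {"185.40.4.94": {"tor_exit": True, "malicious_vendors": 11,
                         "abuseipdb_reports_30d": 49}}


def triage(finding, baseline_ips, intel, vendor_min=5, reports_min=10):
    """Score a TorIPCaller finding against the user's baseline and IP reputation.

    Returns (verdict, reasons); verdict is 'malicious', 'suspicious' or 'review'.
    vendor_min / reports_min are assumed thresholds, not GuardDuty values.
    """
    key = finding["resource"]["accessKeyDetails"]
    call = finding["service"]["action"]["awsApiCallAction"]
    ip = call["remoteIpDetails"]["ipAddressV4"]
    rep = intel.get(ip, {})
    reasons = []
    if rep.get("tor_exit"):
        reasons.append(f"{ip} is a Tor exit node")
    if ip not in baseline_ips.get(key["userName"], set()):
        reasons.append(f"{ip} not seen for {key['userName']} in 30-day baseline")
    if rep.get("malicious_vendors", 0) >= vendor_min:
        reasons.append(f"{rep['malicious_vendors']} vendors flag {ip} as malicious")
    if rep.get("abuseipdb_reports_30d", 0) >= reports_min:
        reasons.append(f"{rep['abuseipdb_reports_30d']} AbuseIPDB reports in 30 days")
    verdict = "review"
    if rep.get("tor_exit") and len(reasons) >= 3:
        verdict = "malicious"
    elif reasons:
        verdict = "suspicious"
    # AccessDenied limits impact, but the key was still used off-baseline: treat it as exposed.
    if call.get("errorCode") == "AccessDenied":
        reasons.append(f"{call['api']} was denied; key {key['accessKeyId']} should be rotated")
    return verdict, reasons


if __name__ == "__main__":
    verdict, why = triage(FINDING, BASELINE_IPS, INTEL)
    print(verdict, *why, sep="\n  ")
```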
Associated Entities
185.40.4.94
james