Context:
We are utilizing an Azure Databricks workspace for data management and model serving within our project, with delegated VNet and subnets configured specifically for this workspace. However, we are consistently observing malicious flow entries in the VNet flow logs. It appears that a background script is continuously running, sending requests to certain URLs and IP addresses. We are currently operating on the runtime version 15.4.x-cpu-ml-scala2.12, with no third-party libraries installed.
The URLs are like: https://chandramoulisangabathula01.github.io & http://yasse5n.github.io/EDJOSK & https://solankisuryansh.github.io/CloneNetflix
Just a screenshot of one of them:
The IPs are listed in the screenshot below:
And the requests go out from a Databricks-configured aclRule called "microsoft.databricks-workspaces_useonly_databricks-worker-to-worker-outbound", as shown in the screenshot below: