Palo Alto Networks threat intelligence team Unit 42 has released new research on malicious COVID-19 themed domains hosted in the cloud that are targeting users with phishing and malware.
Unit 42 researchers analysed 1.2 million newly registered domain (NRD) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified as “risky” or “malicious”, spread across various regions. The United States has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).
Unit 42 researchers found 56,200+ of the NRDs are hosted in one of the top four popular cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba:
- 1% in AWS
- 6% in GCP
- 3% in Azure
- <.1% in Alibaba
During the research, Unit 42 researchers noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective. Some important findings in this research are:
- On average, 1,767 malicious COVID-19 themed domains are created every day.
- Of the 86,600+ domains, 2,829 domains hosted in public clouds are found as risky or malicious
- 2% in AWS
- 6% in GCP
- 9% in Azure
- .3% in Alibaba
- Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
- The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.
Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack. Organisations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments. Palo Alto Networks continuously monitor the malicious newly registered domains. Prisma Cloud and VM-Series both provide layer-7 firewall capabilities in cloud environments to prevent malicious activities from these domains.
