A new report from researchers with Palo Alto Networks’ Unit 42 found that more than 86,600 domains of the 1.2 million newly registered domain (NRDs) names containing keywords related to the COVID-19 pandemic from March 9, 2020 to April 26, 2020 are classified as “risky” or “malicious.”
Unit 42’s Jay Chen wrote a study analyzing all new domain names containing keywords related to the COVID-19 pandemic and found that the United States, Germany, Russia and Italy had the highest number of malicious coronavirus domains. The US had far and away the most, with more than 29,000.
On average, Chen found that 1,767 malicious COVID-19-themed domains were created every day between March 9, 2020 to April 26, 2020, and of the 86,600-plus domains, 2,829 domains hosted in public clouds were found to be “risky” or “malicious.”
Nearly 80% were hosted on Amazon Web Services, about 15% on Google Cloud Platform, 6% on Azure and less than 1% on Alibaba. The report is based on data collected by RiskIQ, which is tracking new domains that have the keywords “coronav,” “covid,” “ncov,” “pandemic,” “vaccine,” and “virus.”
“It is interesting to see that only 5% of the NRDs are found malicious in public clouds, while 7.5% of NRDs are found malicious in the entire internet. The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds,” Chen wrote.
“During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks and can make IP-based firewalls ineffective.”
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
Chen goes on to explain that in Unit 42’s analysis of malicious domains, it discovered that in content delivery networks (CDNs), such as Amazon Cloudfront or Cloudflare, hundreds or thousands of domains in the nearby geographical location may resolve to the same IP of an edge server.
“CDNs reduce network latency and improve service availability by caching the static web content on edge servers. However, because a malicious domain shares the same IPs as other benign domains in the same CDN, it also acts as a cover for malicious domains,” Chen added.
One particular Cloudflare IP, IP 23.227.38[.]64, is directly tied to 50 risky or malicious domains, the report says, adding that more than 2,000 other benign domains also resolve to the same IP. This design, which Chen calls “many-to-many domain to IP mapping” is very hard for firewalls to block because a blacklisted IP “may fail to block the traffic to/from a malicious domain while unintentionally making many other benign domains unreachable.”
According to Chen, cybercriminals are using the cloud to disguise phishing attacks and malware delivery attempts because threats coming from the cloud are more difficult to defend against due to resources that allow for greater detection evasion and attack amplification.
The crisis makes it even more imperative that the millions of enterprises turning to cloud platforms amid quarantine efforts leverage cloud-native security tools.
“With COVID-19 driving a surge in cloud adoption, we see not only attacks targeting the cloud users but also threats originating from the cloud. With thousands of malicious domains coming online every day, it is imperative to protect every endpoint with continuous monitoring and automatic threat prevention tools,” Chen wrote.
“However, cloud-hosted services or applications usually give users less visibility and make network monitoring more challenging. The problem becomes even more complicated when working in a multi-cloud environment.”