With the shift to the cloud accelerating during the COVID-19 pandemic, we see cyberattacks targeting cloud users and also threats originating from the cloud. Unit 42, the threat intelligence team at Palo Alto Networks, found that of the more than 86,600 COVID-19 themed domains it classified as high-risk or malicious, 2,829 are hosted in public clouds. Fending off threats originating from the cloud is harder because malicious actors use cloud resources to evade detection and amplify their attacks.
The US has the highest number
According to the Palo Alto Networks report, Unit 42 researchers analyzed 1.2 million newly registered domain names containing keywords related to the COVID-19 pandemic over seven weeks, from 9 March to 26 April 2020. Domain names were classified as “high-risk” or “malicious” (C2, malware, or phishing). Over 86,600 domains fell into these categories, of which 2,829 are hosted in public clouds. Geographically, the US hosts the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).
Looking at four popular cloud service providers (CSPs), Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba, over 56,200 of the newly observed hostnames are hosted in these four CSPs, distributed as follows: 70.1% in AWS, 24.6% in GCP, 5.3% in Azure, and below 1% in Alibaba. Note that this distribution covers all newly observed hostnames hosted in these clouds, not only the malicious ones; the split of the 2,829 high-risk or malicious cloud-hosted domains is given in the findings below.
The researchers also found that some malicious domains resolve to multiple IP addresses, and that some IP addresses are shared by multiple domains because of content delivery networks (CDNs). An IP-based firewall rule therefore either misses a domain that moves between addresses or blocks unrelated domains sitting on the same CDN address, which makes IP-based blocking ineffective against these domains; blocking needs to key on the domain or URL instead.
Important findings of the research
- On average, 1,767 high-risk or malicious COVID-19 themed domain names are created every day.
- Of the 86,600+ domain names, 2,829 hosted in public clouds are classified as high-risk or malicious:
  - 79.2% in AWS
  - 14.6% in GCP
  - 5.9% in Azure
  - 3% in Alibaba
- Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
- The higher price and more rigorous screening/monitoring of public clouds are likely making malicious actors less willing to host malicious domain names there.
COVID-19 themed domain names
The research studied COVID-19 related domain names, that is, names containing the keywords “coronav”, “covid”, “ncov”, “pandemic”, “vaccine”, and “virus”. Of these, 86,607 domain names were categorized as high-risk or malicious by Palo Alto Networks URL Filtering.
Based on these findings, on average 1,767 high-risk or malicious COVID-19 related domain names are created every day, and “virus” is the most common of the keywords. Malicious activity was divided into three categories, phishing, malware delivery, and C2, with malware accounting for a 79.2% share.
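As an added illustration (not code from the report or from Palo Alto Networks), the Python below applies the keyword filter described above to a small constructed feed of newly registered domains, then checks, for each IP address shared by a flagged domain, which benign domains an IP-based block rule would also hit, the CDN problem noted earlier. The keyword list is the one from the report; the domain names, verdicts and IP addresses are constructed for the example (IPs are from the RFC 5737 documentation ranges).

```python
"""Keyword triage of newly registered domains (NRDs) plus a check of why
IP-based blocking fails when malicious domains share CDN addresses.
All feed data below is constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Keyword list from the Unit 42 methodology described in the article.
COVID_KEYWORDS = ("coronav", "covid", "ncov", "pandemic", "vaccine", "virus")
KEYWORD_RE = re.compile("|".join(map(re.escape, COVID_KEYWORDS)), re.IGNORECASE)

# Verdict labels are hypothetical; the report's categories are phishing,
# malware and C2, plus a "high-risk" bucket.
MALICIOUS_VERDICTS = {"phishing", "malware", "c2", "high-risk"}

# Constructed sample feed: (domain, verdict, resolved IP addresses).
SAMPLE_FEED = [
    ("covid19-relief-login.example", "phishing", ["198.51.100.10", "198.51.100.11"]),
    ("free-vaccine-update.example", "malware", ["198.51.100.10"]),
    ("ncov-tracker-c2.example", "c2", ["203.0.113.77"]),
    ("pandemic-news.example", "benign", ["198.51.100.10"]),
    ("bakery-recipes.example", "benign", ["192.0.2.5"]),
    ("virus-scanner-pro.example", "high-risk", ["203.0.113.77", "203.0.113.78"]),
]


def matches_covid_keywords(domain):
    """Return the sorted set of report keywords found in a domain name
    (case-insensitive substring match, as the article describes)."""
    return sorted({m.lower() for m in KEYWORD_RE.findall(domain)})


def triage(feed):
    """Keep only feed entries whose domain contains at least one keyword."""
    return [entry for entry in feed if matches_covid_keywords(entry[0])]


def multi_ip_domains(feed):
    """Domains that resolve to more than one IP (one fan-out the report notes)."""
    return sorted(domain for domain, _, ips in feed if len(ips) > 1)


def ip_block_collateral(feed):
    """Map each IP used by a malicious domain to the benign domains that an
    IP-based block would also take down. An empty result means IP blocking
    is safe for this feed; a non-empty one means block by domain/URL instead."""
    by_ip = defaultdict(set)
    for domain, verdict, ips in feed:
        for ip in ips:
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            by_ip[ip].add((domain, verdict))
    collateral = {}
    for ip, entries in by_ip.items():
        malicious = {d for d, v in entries if v in MALICIOUS_VERDICTS}
        benign = {d for d, v in entries if v not in MALICIOUS_VERDICTS}
        if malicious and benign:
            collateral[ip] = sorted(benign)
    return collateral


def verdict_share(feed):
    """Percentage share of each malicious verdict among keyword-flagged domains
    (the same computation as the report's per-category shares)."""
    flagged = [v for _, v, _ in triage(feed) if v in MALICIOUS_VERDICTS]
    return {v: round(100 * flagged.count(v) / len(flagged), 1) for v in set(flagged)}


if __name__ == "__main__":
    for domain, verdict, _ in triage(SAMPLE_FEED):
        print(f"{domain:32} {verdict:10} keywords={matches_covid_keywords(domain)}")
    print("multi-IP domains:", multi_ip_domains(SAMPLE_FEED))
    print("IP-block collateral:", ip_block_collateral(SAMPLE_FEED))
    print("verdict share:", verdict_share(SAMPLE_FEED))
```

Running it on the sample feed shows 198.51.100.10 serving two malicious domains and one benign one, so a rule blocking that address would also cut off the benign site, while the phishing domain would still be reachable through 198.51.100.11. That is the situation the report describes, and the reason the domain or URL, not the address, is the right block key.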
The report shows that organizations need a cloud-native security platform and an application-aware firewall that can block on domains and URLs rather than on IP addresses alone to secure their environments.