Researchers from Unit 42, the global threat intelligence team of PaloAlto Networks, said they have been able to identify two “risky” Covid-related domains in the Philippines: covid19qpass.hopto.org and fcovid.ph.
The two sites were part of the 1.2 million newly registered domain (NRD) names containing keywords related to the Covid-19 pandemic from March 9, 2020 to April 26, 2020 (seven weeks), according to Unit 42.
The US has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). About 86,600 domains were classified as “risky” or “malicious”.
The researchers found 56,200+ of the NRDs are hosted in one of the top four popular cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba:
“During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective,” said Jay Chen of Unit 42.
Some important findings in the research are:
Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack, the research noted. “Organizations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments,” it added.