Researchers from Unit 42, the global threat intelligence team of PaloAlto Networks, said they have been able to identify two “risky” Covid-related domains in the Philippines: covid19qpass.hopto.org and fcovid.ph.
The two sites were part of the 1.2 million newly registered domain (NRD) names containing keywords related to the Covid-19 pandemic from March 9, 2020 to April 26, 2020 (seven weeks), according to Unit 42.
The US has the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456). About 86,600 domains were classified as “risky” or “malicious”.
The researchers found 56,200+ of the NRDs are hosted in one of the top four popular cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Alibaba:
- 70.1% in AWS
- 24.6% in GCP
- 5.3% in Azure
- <.1% in Alibaba
“During our research, we noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains. This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective,” said Jay Chen of Unit 42.
Some important findings in the research are:
- On average, 1,767 malicious Covid-19 themed domains are created every day.
- Of the 86,600+ domains, 2,829 domains hosted in public clouds are found as risky or malicious
- Adversaries are disguising malicious activities such as phishing and malware delivery in the cloud.
- The higher price and more rigorous screening/monitoring process is likely making malicious actors less willing to host malicious domains in public clouds.
Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack, the research noted. “Organizations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments,” it added.