Palo Alto Networks finds malicious Covid-19 domains hosted on public cloud

Santa Clara, California based cybersecurity company Palo Alto Networks has found over 2,800 malicious Covid-19 themed domains hosted on the cloud.

The company’s threat intelligence team, Unit 42, analysed 1.2 million newly registered domain (NRD) names containing keywords related to the Covid-19 pandemic from March 9 to April 26, 2020, according to a blog post by Palo Alto. 

Researchers found over 86,600 domains classified as “risky” or “malicious”, spread across various regions. The United States saw the highest number of malicious domains (29,007), followed by Italy (2,877), Germany (2,564), and Russia (2,456).

Of the 86,600, 2,829 domains hosted in public clouds were found as risky or malicious, according to the blog. 

The study also found around 92 malicious domains in the top four host organisations in India. These are Web Werks India (28.26%), Amazon Technologies ( 16.30%), ASN block not managed by the RIPE NCC ( 6.52%) and Microsoft Corporation (4.35%).

Some 56,200 of the NRDs were found hosted on cloud service providers. With 70.1%, Amazon Web Services (AWS) has the most newly registered domains, followed by Google Cloud Platform (GCP) with 24.6% and Microsoft Azure (5.3%) and Alibaba with less than 0.5%.

Read: Google says state-backed hackers deploying Covid-19 phishing attacks

However, the researchers noticed that some malicious domains resolve to multiple IP addresses, and some IP addresses are associated with multiple domains.

This many-to-many mapping often occurs in cloud environments due to the use of content delivery networks (CDNs) and can make IP-based firewalls ineffective, the company said.

"Threats originating from the cloud can be more difficult to defend because malicious actors leverage the cloud resources to evade detection and amplify the attack. Organisations need to have a cloud-native security platform and a more advanced application-aware firewall to secure their environments," Jay Chen, senior cloud vulnerability and exploit researcher at Palo Alto Network said in a blog post.

In 2019, the cybersecurity company had found that 72% of Indian enterprises have misplaced confidence in cloud providers’ security.

Recently, the cybersecurity solutions provider Trend Micro said it blocked nearly 13 million high-risk email threats for customers using cloud-based email services from Microsoft and Google last year. In a report, the company said the changes they noticed in messaging-specific threats included the use of more sophisticated malware and the potential abuse of emerging technologies in the field of artificial intelligence.